[SOLVED] DNS Failover

[Johnny_FL1]

Hi everyone

 

I'm an IT apprentice and got the task to find a solution for DNS failover.

I know, that for windows at least, it's possible to set two DNS servers. One primary and one secondary and if the primary doesn't respond, it will switch automatically to the second one. Sadly not all clients in the company I'm working for are able to do that. So I'm searching for a solution on the DNS side.

We have three Domain Controllers running DNS and Active Directory.

The solution must be able to function internally without internet access, so external health checks are not an option.

Please consider, that a possible solution must be higly available and reliable. Cost doesn't really matter in this case, so if additional hardware is needed, it's no problem as long as that is redundant.  And again, it must be a server side solution.

The Pictures included should visualize the infrastructure and the searched solution a bit.

 

Is there a HSRP like solution, which uses a Virtual IP to which clients refer, and in the background health checks (like heartbeats) are checking the three DC's for connectivity and in an event of failure automatically switches the traffic?

Or is there a way to do health checks within the Servers, so that the secondary monitors the connectivity of the primary and automatically "simulates" to be the primary in the event of a failure? 

 

 

EDIT

If there is a solution without having to place some hardware in front of the DC's, but to handle the problem amogst the DNS servers themselves, such solutions would be preferred.

EDIT END

 

I know my text may be difficult to understand, but I'm open for questions.

Thanks for the help in advance

Johnny

 

[WereCatf]

12 minutes ago, Johnny_FL1 said:

I'm an IT apprentice and got the task to find a solution for DNS failover.

I know, that for windows at least, it's possible to set two DNS servers. One primary and one secondary and if the primary doesn't respond, it will switch automatically to the second one. Sadly not all clients in the company I'm working for are able to do that. So I'm searching for a solution on the DNS side.

I have literally no idea what Active Directory does or how it works, but...couldn't you just setup a new DNS-server which queries all three of those DNS-servers you described in your post and then point all your clients to that instead? A very quick and painless way would be to e.g. toss in a pfSense-box on the network and disable DHCP-server on it, then just configure it to use all those DNS-servers of yours and point all clients to the pfSense-box instead.

[TidalZelda]

I think the point of the setup he describes is "no single point of failure", so running a single box to just pick a working one would make it the single point of failure.

21 minutes ago, Johnny_FL1 said:

Please consider, that a possible solution must be higly available and reliable. Cost doesn't really matter in this case, so if additional hardware is needed, it's no problem as long as that is redundant.

yep, soo single box is out the window.

[WereCatf]

Just now, TidalZelda said:

I think the point of the setup he describes is "no single point of failure", so running a single box to just pick a working one would make it the single point of failure

Well, yeah, but there's always a single point of failure anyways. I mean, you can't have a virtual IP unless you have one device dedicated to handling that and, well, you still have a single point of failure, then.

[tech.guru]

you can use a high availability pair of netscalers to load balance dns servers. this can be accomplished very easy. in addition, you can load balance LDAPS which is probably another service that at the moment is a single point of failure.

 

get a couple of netscaler vpx for this project, or bigger MPX if you want to load balance more services.

it has probes for DNS you can add a record for DNS to query and expected response.

 

if the probe fails the netscaler will mark server as offline and move to the next server

[tzaitam]

If throwing money at the problem isn't an issue an Infoblox DDI-installation would solve your problem. Multiple nodes can be presented with a single IP and you gain a robust IPAM-solution.

[tech.guru]

the benefits of buying a load balancer is you will gain an appliance that can be used for many other things.

the netscaler can also be coupled with management anaytic system to monitor and alert you of issues and report response times.

 

in addition it supports rate limiting and some advanced features to protect your dns infrastructure from attacks.

[tech.guru]

7 minutes ago, WereCatf said:

Well, yeah, but there's always a single point of failure anyways. I mean, you can't have a virtual IP unless you have one device dedicated to handling that and, well, you still have a single point of failure, then.

not true. the virtual ip is a floating ip that will be assigned to the primary device in the netscalers case.

if a heartbeat is lost between the primary netscaler failure event to secondary occurs. secondary device takes ownership of all services.  GARP request is sent so the arp tables for the VIP are updated to the new device.

 

you can also use vmac if GARP is too slow or blocked on your switches.

[WereCatf]

2 minutes ago, tech.guru said:

not true. the virtual ip is a floating ip that will be assigned to the primary device in the netscalers case.

if a heartbeat is lost between the primary netscaler failure event to secondary occurs. secondary device takes ownership of all services.  GARP request is sent so the arp tables for the VIP are updated to the new device.

 

you can also use vmac if GARP is too slow or blocked on your switches.

Hmm, I'll have to read up on this topic since I clearly am missing quite a lot.

[Johnny_FL1]

41 minutes ago, tech.guru said:

you can use a high availability pair of netscalers to load balance dns servers. this can be accomplished very easy. in addition, you can load balance LDAPS which is probably another service that at the moment is a single point of failure.

 

get a couple of netscaler vpx for this project, or bigger MPX if you want to load balance more services.

it has probes for DNS you can add a record for DNS to query and expected response.

 

if the probe fails the netscaler will mark server as offline and move to the next server

Hi tech.guru

Thanks for the reply

 

Wouldn't the netscalers cause problems with the Active Directory etc.?

Or would it be possible to configure the clients to use the virtual IP of these netscalers for DNS only?

Then all other traffic that has to go to the DC's would take the same path as today.

 

[tech.guru]

5 minutes ago, Johnny_FL1 said:

Hi tech.guru

Thanks for the reply

 

Wouldn't the netscalers cause problems with the Active Directory etc.?

Or would it be possible to configure the clients to use the virtual IP of these netscalers for DNS only?

Then all other traffic that has to go to the DC's would take the same path as today.

 

 

you would just put the virtual ip for the load balancing vserver for dns, on the dns clients list.

all other traffic would go to the domain controllers as it does today.

 

but you would be able to use this to load balance other network services,

LDAPS, HTTPS, DNS, NTP, RADIUS, EXCHANGE, SQL etc

 

for your requirement you could even go with the free vpx dns is very lightweight,

https://www.jasonsamuel.com/2011/03/02/citrix-announces-free-5-mbps-vpx-express-and-free-platinum-edition-vpx-developer/

 

if your requirements grow than you could consider more expensive license. just note the citrix management analytic system is premium feature and isnt available for free edition

 

 

[tech.guru]

here is a link, https://www.citrix.com/lp/try/citrix-networking-vpx-express.html

it has been upgraded to 20 Mbps but removed citrix gateway in free edition.

 

you are not using vpn for this appliance and want to deploy inside the network. this seems like a good fit

express is basically standard edition, this includes high availability and all the features needed to load balance dns.

 

since its virtual be easy to upgrade the license and assign more cores and memory if you decide to expand its usage to more network services

 

[Johnny_FL1]

Hi

We have found some solutions and are now evaluating which ones the best for us.

 

The Solution will be two physical Load balancers which have a floating IP configured.

The clients get the floating IP as DNS. This way, all other traffic will take the same route as it does today and DNS will take the route over the load balancers.

 

Thanks for everyone who has helped me solve this issue.

Peace out