
I have been trying to create an LVS DNS HA using CentOS 6.x:

  • Piranha GUI to configure the DNS
  • Pulse is the HA heart of CentOS LB
  • IPTables to configure marks on the packets since DNS uses TCP and UDP 53

After several days, I find that I can not figure out how to make it work - and I was hoping that someone has either the lvs.cf file available along with all iptables rules necessary, or has already used some other open-source and free software that allows DNS LB (not round-robin DNS A records - that's not the purpose of this exercise).

If anyone has successfully made named (DNS) work under LVS with two or more real servers within the pool, I would greatly appreciate it if the configurations could be posted:

  • lvs.cf
  • iptables rules to place

I am primarily looking for either Direct Server Return or NAT - either solution will work for me.

Thank you in advance.

Jim.

shija03

  • Have you attempted this setup? If so, you should post some more information about your setup (example configuration, network layout, obfuscated IP addresses). – Andy Shinn Jan 29 '13 at 18:48
  • Have a look [at this](http://serverfault.com/questions/669441/load-balancing-dns-servers-udp-tcp) as well. – gxx May 06 '16 at 07:40
  • DNS is already HA (or at least it should be). You shouldn't need LVS. What is the problem you are trying to solve? – dmourati May 06 '16 at 08:04
  • I see value in doing this. As mentioned, DNS is HA, sort of. It depends on the client resolver timeout if a NS fails to respond. This typically has a 1 to 5 second timeout. Some folks understandably don't accept this timeout as a valid failure or degraded condition. It really depends on their needs. With LVS or Anycast, you can make it appear that 1 IP never goes down. I would personally go the Anycast route. – Aaron May 23 '17 at 16:47

1 Answer

You should be able to configure DNS load balancing pretty easily with LVS in DR mode. Personally I would use Ldirectord rather than Piranha (which is old and buggy), but either should work.

Like you said you will need to configure your firewall mark for the correct TCP and UDP ports, then load balance all packets that are marked to your backend server(s). I assume you won't need persistence for DNS (wouldn't work for UDP anyway).

I think the step you are probably missing is to allow the backend servers to respond to the traffic you are sending - commonly known as the ARP problem. If you have Windows servers then use this method. Or for Linux the simplest method is to use an iptables redirect:

iptables -t nat -A PREROUTING -p tcp -d <VIP> -j REDIRECT

It's explained in more detail on page 21 of the http://loadbalancer.org quick start guide.

If you need any help, post your config and I'll take a look.

drcelus
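The answer describes the two halves of the setup in words: firewall-mark TCP and UDP 53 on the director and hand the mark to one LVS-DR service, then solve the ARP problem on each real server. The script below is an added example, not code from the answer, the question or the loadbalancer.org guide. It emits the complete rule set as text so it can be reviewed before being run with root privileges; it does not apply anything itself. The VIP 192.0.2.53, the mark 53 and the real-server addresses 192.0.2.11 and 192.0.2.12 are constructed placeholders, and the REDIRECT variant extends the answer's single TCP rule to UDP, which DNS also needs.

```shell
#!/bin/sh
# Added example: LVS-DR rule set for a firewall-marked DNS virtual service.
# Every IP and the mark value below are constructed placeholders.

VIP="192.0.2.53"                 # constructed virtual IP
MARK="53"                        # constructed firewall mark
REALSERVERS="192.0.2.11 192.0.2.12"   # constructed real-server IPs

# Director side: one mark covers both transports, so a single ipvsadm
# service keyed on the mark balances TCP and UDP 53 to the same pool.
# Usage: director_rules VIP MARK RIP...
director_rules() {
    vip="$1"; mark="$2"; shift 2
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip --dport 53 -j MARK --set-mark $mark"
    echo "iptables -t mangle -A PREROUTING -p udp -d $vip --dport 53 -j MARK --set-mark $mark"
    # -f = fwmark service, -s rr = round robin (no persistence, as DNS does not need it)
    echo "ipvsadm -A -f $mark -s rr"
    for rip in "$@"; do
        # -g = gatewaying, i.e. Direct Routing: the real server answers the client itself
        echo "ipvsadm -a -f $mark -r $rip -g"
    done
}

# Real-server side, variant 1 (the answer's approach, extended to UDP):
# packets still carry the VIP as destination when they arrive, so REDIRECT
# steers them to the local address that named listens on; conntrack
# un-translates the reply so the client sees the VIP as the source.
# Usage: realserver_redirect VIP
realserver_redirect() {
    vip="$1"
    echo "iptables -t nat -A PREROUTING -p tcp -d $vip --dport 53 -j REDIRECT"
    echo "iptables -t nat -A PREROUTING -p udp -d $vip --dport 53 -j REDIRECT"
}

# Real-server side, variant 2: hold the VIP on lo and stop the host from
# answering ARP for it, so only the director owns the VIP on the LAN.
# Usage: realserver_loopback VIP
realserver_loopback() {
    vip="$1"
    echo "sysctl -w net.ipv4.conf.all.arp_ignore=1"
    echo "sysctl -w net.ipv4.conf.all.arp_announce=2"
    echo "sysctl -w net.ipv4.conf.lo.arp_ignore=1"
    echo "sysctl -w net.ipv4.conf.lo.arp_announce=2"
    echo "ip addr add $vip/32 dev lo"
}

# Review helper: count how many emitted rules match a given protocol,
# so a missing UDP (or TCP) rule is caught before anything is applied.
# Usage: count_proto "RULE_TEXT" tcp|udp
count_proto() {
    printf '%s\n' "$1" | grep -c -- "-p $2"
}

# Print the whole plan for the constructed addresses.
echo "# --- director ---"
director_rules "$VIP" "$MARK" $REALSERVERS
echo "# --- each real server, variant 1 ---"
realserver_redirect "$VIP"
echo "# --- each real server, variant 2 ---"
realserver_loopback "$VIP"
```

Pick one of the two real-server variants per host, not both. Whichever is used, `count_proto` should report exactly one TCP and one UDP rule on the director and on each real server; a pool that only marks TCP is the most common reason a "working" LVS DNS service still fails ordinary UDP lookups.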