
I have a net with 2 DNS servers (master & slave), but I don't want clients to query them directly. So, on the same net, I have a Debian machine with haproxy 1.7.5 installed. I want clients to have the IP of the proxy in their /etc/resolv.conf file, and I want the proxy to balance the load between the two servers.

IP DNS master = 10.10.24.2
IP DNS slave  = 10.10.24.4
IP PROXY      = 10.10.24.5

In the file /etc/haproxy/haproxy.cfg at the end, I added:

resolvers mydns
    nameserver dns1 10.10.24.2:53
    nameserver dns2 10.10.24.4:53

Then I start haproxy:

haproxy -f /etc/haproxy/haproxy.cfg

If I execute in the proxy:

netstat -tuna

I get these two new lines:

udp    0    0    10.10.24.5:35000    10.10.24.2:53    ESTABLISHED
udp    0    0    10.10.24.5:35000    10.10.24.4:53    ESTABLISHED

But I was expecting to receive something like this:

udp    0    0    10.10.24.5:53    10.10.24.2:53    ESTABLISHED
udp    0    0    10.10.24.5:53    10.10.24.4:53    ESTABLISHED

Obviously, the DNS requests from clients to the proxy aren't working...

Is it possible to achieve this using haproxy?

sergio
  • Can you post your full `haproxy.cfg`? – GregL Apr 25 '17 at 23:56
  • ok, I post it now... I asked this question in a haproxy forum and they answered: "You can't load balance UDP with haproxy. That's not what the dns resolvers command in haproxy is for. You'd need a udp load balancer. You can use nginx for this if you do a custom compile." – sergio Apr 26 '17 at 07:43
  • Actually, whoever wrote that is exactly right, HAProxy can't load balance UDP. However, your question makes me wonder why you'd want to "protect" these two DNS servers in the first place? – GregL Apr 26 '17 at 10:33
  • I am doing this for college... The nets are virtual; I am doing it with VirtualBox, and the DNS servers run bind9. The teacher told us to balance the load and to hide the servers, and that we could balance the load with bind9, but this would be like round robin. He told us that we could do more complex balancing with haproxy but, as far as I can see, it's impossible. – sergio Apr 26 '17 at 18:33
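An added example, not part of sergio's post or of the haproxy project, that separates the two things the thread conflates: what a `resolvers` section is for (runtime resolution of hostnames in `server` lines, nothing is listened on) and how far haproxy 1.7.5 can actually go with DNS, which is a plain TCP proxy on port 53. The addresses are the ones from the question; the backend hostname `app1.example.internal` is an assumed name used only to show the resolvers section doing its real job. UDP/53, which every stub resolver tries first, is still not handled: haproxy 1.7 opens no UDP listener, so `dig @10.10.24.5 proxy` over UDP will still time out, while `dig +tcp @10.10.24.5 proxy` will be answered and balanced.

```haproxy
global
    log /dev/log local0
    maxconn 2000
    user  haproxy
    group haproxy

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  10s
    timeout server  10s

# The questioner's section, with the directive spelled as haproxy expects it.
# This does NOT open a listener for clients: haproxy itself uses these two
# servers to resolve hostnames written in "server" lines (see "backend web").
resolvers mydns
    nameserver dns1 10.10.24.2:53
    nameserver dns2 10.10.24.4:53
    resolve_retries 3
    timeout retry   1s
    hold valid      10s

# DNS over TCP (RFC 7766) is ordinary TCP, so haproxy 1.7 can balance it.
# Clients see only 10.10.24.5; the two bind9 servers see only the proxy's
# address as the query source (no client IP in their logs).
listen dns-tcp
    bind 10.10.24.5:53
    mode tcp
    balance roundrobin
    option tcp-check
    server dns1 10.10.24.2:53 check inter 2s fall 2 rise 2
    server dns2 10.10.24.4:53 check inter 2s fall 2 rise 2

# What "resolvers mydns" is actually for: the hostname of this backend server
# (assumed name, for illustration only) is looked up through dns1/dns2 at
# runtime and re-resolved when the record changes.
backend web
    mode http
    server app1 app1.example.internal:80 check resolvers mydns resolve-prefer ipv4 init-addr last,libc,none
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting, then confirm the listener with `ss -ltn 'sport = :53'` (it will be a TCP socket, not the UDP one the question expected) and run `dig +tcp +short @10.10.24.5 proxy` a few times while watching the tcplog lines alternate between dns1 and dns2. Forcing clients onto TCP is possible with glibc via `options use-vc` in /etc/resolv.conf, but that is a workaround, not UDP load balancing; for UDP you need the nginx stream module (`listen 53 udp;`) that the forum answer quoted above refers to, or another UDP-capable balancer. The two bind9 servers must also allow queries from 10.10.24.5 (`allow-query`), since after this change that is the only source address they will see.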

2 Answers

1

It looks perfectly fine. The outgoing side of an IP connection (from 10.10.24.5 to 10.10.24.2) usually uses a random (or semi-random) port; it doesn't need to have the same port number as the target machine.

What is more important is that you also have a line like this:

udp        0      0 10.10.24.5:53      0.0.0.0:*               LISTEN

which indicates that HAProxy is indeed listening on UDP port 53 for DNS requests and is ready to forward them to the subsequent servers.

Sven
  • Hello, thanks for your answer. No, I don't see this line you tell me. – sergio Apr 25 '17 at 12:32
  • Well, what happens if you go to a client and test a DNS request, e.g. with `dig @10.10.24.5 hostname`? Also, post your config files and log file entries. – Sven Apr 25 '17 at 12:35
  • ; <<>> DiG 9.9.95-9+deb8u10-Debian <<>> @10.10.24.5 proxy
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    – sergio Apr 25 '17 at 15:20
  • I asked this question in a haproxy forum and they answered: "You can't load balance UDP with haproxy. That's not what the dns resolvers command in haproxy is for. You'd need a udp load balancer. You can use nginx for this if you do a custom compile." – sergio Apr 26 '17 at 07:48
1

You don't need to load balance your DNS servers. It is enough to have two DNS servers configured on the client side and that's it.

If you don't have another machine acting as a load balancer, you will be creating a single point of failure for DNS service.

This is a similar post at serverfault.

Khaled
  • I know I don't need it, but I want to do it. It's for college. Thanks for your answer. – sergio Apr 25 '17 at 12:34
  • Actually some applications only allow you to configure a single DNS server. This is also true for LDAP client configurations, and other "crucial" services. Just because the average client tool or service tool doesn't need this, it doesn't mean that there is no need at all. – Tmanok May 22 '22 at 10:44