2

I'm trying to make my small business network a bit more robust by adding a fallback ISP. What I can't figure out is how to manage the DNS for inbound connections. A simplified view of my network looks like this:

+-------+    +-------+
| ISP 1 |    | ISP 2 |
+-------+    +-------+
    |           |
 +-----------------+
 | Dual WAN Router |
 +-----------------+
          |
    +----------+
    |  Server  |
    +----------+

When I just had 1 ISP, I only had one WAN IP address to worry about and I simply updated my DNS A record anytime my dynamic IP changed. I'm using AWS (Route 53) for DNS, so it's pretty easy to write a script to get your current IP and then use their CLI tools to update your DNS records accordingly.

Now that I have two WAN IP addresses, I'm not exactly sure how to proceed. I have two main issues:

  1. I want ISP 1 to be the primary (it has a better connection), but I want to fallback to ISP 2 if 1 is not available. I use the server for VoIP as well as HTTP and SSH. The VoIP needs to have pretty high availability (hence the redundant ISP). But, I don't know how to achieve failover like this.

  2. How can I keep both DNS records up to date? With just one ISP, I can reliably determine the WAN IP from the Server with a command like this: `dig +short myip.opendns.com @resolver1.opendns.com`. With two ISPs, I can't imagine how I would get the IPs for both from the Server.

Ideas for #1

I have read about DNS round robin with multiple A records, but everywhere I find it mentioned it's recommended against. Another option seems to be BGP, but I don't understand it, and I kind of feel like I don't have what I need to implement it (this post seems to apply).

Another solution for #1 could be having a load balancer with a single IP that the domains point to. Then, that load balancer chooses which ISP to route traffic to based on some health check. The issue is that this needs to be protocol agnostic (i.e. work seamlessly with VoIP traffic as well as HTTP, etc.). That's why a DNS level solution seemed appealing.

I stumbled on this AWS blog post which looked promising, but my head exploded when I tried to figure out how I would keep the dynamic IPs up to date in the health checks and the various corresponding DNS records.

After reading this post, the "right" way to do this at my level seems to be a link balancer like this, but the cheapest model in that line is around $1,200 which is a bit more than I was looking for. Plus, I'm still a bit foggy on how to point the Name Servers for my domains to my link balancer when it's getting dynamic IPs from the ISPs.

Ideas for #2

I think I can configure my Dual WAN Router to call a webhook when IPs change, but that would be kind of complicated to implement.

Is there some magic bullet solution that I'm missing?

Dominic P
  • Just to close this out. I was able to implement Esa Jokinen's solution fairly easily. The downsides are that I can't use the redundant connection to augment my primary in day-to-day use (even for outbound traffic) and I'm at the mercy of local DNS resolvers to respect my short TTL for failover. That said, the simplicity of it is worth those costs for me right now. In the future, I might look into a more robust solution like that proposed by ewwhite. Thanks again to all who helped. I really appreciate it. – Dominic P Jun 10 '17 at 20:44

2 Answers

3

I use AWS Route53 health checks for inbound DNS resolution and internet failover.

Create a health check.

Create a public DNS entry for each service.

Associate the health check with the DNS entry.

ewwhite
  • Thanks for the in depth answer. That solution looks very robust. Are you also using dynamic IPs? The way I see it, I would need to find a way to get both IPs reliably and then update both the health checks _and_ the corresponding A records when they change. Does that sound right/possible? – Dominic P Jun 08 '17 at 21:35
  • How often are your IP addresses changing? Can you look into what it takes to have a static solution? – ewwhite Jun 08 '17 at 21:53
  • They only change maybe once every 2-3 months, but I know I will forget to stay on top of it if I don't have an automated system. My ISPs will give me static IPs, but, unfortunately, they're too expensive for me to justify at my current level. – Dominic P Jun 08 '17 at 23:19
1

It depends on your dual WAN router's features, but I believe the most straightforward solution could be to make the router use ISP/WAN 2 only when it detects that ISP/WAN 1 is down. This way you could have the server and its dynamic DNS script as is; it will update the same record to resolve to the public IP of WAN 2 when WAN 1 fails.

Of course this will take up to TTL seconds until it's effective, but with a short TTL like 300 that shouldn't cause too much downtime as a percentage.

Esa Jokinen
  • +1, for such a simple solution. It looks like my router [does support](http://just.draytek.com/index.php?option=com_k2&view=item&id=1810&Itemid=293&lang=en) this kind of setup. – Dominic P Jun 08 '17 at 21:30
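As an added example (not code from either answer or from the original poster), the Route 53 change batches behind both schemes: a single short-TTL A record that the dynamic DNS script UPSERTs after the router fails over (Esa Jokinen's answer), and a PRIMARY/SECONDARY failover pair tied to health checks (ewwhite's answer). The hosted zone ID, record name and health check IDs are placeholders; the WAN IP is taken from the question's `dig` command and validated before anything is written to the zone.

```python
import ipaddress
import json
import subprocess

ZONE_ID = "HOSTED-ZONE-ID-PLACEHOLDER"  # placeholder, not a value from the thread
RECORD = "voip.example.com."            # assumed record name

def parse_ip(dig_output):
    """Accept the dig output only if it is exactly one IPv4 address that could be a WAN IP,
    so a flaky or unexpected resolver answer never gets written into the zone."""
    lines = [l.strip() for l in dig_output.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one address, got %r" % lines)
    ip = ipaddress.ip_address(lines[0])  # raises ValueError on garbage
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        raise ValueError("not a usable WAN IPv4 address: %s" % ip)
    return str(ip)

def current_wan_ip():
    """The question's dig command: reports whichever WAN the router is sending traffic out of."""
    out = subprocess.run(["dig", "+short", "myip.opendns.com", "@resolver1.opendns.com"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip(out)

def rrset(name, ip, ttl, **extra):
    rec = {"Name": name, "Type": "A", "TTL": ttl, "ResourceRecords": [{"Value": ip}]}
    rec.update(extra)
    return {"Action": "UPSERT", "ResourceRecordSet": rec}

def single_record_batch(name, ip, ttl=300):
    """Esa Jokinen's scheme: one A record with a short TTL; after the router fails over,
    the same script simply UPSERTs whichever WAN address is live."""
    return {"Comment": "dynamic DNS update", "Changes": [rrset(name, ip, ttl)]}

def failover_batch(name, isp1_ip, isp2_ip, hc_isp1, hc_isp2, ttl=60):
    """ewwhite's scheme: a PRIMARY/SECONDARY failover pair, each record tied to the
    Route 53 health check for its ISP; the secondary is served only when the primary fails."""
    return {"Comment": "failover pair", "Changes": [
        rrset(name, isp1_ip, ttl, SetIdentifier="isp1", Failover="PRIMARY", HealthCheckId=hc_isp1),
        rrset(name, isp2_ip, ttl, SetIdentifier="isp2", Failover="SECONDARY", HealthCheckId=hc_isp2),
    ]}

def apply_batch(batch, zone_id=ZONE_ID):
    """Push the batch with the AWS CLI (needs credentials; not exercised in tests)."""
    subprocess.run(["aws", "route53", "change-resource-record-sets", "--hosted-zone-id", zone_id,
                    "--change-batch", json.dumps(batch)], check=True)

if __name__ == "__main__":
    apply_batch(single_record_batch(RECORD, current_wan_ip()))
```

With the failover pair, the health check IDs and both A records must be updated whenever either dynamic IP changes, which is the extra bookkeeping the comments under ewwhite's answer discuss.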