
I need to know if there is any solution for solving my problem. I have a BIND DNS server and Consul as a service discoverer. This is what I want, as a simple diagram:


How can I configure this sample setup and let BIND just resolve the A record to the IP address of the healthy load balancer server?

If the client queries the DNS server for the A record of domain.example, it must get the IP address of the healthy (192.168.1.100) server.

The sample configuration of Consul for DNS shows how to configure SRV records, not A records. How can I get it to work with A records for the healthy server?

I need to tell BIND to ask Consul for the record, but how? My example zone file:

```
$TTL    300 ;
$ORIGIN example.com.
@  1D  IN  SOA ns1.example.com. hostmaster.example.com. (
                2002022401 ; serial
                3H ; refresh
                15 ; retry
                1w ; expire
                3h ; nxdomain ttl
               )
www    IN  A      192.168.0.2  ; how can I tell BIND to use Consul as the IP resolver for this record?
```

Consul uses a port for resolving; how can I tell BIND to use Consul instead?

sweb
  • DNS gives you load-balancing, not failover. For that look at application load-balancers that include monitoring of backends, like `haproxy`. A pure DNS solution would go towards anycasting but this is far more complicated to properly set up and handle than what you describe with one logical host and 2 backends, so out of scope. But it does provide load balancing and failover, because you mix DNS and BGP anycasting. – Patrick Mevzek Aug 22 '18 at 03:11
  • Actually I'm looking for a software-based solution; with this simple solution (except the DNS cache) the DNS server can resolve the user to the healthy load balancer – sweb Aug 23 '18 at 15:52
  • Another way to look at it: use any nameserver software where you can plug in a dynamic backend, that is, a program that generates the response when the query comes. This same program or a companion can do health checks so that the replies will always be the best ones. This comes however with a lot of dangers and drawbacks (performance, completeness, etc.) and this is certainly not the preferred path I would recommend to do failover. DNS (alone) is not a good solution for failover. – Patrick Mevzek Aug 23 '18 at 16:05

2 Answers

Well... sad-to-say, you're kinda going to have a hard time doing this in production.

50% of the problem is updating the "healthy" records to point to the healthy server. There are ways of doing dynamic updates with bind, but unfortunately there is no way to convince bind itself to do some sort of checks to see if the server is healthy. You'll need to figure out a way to trigger a dynamic update when the healthy/unhealthy status is reached.

50% of the problem is also caching. The reality is, DNS is designed to be cached. There is a defined "TTL" field on DNS records that is essentially a defined time to cache the record. When you update the "healthy" records, clients will be forced to wait until the TTL is reached, and the records re-queried. Some applications have a built-in method that will attempt to re-query a record if the connection is dropped or could not be established, but there is no guarantee that this will be done.

You'd be better off using firewall rules to reject connections on the unhealthy server, and simply relying on the DNS server to advertise both servers, and allowing the application to try one, then the other (round-robin).

TheCompWiz
  • First, thank you for the answer. For the first 50% I can do it via a script and some services that report network problems, or a resource monitor. The 50% on healthy could be multiple A records for healthy balancers, considering there are more than 2 load balancers. – sweb Aug 20 '18 at 22:11
  • A lower TTL cache for the DNS server could be useful; of course there could be some problems, but it is better than DNS not knowing about the state of the endpoint servers for the client – sweb Aug 20 '18 at 22:13
  • I need to know if anyone has faced this problem and how to deal with it. 1. Any network could be broken. 2. We need to do it with just a software solution. – sweb Aug 20 '18 at 22:15

I believe everyone focusses too hard on the BIND server. According to the Consul documentation, you only need BIND to forward the DNS queries from port 53 to port 8600 which Consul uses. Consul is the DNS server in this setup.

Consul uses checks to determine which of the two (or more) servers is (are) the "healthy" one(s).

Next it can respond with both A and SRV records as can be seen in the documentation.

So instead of asking us to read through the entire Consul documentation and come up with a working configuration for you, why don't you provide us with your configuration files and tell us what is not working as expected. That way we can more easily help you solve the issue at hand.

> I need to tell BIND to ask Consul for the record, but how?

The answer to that exact question is given in the documentation! PLEASE read the documentation!

Tommiie
  • Consul provides the `.consul` TLD for checking as a service, not an actual domain. In fact I need a simple example using actual domain resolution with BIND and Consul. I need a simple example via a domain, not SRV or the `.consul` TLD – sweb Aug 24 '18 at 11:19
  • Question updated, btw – sweb Aug 24 '18 at 11:25
  • Again, please read the documentation. They only live in the `consul` TLD by default but [this is configurable](https://www.consul.io/docs/agent/options.html#domain) using the `domain` option. – Tommiie Aug 24 '18 at 11:26
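The wiring Tommiie's answer and the `domain` comment describe, as an added example (not code from the answer or from the Consul or BIND projects): BIND keeps the authoritative example.com zone but forwards the `service.example.com` subtree to the local Consul agent on port 8600, the zone's `www` becomes a CNAME to the Consul-served name, and Consul only answers with instances whose health check passes. It assumes a Consul agent on 127.0.0.1:8600 whose `domain` is example.com on every agent, a service named `www` (so Consul serves it as `www.service.example.com`), BIND allowing recursion for the clients, and a hypothetical `/health` endpoint on each load balancer; the script only writes fragments into `OUT_DIR` so it can be run as a dry run.

```shell
#!/bin/sh
# Added example, not from the answer above: wires BIND to Consul as described.
# Assumptions: Consul agent on 127.0.0.1:8600, its DNS domain set to example.com
# (must be identical on every agent), service "www" so Consul serves it as
# www.service.example.com. Files go to OUT_DIR (./out by default): a dry run.
set -eu
OUT_DIR="${OUT_DIR:-./out}"
mkdir -p "$OUT_DIR"

# BIND side: a forward-only zone below the authoritative example.com zone, so
# anything under service.example.com is asked of Consul, not the zone file.
write_bind_forward() {
  cat > "$OUT_DIR/consul-forward.conf" <<'EOF'
zone "service.example.com" IN {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 8600; };
};
EOF
}

# Zone-file side: www no longer carries a static A record; it points at the
# Consul-served name, which BIND chases through the forward zone above.
write_zone_record() {
  printf 'www    IN  CNAME  www.service.example.com.\n' > "$OUT_DIR/www.zone.inc"
}

# Consul side, one copy per load balancer with its own address: an HTTP health
# check (hypothetical /health endpoint), no DNS answers for instances that are
# not passing, and a short TTL so cached answers for a failed balancer age out.
write_consul_config() {
  cat > "$OUT_DIR/consul-www.json" <<'EOF'
{
  "domain": "example.com",
  "dns_config": { "only_passing": true, "service_ttl": { "*": "5s" } },
  "service": {
    "name": "www",
    "address": "192.168.1.100",
    "port": 80,
    "check": { "http": "http://192.168.1.100/health", "interval": "10s", "timeout": "2s" }
  }
}
EOF
}
write_bind_forward
write_zone_record
write_consul_config
echo "wrote BIND and Consul fragments to $OUT_DIR; include consul-forward.conf from named.conf"
```

Because `forward only` is used, BIND returns SERVFAIL for `www.service.example.com` if the Consul agent is down rather than falling back to stale data; the 5s `service_ttl` is the trade-off against the caching problem TheCompWiz's answer describes.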