Re: NAT and Load Balancing (was: Re: How Many Domain R

From: Men & Mice Support
Date: Tuesday, December 7, 1999
Time: 7:04:00 pm

The problem is when you try to use load balancing and/or fault tolerance when your servers are behind a NAT server.

Here are the issues:

1) The load preference message (LPM) packet that the web server sends to QuickDNS Pro is marked with a source IP address - this is the address of the server, and, if the packet goes through the NAT server on its way, is changed to the public address of the server.

2) The LPM packet contains several fields. One of them is IP address. This must match the source address (from issue 1). It is not changed by the NAT server. Therefore, so long as the StarNine plug-in doesn't allow configuration of this field, the web server *cannot* be behind a NAT server. You might think that, given that they match so long as both web and DNS servers are behind the same NAT server and communicate directly, that it would work...

3) The IP Address field of the LPM packet must match one of the listed addresses in the load balance record. Therefore, the LPM packet's address field must contain the public address of the server. Therefore (by issue 2), the source address stamped on the packet must also match the public address of the server.

Unfortunately, the design of the LPM system didn't take NAT into account. Therefore, the only solutions are:

1) Put all servers on public addresses (probably in the DMZ, if your NAT server offers a DMZ).

2) Have StarNine modify the plug-in (or write your own - it's not that hard once you know how to write a plug-in) so that the server's address can be set. Then when the plug-in contacts the DNS server, it does so through the NAT server (whether both servers are behind NAT or not), meaning the source address gets changed to the same value that was set in the plug-in settings, and both then match the public address of the server, which is listed in the load balance record. [NOTE: I haven't examined the security implications of this solution, so I don't know if it would be safe for StarNine to make this change!]

There isn't a way to modify QuickDNS Pro's behavior to fix this without opening up some big truck-sized security holes. The only way we can fix it is to totally redesign the lb/ft mechanism, which would of course require StarNine to totally redo their plug-in anyway.

I hope this makes the problem clear. I know it's pretty technical, but if you have questions about this, I'll do my best to answer them.

At 9:20 AM -0800 12/7/99, Craig Bowers wrote:
>NAT? What about NAT? Are there issues with QuickDNS Pro in a NAT
>environment? I don't mean to be jumpy but I was going to be replacing our
>proxy server with a firewall doing NAT, and thought I might stick the
>servers behind it too.
>
>>-----Original Message-----
>>From: quickdns-talk@lists.menandmice.com
>>[mailto:quickdns-talk@lists.menandmice.com]On Behalf Of Men & Mice
>>Support
>>Sent: Saturday, December 04, 1999 9:53 AM
>>To: QuickDNS Talk
>>Subject: Re: How Many Domain Records?
>>
>>
>>At 9:27 AM -0800 12/4/99, Ross Markbreiter wrote:
>>>Hello,
>>>Any word on Fault Tolerance or NAT.
>>
>>Nothing that I can discuss at this time.
>>____________________________________________________________________
>>Chris Buxton cbuxton@menandmice.com
>>Men & Mice http://www.menandmice.com
>>Makers of: QuickDNS Pro
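A model of the three checks described in the message above, added here as an illustration and not code from Men & Mice, StarNine or the QuickDNS Pro plug-in. It assumes a hypothetical LPM packet with a header source address (rewritten by NAT) and a payload IP field (not rewritten), and uses constructed private/public addresses to show why the unmodified plug-in fails behind NAT and why a configurable address field would pass:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class LPMPacket:
    """Hypothetical load preference message as received by the DNS server."""
    source_ip: IPv4Address  # IP header source; NAT rewrites this (issue 1)
    ip_field: IPv4Address   # address carried in the payload; NAT leaves it alone
    load: int


def nat_rewrite(pkt: LPMPacket, private: IPv4Address, public: IPv4Address) -> LPMPacket:
    """Model NAT: only the header source changes, the payload field does not."""
    if pkt.source_ip == private:
        return LPMPacket(public, pkt.ip_field, pkt.load)
    return pkt


def validate_lpm(pkt: LPMPacket, lb_record: set) -> tuple:
    """Apply the two checks the message describes; return (accepted, reason)."""
    if pkt.ip_field != pkt.source_ip:
        return False, "ip_field does not match packet source (issue 2)"
    if pkt.ip_field not in lb_record:
        return False, "ip_field not listed in load balance record (issue 3)"
    return True, "accepted"


# Constructed sample addresses: a web server on a private address, its public
# NAT address, and a load balance record that lists public addresses only.
PRIVATE = IPv4Address("10.0.0.5")
PUBLIC = IPv4Address("192.0.2.5")
LB_RECORD = {IPv4Address("192.0.2.5"), IPv4Address("192.0.2.6")}


def scenario_unconfigurable_plugin() -> tuple:
    """Plug-in stamps its own private address; NAT rewrites only the header."""
    pkt = nat_rewrite(LPMPacket(PRIVATE, PRIVATE, 10), PRIVATE, PUBLIC)
    return validate_lpm(pkt, LB_RECORD)


def scenario_same_nat_direct() -> tuple:
    """Both servers behind the same NAT, talking directly: no rewrite at all."""
    return validate_lpm(LPMPacket(PRIVATE, PRIVATE, 10), LB_RECORD)


def scenario_configurable_plugin() -> tuple:
    """Solution 2: field set to the public address and traffic crosses the NAT."""
    pkt = nat_rewrite(LPMPacket(PRIVATE, PUBLIC, 10), PRIVATE, PUBLIC)
    return validate_lpm(pkt, LB_RECORD)
```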