View Full Version : DNS rerouting




philstone
Mar 4, 2013, 05:57 AM
I've been searching the internet all weekend but still no joy on this...

Scenario - we have a server onsite that we want to connect to using full DNS so that the address doesn't change whether it's from within the office or externally (e.g. server address will be server.mydomain.com)

Using AEBS for DHCP (and DNS) although SLS is configured for DNS as well (not really active as no clients are asking the SLS for DNS)
Is there a way to configure the system so that...

Internal request for server.mydomain.com forwards to the local IP address rather than going outside the LAN then back in?
I would prefer to keep the AEBS acting as DHCP server.

Has anyone else had issues like this before? I know in a Windoze environment this is possible.

Cheers



HenryAZ
Mar 4, 2013, 08:51 AM
I have used internal name servers for this purpose. Set up an internal name server to run the mydomain.com zone, have your DHCP server give out that name server to its local LAN clients, and have the record server.mydomain.com resolve to the internal address.

Any client then on the LAN will get the internal address. Any client outside (using whatever outside name servers they are provided with) will resolve the external IP.

The caveat here is your internal clients will look to this internal name server zone for all information regarding the zone. So, if you have records in the zone with external addresses, they will need to be included in the internal zone as well. For example, if your web server is hosted offsite, you will need a record in the internal zone pointing to the external web server. You will need to have correct MX records in the internal zone. Your internal zone will basically be a mirror of the external zone, except for the addresses you want to resolve internally.

Additionally, you will need to have the internal name server forward requests for everything other than mydomain.com to an external resolver.

philstone
Mar 4, 2013, 10:14 AM
Thanks - I already have an internal NS which resolves correctly, however I have to assign the DNS manually to the client as the DHCP on the AEBS is giving itself out as a local DNS server - I can't see a way to change that in the DHCP options on the AEBS? Is there a way?

Thanks again

HenryAZ
Mar 4, 2013, 10:32 AM
Thanks - I already have an internal NS which resolves correctly, however I have to assign the DNS manually to the client as the DHCP on the AEBS is giving itself out as a local DNS server - I can't see a way to change that in the DHCP options on the AEBS? Is there a way?

Thanks again

I cannot answer that very well, as I've never used any access point or router as a DHCP server.

Usually devices like that give out, as DNS, the DNS they are configured for. Try configuring the AEBS to use the internal name server. As long as the internal server can resolve anything (the internal zone, or forward external requests), this should pose no problem.

freejazz-man
Mar 4, 2013, 06:51 PM
except for about 2x as many DNS queries as necessary, unless you are going to cache them

it can make browsing stuff like youtube kinda sucky

HenryAZ
Mar 4, 2013, 07:07 PM
except for about 2x as many DNS queries as necessary, unless you are going to cache them


Why would anyone run a name server with caching turned off to begin with?

Not to mention the fact that the results will also be cached on each local machine's OS resolver cache.

freejazz-man
Mar 5, 2013, 10:20 AM
Why would anyone run a name server with caching turned off to begin with?

Not to mention the fact that the results will also be cached on each local machine's OS resolver cache.

when you are using a CDN you don't really hit domains that are cached

HenryAZ
Mar 5, 2013, 03:08 PM
when you are using a CDN you don't really hit domains that are cached

If a record is not cached locally, then it needs resolving, for sure. I still don't see your point as to how this applies here. Running a local name server doing its own recursing/resolving is the most efficient way to get the records to your LAN.

freejazz-man
Mar 5, 2013, 03:23 PM
well, if you use your ISP's DNS server it's going to be quicker for CDN content because it's going to cut down the number of servers queried

the ISP's DNS is likely faster running on better hardware

I've read a few people claiming that hitting their ISP's DNS instead of a local server improved the streaming quality for HD youtube videos

it's gotta be a pretty small time difference, but if you think about the context of streaming, that can be critical at times.

HenryAZ
Mar 5, 2013, 04:08 PM
well, if you use your ISP's DNS server it's going to be quicker for CDN content because it's going to cut down the number of servers queried

the ISP's DNS is likely faster running on better hardware

I've read a few people claiming that hitting their ISP's DNS instead of a local server improved the streaming quality for HD youtube videos

it's gotta be a pretty small time difference, but if you think about the context of streaming, that can be critical at times.

:eek: I give up.

freejazz-man
Mar 5, 2013, 04:23 PM
not exactly sure what you mean by that, but think about it

if you are trying to resolve blahla.sdlaskln.xjknl.kmcd.cdn.apple.net

the ISP DNS is going to be able to resolve the name quicker and still not have to relay it back to your DNS to respond to the client, it will respond directly to the client.

in the context of streaming a video being able to hit the CDN server .5 sec might mean less frames dropped. when a video is being streamed from youtube it's not just from one server, it's from a CDN where each server serves a little and then redirects to another node for more.

yeah, it's kinda a ridiculous example, but I was just throwing it out there as something I've noticed.

HenryAZ
Mar 5, 2013, 07:28 PM
if you are trying to resolve blahla.sdlaskln.xjknl.kmcd.cdn.apple.net

the ISP DNS is going to be able to resolve the name quicker and still not have to relay it back to your DNS to respond to the client, it will respond directly to the client.


I guess we'll just disagree on this. My name server does its own recursing/resolving (no ISP server in the mix). When I query from a client machine on the LAN (query my name server), the response is typically delivered to the client in <150ms. That's my name server, going out on the Internet directly to the authoritative source, and returning with the answer. The portion of the 150ms that is taken in relaying from my name server to my client is probably <5ms. Once I have it cached locally now, the response to my clients is way faster than any other server can provide.

That 150ms may be slow or fast compared to queries on other Internet connections, but it is my crappy Internet connection and every packet that traverses it has the same latency, whether I am using my name server or someone else's.

I do not agree that (necessarily) an ISP server provides better performance. Hardware they have to have to handle the query load, for sure, but many of them are still slammed anyway. If the hardware is supporting the query load as it should, the effective time DNS takes is on the network rtt, and the response time of the authoritative server.

freejazz-man
Mar 6, 2013, 12:31 PM
I only offered one very specific scenario where an ISP's server would provide better performance, so maybe you misunderstood me?

HenryAZ
Mar 6, 2013, 03:20 PM
I only offered one very specific scenario where an ISP's server would provide better performance, so maybe you misunderstood me?

I don't think I misunderstood, just disagree :) My experience is the lookup results get back to your LAN quicker with a local name server doing its own recursion.

freejazz-man
Mar 6, 2013, 06:40 PM
right, except in a scenario where an ISP would have names cached that you otherwise wouldn't, especially if you are going to do your own recursion

HenryAZ
Mar 7, 2013, 08:14 AM
right, except in a scenario where an ISP would have names cached that you otherwise wouldn't, especially if you are going to do your own recursion

To me that is the main valid argument that makes sense to take advantage of your ISP's (or a public) name server. The remote name server you use may be faster by having a record cached that you do not have cached yet. But if there is a problematic network path to it, or it is congested, it may be slower even with a cached answer. Depending on the ISP's dedication and support, its cache may also be an easy target for poisoning :)

The only way to know is to compare response times.

On a slight thread drift, but related to your YouTube comments, I've been following with interest a discussion on NANOG about certain backbone ISPs throttling YT video streams. Issues you see might not be DNS-related at all :)

Boy that whole anycasted CDN model is a can of worms.

freejazz-man
Mar 7, 2013, 09:25 AM
yeah, like I said, it's a very specific and limited scenario where it would be better to forgo your own DNS. any path to your ISP's DNS is likely pretty similar to whatever you would have to do to resolve a name anyway.

If your ISP has its cache poisoned, you probably have bigger problems than youtube streams :p

As for the throttling, that definitely happens, although it's distinct from the situation I'm referring to.

what's terrible about the CDN is that it's great for cybercrime. compromise one of those hosts and very few analysts are going to notice any unusual http content being served off a node