From: Ed W <li...@wi...> - 2011-08-03 19:25:21
On 03/08/2011 16:49, Tom Eastep wrote:
>
> On Aug 3, 2011, at 7:42 AM, Jamie Begin wrote:
>
>> I'm using Shorewall with a load-balanced multi-ISP config along with
>> LSM for failover. It's working great, except for DNS requests. I'd
>> appreciate some advice on how to best configure this.
>>
>> The WAN connections are a T1 through XO and a cable connection through
>> Comcast. About 80% of the traffic is routed out the Comcast
>> connection under normal connections. I would like to ensure that DNS
>> requests that leave the Comcast interface are routed to Comcast's DNS
>> servers and vice versa for XO. I know I can add some entries in
>> tc-rules, but this only solves part of the problem.
...
> I suggest that you run a caching-only name server on the firewall and
> not bother with your ISPs' name servers.
...

This still leaves you the problem of what to do if a client isn't configured to use the caching nameserver on the firewall... (DHCP might help of course)

I believe there is nothing that prevents you using a REDIRECT rule on the firewall to snarf all DNS requests and redirect them to the local caching nameserver (dnsmasq/unbound are nice for caching-only / recursive). I presume there is also no problem to use DNAT to redirect the request upstream if that's preferable..?

The final thing you could do is use some DNS server that works via either connection and then just redirect normally... Many DNS servers don't care what IP you come from. Failing that there is Google DNS/OpenDNS.

Just mentioning another cool thing you can do (not useful here, but wanted to mention the feature). The author of dnsmasq has added passthrough of packet marks. This means if you mark some connection to the local DNS server, then the upstream request (if there is one) acquires the same mark. No use in this case, but I think it's a cool feature that's worth shouting about in case someone else has a use...

Good luck

Ed W
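An added configuration example, not part of the thread, showing the REDIRECT approach Ed describes (all LAN DNS forced to a caching dnsmasq on the firewall) with the DNAT alternative beside it for comparison, and the matching dnsmasq fragment. The zone names loc/net, interface names, LAN address, resolver addresses, and the assumption that the dnsmasq build accepts the @<interface> suffix on server= are all placeholders or assumptions, not values from the thread.

```conf
# /etc/shorewall/rules (fragment). Zones assumed: loc = LAN, net = both ISP links.
#ACTION    SOURCE   DEST                 PROTO   DEST    SOURCE   ORIGINAL
#                                                PORT    PORT(S)  DEST
# Option A (Ed's REDIRECT suggestion): every DNS query leaving the LAN, no
# matter which resolver the client was configured with, is handed to the
# caching resolver on the firewall. REDIRECT also generates the filter ACCEPT.
REDIRECT   loc      53                   udp     53
REDIRECT   loc      53                   tcp     53
# Option B (the DNAT alternative): rewrite the query to one upstream resolver
# instead of answering locally. 203.0.113.53 is a placeholder address.
#DNAT      loc      net:203.0.113.53     udp     53
#DNAT      loc      net:203.0.113.53     tcp     53
# The firewall's own resolver must reach the upstreams; only needed if the
# $FW -> net policy is not already ACCEPT.
ACCEPT     $FW      net                  udp     53
ACCEPT     $FW      net                  tcp     53

# /etc/dnsmasq.conf (fragment) on the firewall, caching-only.
port=53
# Placeholder: loopback plus the firewall's LAN address.
listen-address=127.0.0.1,192.168.1.1
bind-interfaces
# Ignore /etc/resolv.conf; use only the server= lines below.
no-resolv
# Placeholder upstream resolvers. The @<interface> suffix (assumed supported
# by this dnsmasq build) binds each upstream query to that link, which keeps
# each ISP's resolver on the ISP's own connection.
server=203.0.113.53@eth1
server=198.51.100.53@eth2
cache-size=10000
# The mark passthrough Ed mentions is dnsmasq's conntrack option (requires a
# build with conntrack support). Not needed for this setup, so left disabled.
#conntrack
```

Option A and Option B are alternatives for the same traffic; enable only one pair of loc rules, and keep the REDIRECT pair if the caching resolver is the goal.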