Shorewall users - Nov 2007 - DNS resolution for Multi-ISP

Hello,

I trying to setup multi-isp configuration (using latest bering-uClibc
3.1-beta1), and began reading the corresponding doc:
            http://www.shorewall.net/3.0/MultiISP.html
I am not clear on how the DNS resolution happens if a DNS request
from one provider goes to the other provider''s name server. ISPs
these days serve their customers alone and reject all requests
outside their network. 

1. As part of multi-isp setup, is it possible to have the DNS requests
routed thru'' a provider go to provider''s DNS IPs?

2. Does listing all ISP''s DNS IPs into /etc/resolve.conf help?

Appreciate any pointers or links.

Thanks
__
Seva

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

imap@adari.net wrote:
> Hello,
> 
> I trying to setup multi-isp configuration (using latest bering-uClibc
> 3.1-beta1), and began reading the corresponding doc:
>             http://www.shorewall.net/3.0/MultiISP.html
> I am not clear on how the DNS resolution happens if a DNS request
> from one provider goes to the other provider''s name server. ISPs
> these days serve their customers alone and reject all requests
> outside their network. 
> 
> 1. As part of multi-isp setup, is it possible to have the DNS requests
> routed thru'' a provider go to provider''s DNS IPs?
> 
> 2. Does listing all ISP''s DNS IPs into /etc/resolve.conf help?
> 
> Appreciate any pointers or links.
DNS is not a special case  -- it obeys the same rules as any other
connection.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

> > I trying to setup multi-isp configuration (using latest bering-uClibc
> > 3.1-beta1), and began reading the corresponding doc:
> >             http://www.shorewall.net/3.0/MultiISP.html
> > I am not clear on how the DNS resolution happens if a DNS request
> > from one provider goes to the other provider''s name server.
ISPs
> > these days serve their customers alone and reject all requests
> > outside their network. 
> > 
> > 1. As part of multi-isp setup, is it possible to have the DNS requests
> > routed thru'' a provider go to provider''s DNS IPs?
> > 
> > 2. Does listing all ISP''s DNS IPs into /etc/resolve.conf
help?
> > 
> > Appreciate any pointers or links.
> 
> DNS is not a special case  -- it obeys the same rules as any other
> connection.
> 
> -Tom
Thanks for a prompt response Tom.

DNS not being special case does make sense. Do you have any suggestions
on how to deal with the DNS look up failures when the requests are sent
to wrong provider.

Thanks



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

imap@adari.net wrote:
>>> I trying to setup multi-isp configuration (using latest
bering-uClibc
>>> 3.1-beta1), and began reading the corresponding doc:
>>>             http://www.shorewall.net/3.0/MultiISP.html
>>> I am not clear on how the DNS resolution happens if a DNS request
>>> from one provider goes to the other provider''s name
server. ISPs
>>> these days serve their customers alone and reject all requests
>>> outside their network. 
>>>
>>> 1. As part of multi-isp setup, is it possible to have the DNS
requests
>>> routed thru'' a provider go to provider''s DNS IPs?
>>>
>>> 2. Does listing all ISP''s DNS IPs into /etc/resolve.conf
help?
>>>
>>> Appreciate any pointers or links.
>> DNS is not a special case  -- it obeys the same rules as any other
>> connection.
>>
>> -Tom
> 
> Thanks for a prompt response Tom.
> 
> DNS not being special case does make sense. Do you have any suggestions
> on how to deal with the DNS look up failures when the requests are sent
> to wrong provider.
What does "request are sent to wrong provider" mean?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

> >>> I trying to setup multi-isp configuration (using latest
bering-uClibc
> >>> 3.1-beta1), and began reading the corresponding doc:
> >>>             http://www.shorewall.net/3.0/MultiISP.html
> >>> I am not clear on how the DNS resolution happens if a DNS
request
> >>> from one provider goes to the other provider''s name
server. ISPs
> >>> these days serve their customers alone and reject all requests
> >>> outside their network. 
> >>>
> >>> 1. As part of multi-isp setup, is it possible to have the DNS
requests
> >>> routed thru'' a provider go to provider''s DNS
IPs?
> >>>
> >>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
> >>>
> >>> Appreciate any pointers or links.
> >> DNS is not a special case  -- it obeys the same rules as any other
> >> connection.
> >>
> >> -Tom
> > 
> > Thanks for a prompt response Tom.
> > 
> > DNS not being special case does make sense. Do you have any
suggestions
> > on how to deal with the DNS look up failures when the requests are
sent
> > to wrong provider.
> 
> What does "request are sent to wrong provider" mean?
> 
> -Tom
Let me give you an example:
isp1: DNS  1.2.3.4, 2.3.4.5
isp2: DNS  3.4.5.6, 4.5.6.7

Assume that we list all the above in /etc/resolv.conf file. When you 
start the very first time, if using multi-isp, the request for DNS
resolution could go to either of the two ISPs. Assume that the request
goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
This scenario is what I am referring to as ''wrong provider''
(DNS
resolution point of view).

Thanks






-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

imap@adari.net wrote:
>>>>> I trying to setup multi-isp configuration (using latest
bering-uClibc
>>>>> 3.1-beta1), and began reading the corresponding doc:
>>>>>             http://www.shorewall.net/3.0/MultiISP.html
>>>>> I am not clear on how the DNS resolution happens if a DNS
request
>>>>> from one provider goes to the other provider''s
name server. ISPs
>>>>> these days serve their customers alone and reject all
requests
>>>>> outside their network. 
>>>>>
>>>>> 1. As part of multi-isp setup, is it possible to have the
DNS requests
>>>>> routed thru'' a provider go to provider''s
DNS IPs?
>>>>>
>>>>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
>>>>>
>>>>> Appreciate any pointers or links.
>>>> DNS is not a special case  -- it obeys the same rules as any
other
>>>> connection.
>>>>
>>>> -Tom
>>> Thanks for a prompt response Tom.
>>>
>>> DNS not being special case does make sense. Do you have any
suggestions
>>> on how to deal with the DNS look up failures when the requests are
sent
>>> to wrong provider.
>> What does "request are sent to wrong provider" mean?
>>
>> -Tom
> 
> Let me give you an example:
> isp1: DNS  1.2.3.4, 2.3.4.5
> isp2: DNS  3.4.5.6, 4.5.6.7
> 
> Assume that we list all the above in /etc/resolv.conf file. When you 
> start the very first time, if using multi-isp, the request for DNS
> resolution could go to either of the two ISPs. Assume that the request
> goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
> This scenario is what I am referring to as ''wrong
provider'' (DNS
> resolution point of view).
>
You might consider route_rules that route 1.2.3.4 and 2.3.4.5 out of
isp1 and 3.4.5.6 and 4.5.6.7 out of isp2.....

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

imap@adari.net wrote:
>>>>> I trying to setup multi-isp configuration (using latest
bering-uClibc
>>>>> 3.1-beta1), and began reading the corresponding doc:
>>>>>             http://www.shorewall.net/3.0/MultiISP.html
>>>>> I am not clear on how the DNS resolution happens if a DNS
request
>>>>> from one provider goes to the other provider''s
name server. ISPs
>>>>> these days serve their customers alone and reject all
requests
>>>>> outside their network. 
>>>>>
>>>>> 1. As part of multi-isp setup, is it possible to have the
DNS requests
>>>>> routed thru'' a provider go to provider''s
DNS IPs?
>>>>>
>>>>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
>>>>>
>>>>> Appreciate any pointers or links.
>>>> DNS is not a special case  -- it obeys the same rules as any
other
>>>> connection.
>>>>
>>>> -Tom
>>> Thanks for a prompt response Tom.
>>>
>>> DNS not being special case does make sense. Do you have any
suggestions
>>> on how to deal with the DNS look up failures when the requests are
sent
>>> to wrong provider.
>> What does "request are sent to wrong provider" mean?
>>
>> -Tom
> 
> Let me give you an example:
> isp1: DNS  1.2.3.4, 2.3.4.5
> isp2: DNS  3.4.5.6, 4.5.6.7
> 
> Assume that we list all the above in /etc/resolv.conf file. When you 
> start the very first time, if using multi-isp, the request for DNS
> resolution could go to either of the two ISPs. Assume that the request
> goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
> This scenario is what I am referring to as ''wrong
provider'' (DNS
> resolution point of view).
> 
The exact procedure would depend on how your using the dns services of
the isp''s. Does just the firewall do the dns lookups or can every
client
contact the isp''s name servers? You can direct the lookups to the
correct isp to begin with, use tcrules or route_rules files. Off the top
of my head something like this in route_rules should work.

-	<ip_of_dns_server>	<providermark>	1000
-	<ip_of_dns_server2>	<providermark2>	1000
edit <> as required

This will cause all traffic to <ip_of_dns_server> to travel out that
isp''s interface. You could be more selective if you use the tcrules
file, by marking just the traffic of the ports involved.

Jerry











-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

imap@adari.net wrote:
>>>>> I trying to setup multi-isp configuration (using latest
bering-uClibc
>>>>> 3.1-beta1), and began reading the corresponding doc:
>>>>>             http://www.shorewall.net/3.0/MultiISP.html
>>>>> I am not clear on how the DNS resolution happens if a DNS
request
>>>>> from one provider goes to the other provider''s
name server. ISPs
>>>>> these days serve their customers alone and reject all
requests
>>>>> outside their network. 
>>>>>
>>>>> 1. As part of multi-isp setup, is it possible to have the
DNS requests
>>>>> routed thru'' a provider go to provider''s
DNS IPs?
>>>>>
>>>>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
>>>>>
>>>>> Appreciate any pointers or links.
>>>>>           
>>>> DNS is not a special case  -- it obeys the same rules as any
other
>>>> connection.
>>>>
>>>> -Tom
>>>>         
>>> Thanks for a prompt response Tom.
>>>
>>> DNS not being special case does make sense. Do you have any
suggestions
>>> on how to deal with the DNS look up failures when the requests are
sent
>>> to wrong provider.
>>>       
>> What does "request are sent to wrong provider" mean?
>>
>> -Tom
>>     
>
> Let me give you an example:
> isp1: DNS  1.2.3.4, 2.3.4.5
> isp2: DNS  3.4.5.6, 4.5.6.7
>
> Assume that we list all the above in /etc/resolv.conf file. When you 
> start the very first time, if using multi-isp, the request for DNS
> resolution could go to either of the two ISPs. Assume that the request
> goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
> This scenario is what I am referring to as ''wrong
provider'' (DNS
> resolution point of view).
>
>   
Perhaps, consider installing bind onto your router, configure it for 
forwarding, and then redirect all DNS queries to that service. I do this 
on many systems. It works flawlessly, and can save a fair bit of 
upstream bandwidth.

Regards,
T


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

In a scenario like this, I would just run bind on one of the local
servers and let it do lookups from the DNS root, ignoring the ISPs
forwarders completely. There''s no rule that you have to use them,
they''re mostly for the desktop users who can''t maintain a
long-term
DNS cache...

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

> >>>>> I trying to setup multi-isp configuration (using
latest bering-uClibc
> >>>>> 3.1-beta1), and began reading the corresponding doc:
> >>>>>             http://www.shorewall.net/3.0/MultiISP.html
> >>>>> I am not clear on how the DNS resolution happens if a
DNS request
> >>>>> from one provider goes to the other
provider''s name server. ISPs
> >>>>> these days serve their customers alone and reject all
requests
> >>>>> outside their network. 
> >>>>>
> >>>>> 1. As part of multi-isp setup, is it possible to have
the DNS requests
> >>>>> routed thru'' a provider go to
provider''s DNS IPs?
> >>>>>
> >>>>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
> >>>>>
> >>>>> Appreciate any pointers or links.
> >>>> DNS is not a special case  -- it obeys the same rules as
any other
> >>>> connection.
> >>>>
> >>>> -Tom
> >>> Thanks for a prompt response Tom.
> >>>
> >>> DNS not being special case does make sense. Do you have any
suggestions
> >>> on how to deal with the DNS look up failures when the requests
are sent
> >>> to wrong provider.
> >> What does "request are sent to wrong provider" mean?
> >>
> >> -Tom
> > 
> > Let me give you an example:
> > isp1: DNS  1.2.3.4, 2.3.4.5
> > isp2: DNS  3.4.5.6, 4.5.6.7
> > 
> > Assume that we list all the above in /etc/resolv.conf file. When you 
> > start the very first time, if using multi-isp, the request for DNS
> > resolution could go to either of the two ISPs. Assume that the request
> > goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
> > This scenario is what I am referring to as ''wrong
provider'' (DNS
> > resolution point of view).
> >
> 
> You might consider route_rules that route 1.2.3.4 and 2.3.4.5 out of
> isp1 and 3.4.5.6 and 4.5.6.7 out of isp2.....
> 
> -Tom
Thanks for the tip. I have read the route_rules doc and things are
a bit clear to me.

Thanks for all the help and wonderful package!




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

> >>>>> I trying to setup multi-isp configuration (using
latest bering-uClibc
> >>>>> 3.1-beta1), and began reading the corresponding doc:
> >>>>>             http://www.shorewall.net/3.0/MultiISP.html
> >>>>> I am not clear on how the DNS resolution happens if a
DNS request
> >>>>> from one provider goes to the other
provider''s name server. ISPs
> >>>>> these days serve their customers alone and reject all
requests
> >>>>> outside their network. 
> >>>>>
> >>>>> 1. As part of multi-isp setup, is it possible to have
the DNS requests
> >>>>> routed thru'' a provider go to
provider''s DNS IPs?
> >>>>>
> >>>>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
> >>>>>
> >>>>> Appreciate any pointers or links.
> >>>> DNS is not a special case  -- it obeys the same rules as
any other
> >>>> connection.
> >>>>
> >>>> -Tom
> >>> Thanks for a prompt response Tom.
> >>>
> >>> DNS not being special case does make sense. Do you have any
suggestions
> >>> on how to deal with the DNS look up failures when the requests
are sent
> >>> to wrong provider.
> >> What does "request are sent to wrong provider" mean?
> >>
> >> -Tom
> > 
> > Let me give you an example:
> > isp1: DNS  1.2.3.4, 2.3.4.5
> > isp2: DNS  3.4.5.6, 4.5.6.7
> > 
> > Assume that we list all the above in /etc/resolv.conf file. When you 
> > start the very first time, if using multi-isp, the request for DNS
> > resolution could go to either of the two ISPs. Assume that the request
> > goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
> > This scenario is what I am referring to as ''wrong
provider'' (DNS
> > resolution point of view).
> > 
> 
> The exact procedure would depend on how your using the dns services of
> the isp''s. Does just the firewall do the dns lookups or can every
client
> contact the isp''s name servers? You can direct the lookups to the
> correct isp to begin with, use tcrules or route_rules files. Off the top
> of my head something like this in route_rules should work.
> 
> -	<ip_of_dns_server>	<providermark>	1000
> -	<ip_of_dns_server2>	<providermark2>	1000
> edit <> as required
> 
> This will cause all traffic to <ip_of_dns_server> to travel out that
> isp''s interface. You could be more selective if you use the
tcrules
> file, by marking just the traffic of the ports involved.
> 
> Jerry
Thanks Jerry for the example. I understand now how
''route_rules'' can
help for directing the traffic.




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

Quoting Andrew Suffield <asuffield@suffields.me.uk>:
> In a scenario like this, I would just run bind on one of the local
> servers and let it do lookups from the DNS root, ignoring the ISPs
> forwarders completely. There''s no rule that you have to use them,
> they''re mostly for the desktop users who can''t maintain a
long-term
> DNS cache...
> 
We have a local split level DNS and hence, I think, route_rule would
be a better choice.

Thanks


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

Quoting terry.gilsenan@interoil.com:
> imap@adari.net wrote:
> >>>>> I trying to setup multi-isp configuration (using
latest bering-uClibc
> >>>>> 3.1-beta1), and began reading the corresponding doc:
> >>>>>             http://www.shorewall.net/3.0/MultiISP.html
> >>>>> I am not clear on how the DNS resolution happens if a
DNS request
> >>>>> from one provider goes to the other
provider''s name server. ISPs
> >>>>> these days serve their customers alone and reject all
requests
> >>>>> outside their network. 
> >>>>>
> >>>>> 1. As part of multi-isp setup, is it possible to have
the DNS requests
> >>>>> routed thru'' a provider go to
provider''s DNS IPs?
> >>>>>
> >>>>> 2. Does listing all ISP''s DNS IPs into
/etc/resolve.conf help?
> >>>>>
> >>>>> Appreciate any pointers or links.
> >>>>>           
> >>>> DNS is not a special case  -- it obeys the same rules as
any other
> >>>> connection.
> >>>>
> >>>> -Tom
> >>>>         
> >>> Thanks for a prompt response Tom.
> >>>
> >>> DNS not being special case does make sense. Do you have any
suggestions
> >>> on how to deal with the DNS look up failures when the requests
are sent
> >>> to wrong provider.
> >>>       
> >> What does "request are sent to wrong provider" mean?
> >>
> >> -Tom
> >>     
> >
> > Let me give you an example:
> > isp1: DNS  1.2.3.4, 2.3.4.5
> > isp2: DNS  3.4.5.6, 4.5.6.7
> >
> > Assume that we list all the above in /etc/resolv.conf file. When you 
> > start the very first time, if using multi-isp, the request for DNS
> > resolution could go to either of the two ISPs. Assume that the request
> > goes to isp2 but the DNS server picked for resolution is 1.2.3.4. 
> > This scenario is what I am referring to as ''wrong
provider'' (DNS
> > resolution point of view).
> >
> >   
> Perhaps, consider installing bind onto your router, configure it for 
> forwarding, and then redirect all DNS queries to that service. I do this 
> on many systems. It works flawlessly, and can save a fair bit of 
> upstream bandwidth.
> 
> Regards,
> T
Thanks for your suggestion. We internally have a DNS system that we 
want to continue to use and hence I am thinking ''route_rule''
is the
way to go.

Thanks




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

<quote who="imap@adari.net">
[...]
> DNS not being special case does make sense. Do you have any suggestions
> on how to deal with the DNS look up failures when the requests are sent
> to wrong provider.
Easyest is to actually have your own Internal DNS Caching Server.
Configured in a way it has alterative forwarders, it will take care of
serving all internal clients, and fail over to the next available
forwader.

As you are customer of both providers, they should accept request from
this DNS Server, and your prolbem is solved. One advantage is also, that
your DNS Requests will be served way faster than through the ISP Link, and
you don''t need any special configuration on any other device to have
this
setup working.
Cheers

Joerg
-- 
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy@solsys.org                (Home)|
| in Forchheim/Germany      :  smurphy@linux.de                  (Alt1)|
| Stardust''s LiNUX System   :                                         
|
| Web: http://www.solsys.org                                           |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/