Jamie Begin
2011-Aug-03 14:42 UTC
Dual ISP config: How to forward DNS requests to the proper server?
I'm using Shorewall with a load-balanced multi-ISP config along with LSM for failover. It's working great, except for DNS requests. I'd appreciate some advice on how to best configure this.

The WAN connections are a T1 through XO and a cable connection through Comcast. About 80% of the traffic is routed out the Comcast connection under normal conditions. I would like to ensure that DNS requests that leave the Comcast interface are routed to Comcast's DNS servers and vice versa for XO. I know I can add some entries in tc-rules, but this only solves part of the problem. It still requires that clients know which DNS server to request. But since the client has no idea which WAN interface the request will travel through, it can't know whether to send the lookup to Comcast or XO's DNS server.

I suspect that I need to do some type of outgoing NAT. But I'm not sure if I'm over-complicating things. And if I'm not, how do I configure something like this? Thanks!

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
Joerg Gollnick
2011-Aug-03 15:47 UTC
Re: Dual ISP config: How to forward DNS requests to the proper server?
On Wednesday, 3 August 2011, 10:42:09, Jamie Begin wrote:
> I'm using Shorewall with a load-balanced multi-ISP config along with LSM for
> failover. It's working great, except for DNS requests. I'd appreciate some
> advice on how to best configure this.
>
> The WAN connections are a T1 through XO and a cable connection through
> Comcast. About 80% of the traffic is routed out the Comcast connection
> under normal conditions. I would like to ensure that DNS requests that
> leave the Comcast interface are routed to Comcast's DNS servers and vice
> versa for XO. I know I can add some entries in tc-rules, but this only
> solves part of the problem. It still requires that clients know which DNS
> server to request. But since the client has no idea which WAN interface the
> request will travel through, it can't know whether to send the lookup to
> Comcast or XO's DNS server.
>
> I suspect that I need to do some type of outgoing NAT. But I'm not sure if
> I'm over-complicating things. And if I'm not, how do I configure something
> like this? Thanks!

Hello Jamie,

you can try to split the DNS "questions" with dnsmasq, if you have a provider config where you split the traffic by domain.

    # dnsmasq.conf
    # ask comcast for comcast domains
    server=/comcast.com/68.87.29.164

(So you move the problem from the client to the server.)

Hope that helps a little bit.

Best regards
Jörg
Tom Eastep
2011-Aug-03 15:49 UTC
Re: Dual ISP config: How to forward DNS requests to the proper server?
On Aug 3, 2011, at 7:42 AM, Jamie Begin wrote:
> I'm using Shorewall with a load-balanced multi-ISP config along with LSM for failover. It's working great, except for DNS requests. I'd appreciate some advice on how to best configure this.
>
> The WAN connections are a T1 through XO and a cable connection through Comcast. About 80% of the traffic is routed out the Comcast connection under normal conditions. I would like to ensure that DNS requests that leave the Comcast interface are routed to Comcast's DNS servers and vice versa for XO. I know I can add some entries in tc-rules, but this only solves part of the problem. It still requires that clients know which DNS server to request. But since the client has no idea which WAN interface the request will travel through, it can't know whether to send the lookup to Comcast or XO's DNS server.
>
> I suspect that I need to do some type of outgoing NAT. But I'm not sure if I'm over-complicating things. And if I'm not, how do I configure something like this? Thanks!
>

I suggest that you run a caching-only name server on the firewall and not bother with your ISPs' name servers.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ed W
2011-Aug-03 19:25 UTC
Re: Dual ISP config: How to forward DNS requests to the proper server?
On 03/08/2011 16:49, Tom Eastep wrote:
>
> On Aug 3, 2011, at 7:42 AM, Jamie Begin wrote:
>
>> I'm using Shorewall with a load-balanced multi-ISP config along with
>> LSM for failover. It's working great, except for DNS requests. I'd
>> appreciate some advice on how to best configure this.
>>
>> The WAN connections are a T1 through XO and a cable connection through
>> Comcast. About 80% of the traffic is routed out the Comcast
>> connection under normal conditions. I would like to ensure that DNS
>> requests that leave the Comcast interface are routed to Comcast's DNS
>> servers and vice versa for XO. I know I can add some entries in
>> tc-rules, but this only solves part of the problem.
...
> I suggest that you run a caching-only name server on the firewall and
> not bother with your ISPs' name servers.
...

This still leaves you the problem of what to do if a client isn't configured to use the caching nameserver on the firewall... (DHCP might help of course)

I believe there is nothing that prevents you using a REDIRECT rule on the firewall to snarf all DNS requests and redirect them to the local caching nameserver (dnsmasq/unbound are nice for caching only / recursive). I presume there is also no problem to use DNAT to redirect the request upstream if that's preferable..?

The final thing you could do is use some DNS server that works via either connection and then just redirect normally... Many DNS servers don't care what IP you come from. Failing that there is google dns/opendns.

Just mentioning another cool thing you can do (not useful here, but wanted to mention the feature). The author of dnsmasq has added passthrough of packet marks. This means if you mark some connection to the local DNS server, then the upstream request (if there is one) acquires the same mark. No use in this case, but I think it's a cool feature that's worth shouting about in case someone else has a use...

Good luck

Ed W
Benny Pedersen
2011-Aug-03 23:36 UTC
Re: Dual ISP config: How to forward DNS requests to the proper server?
On Wed, 3 Aug 2011 10:42:09 -0400, Jamie Begin wrote:
> I'm using Shorewall with a load-balanced multi-ISP config along with
> LSM for failover. It's working great, except for DNS requests. I'd
> appreciate some advice on how to best configure this.

If you run BIND you will get the most performance with DNS over all possible ISP links, e.g. don't add forwarders as a global forward; that way the root zone is used to split the load out to more than one name server IP where you are the client.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2011-Aug-04 00:42 UTC
Re: Dual ISP config: How to forward DNS requests to the proper server?
On Aug 3, 2011, at 12:25 PM, Ed W wrote:
> On 03/08/2011 16:49, Tom Eastep wrote:
>>
>> On Aug 3, 2011, at 7:42 AM, Jamie Begin wrote:
>>
>>> I'm using Shorewall with a load-balanced multi-ISP config along with
>>> LSM for failover. It's working great, except for DNS requests. I'd
>>> appreciate some advice on how to best configure this.
>>>
>>> The WAN connections are a T1 through XO and a cable connection through
>>> Comcast. About 80% of the traffic is routed out the Comcast
>>> connection under normal conditions. I would like to ensure that DNS
>>> requests that leave the Comcast interface are routed to Comcast's DNS
>>> servers and vice versa for XO. I know I can add some entries in
>>> tc-rules, but this only solves part of the problem.
> ...
>
>> I suggest that you run a caching-only name server on the firewall and
>> not bother with your ISPs' name servers.
>
> ...
>
> This still leaves you the problem of what to do if a client isn't
> configured to use the caching nameserver on the firewall... (DHCP might
> help of course)

If hosts behind the gateway are configuring their own name servers, there are more basic problems with the installation than the multi-ISP issue.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2011-Aug-04 15:02 UTC
Re: Dual ISP config: How to forward DNS requests to the proper server?
On Wed, 2011-08-03 at 17:42 -0700, Tom Eastep wrote:
> On Aug 3, 2011, at 12:25 PM, Ed W wrote:
>>
>> This still leaves you the problem of what to do if a client isn't
>> configured to use the caching nameserver on the firewall... (DHCP might
>> help of course)
>
> If hosts behind the gateway are configuring their own name servers, there are more basic problems with the installation than the multi-ISP issue.
>

Nevertheless, I agree that REDIRECT rules for both udp and tcp port 53 would solve that problem.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
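The configuration the thread converges on (Tom's caching-only resolver on the firewall, Ed W's REDIRECT to capture stray client queries, Tom's note that both udp and tcp port 53 are needed, and Joerg's per-domain split in dnsmasq), written out as one worked example. This is added editorial material, not configuration posted by anyone in the thread or shipped by the Shorewall or dnsmasq projects. Assumptions: the LAN zone is named "loc", the internet zone "net", the LAN interface is eth0, dnsmasq is the resolver on the firewall, the Comcast provider in /etc/shorewall/providers uses mark 1, and the "works from either link" upstream is Google public DNS, which Ed W mentioned; 68.87.29.164 is the Comcast resolver from Joerg's message.

```text
# /etc/shorewall/rules  (Shorewall 4.x; zone names "loc"/"net" assumed)
#
# Capture every DNS query leaving the LAN, whatever resolver the client
# was configured with, and hand it to the resolver on the firewall.
# Both protocols matter: UDP for ordinary lookups, TCP for answers that
# are truncated over UDP (large responses, DNSSEC-signed data, AXFR).
# A plain REDIRECT rule also generates the matching ACCEPT, so no extra
# loc -> $FW port 53 rule is required.
#
#ACTION     SOURCE  DEST          PROTO   DEST PORT(S)
REDIRECT    loc     53            udp     53
REDIRECT    loc     53            tcp     53
#
# Alternative (Ed W's DNAT variant): send client queries straight to an
# upstream resolver that accepts queries from either link and let the
# multi-ISP routing choose the egress. Use this OR the REDIRECT pair,
# not both.
#DNAT       loc     net:8.8.8.8   udp     53
#DNAT       loc     net:8.8.8.8   tcp     53


# /etc/shorewall/tcrules  (only needed for the per-domain split below)
#
# dnsmasq's query to Comcast's resolver originates on the firewall, so
# without this it may be balanced out the XO link and be refused.
# The MARK value must equal the MARK column of the Comcast entry in
# /etc/shorewall/providers (assumed to be 1 here).
#
#MARK   SOURCE  DEST            PROTO   DEST PORT(S)
1       $FW     68.87.29.164    udp     53
1       $FW     68.87.29.164    tcp     53


# /etc/dnsmasq.conf on the firewall (caching-only forwarder)
#
# Answer only on the LAN side; never expose the cache to the internet.
interface=eth0
bind-interfaces
# Ignore /etc/resolv.conf, which the ISP links may rewrite, and use the
# explicit upstreams below.
no-resolv
# Upstreams that answer no matter which ISP the query egresses from
# (assumed: Google public DNS, as mentioned in the thread).
server=8.8.8.8
server=8.8.4.4
# Per-domain split, as in Joerg's example: names under comcast.com go to
# Comcast's own resolver. Works only when the query leaves via Comcast
# (see the tcrules entry above).
server=/comcast.com/68.87.29.164
# Drop upstream answers that resolve to private addresses (anti-rebinding);
# allow 127.0.0.0/8 answers, which some services legitimately return.
stop-dns-rebind
rebind-localhost-ok
# Answer cache size (dnsmasq's default is 150 entries).
cache-size=1000
```

To check that the capture works, run `dig @8.8.8.8 example.com` from a LAN host and confirm with `shorewall show nat` that the packet counters on the two REDIRECT rules increase; the answer must come back even though the client never talked to 8.8.8.8 directly. With the REDIRECT pair in place, Tom's point stands: clients that configure their own resolver no longer matter for this problem, but they are still a sign that the DHCP/host configuration needs fixing.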