
Using a Windows DNS for Load Balancing

 
Chris Barratt
Frequent Advisor

Using a Windows DNS for Load Balancing

We are looking at making use of TCP/IP load balancing (i.e. the metric server, load broker stuff). I have asked our VMS guys to look into it, and we have come up against a snag.

Our DNS servers are based on Windows (Active Directory) and the guys that manage this have come back to the VMS group with 2 concerns:

1. Security - the only way to securely update an AD DNS seems to be with a client that is a trusted user or machine in the Windows domain. It is possible to turn on non-secure updates, but this apparently is subject to risks of denial of service and DNS poisoning attacks.

2. Performance - they are worried about the regularity of updates, particularly since there are 5 secondary DNS servers, to which changes will be replicated. Add to this the time it takes for DNS changes to propagate out to secondary servers, it is possible that clients won't see changes quickly anyway.

I was wondering if anyone out there is using load-balancing with a Windows DNS and if so whether they also ran into these concerns?

Thanks,
Chris

7 REPLIES
John Gillings
Honored Contributor

Re: Using a Windows DNS for Load Balancing

Hi Chris,

Your question needs more background than can be effectively dealt with in this forum. Please send me email so we can log a case for you.

Quick answers...

1) on the face of it, yes, non-secure updates to DNS risk attacks. Avoid.

2) How frequent are updates likely to be? Propagation delay probably isn't too much of a concern. The addresses will always be *valid*, there might be some connections made during the switch over window which might not be *optimal*, but unless you're really running on the edge, this shouldn't matter (besides, this will have the effect of slowing down any switch back, so over time should be somewhat self correcting).

You could move your DNS server to OpenVMS and bypass the issues altogether ;-)
A crucible of informative mistakes
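
The check behind point 1, as an added example that is not part of the original thread: a PowerShell audit that lists each primary zone's dynamic-update setting and flags zones that accept non-secure updates. It assumes the `DnsServer` module (Windows Server 2012 or later, or RSAT), which is newer than the servers discussed here; the function name `Get-ZoneUpdateAudit` is made up for this example.

```powershell
# Added example. Assumption: the DnsServer module is available on this host.
Import-Module DnsServer

function Get-ZoneUpdateAudit {
    param(
        # DNS server to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    Get-DnsServerZone -ComputerName $ComputerName |
        # Only primary zones accept dynamic updates; skip auto-created zones.
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $finding = switch ("$($_.DynamicUpdate)") {
                'NonsecureAndSecure' { 'RISK: unauthenticated clients can add or overwrite records' }
                'Secure'             { 'OK: updates must be authenticated by the domain' }
                'None'               { 'OK: dynamic update disabled' }
                default              { "REVIEW: unexpected value '$($_.DynamicUpdate)'" }
            }
            [pscustomobject]@{
                Zone          = $_.ZoneName
                DsIntegrated  = $_.IsDsIntegrated   # secure updates need an AD-integrated zone
                DynamicUpdate = $_.DynamicUpdate
                Finding       = $finding
            }
        }
}

# Show risky zones first.
Get-ZoneUpdateAudit | Sort-Object Finding -Descending | Format-Table -AutoSize

# To restrict an AD-integrated zone to secure updates (zone name is a placeholder):
# Set-DnsServerPrimaryZone -Name 'example.internal' -DynamicUpdate Secure
```
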
Ian Miller.
Honored Contributor

Re: Using a Windows DNS for Load Balancing

What version of VMS and which TCP/IP product?
____________________
Purely Personal Opinion
Chris Barratt
Frequent Advisor

Re: Using a Windows DNS for Load Balancing

VMS 7.3-2 and TCPIP Services 5.4 - ECO 5
Windows 2003
Chris Barratt
Frequent Advisor

Re: Using a Windows DNS for Load Balancing

Hi John,

Yep, will send you an email. I posted here to see if there was anyone else working in this environment too.

I would love to run the DNS on OpenVMS, but as this is all run on a government-wide basis, not just for our organisation, I think I might have trouble getting this through (not that I won't at least suggest it!).

This is not really my normal area of expertise, so I am just sort of getting second opinions.

What would happen in a Unix/VMS environment... if say the DNS was on a Unix box, would there be the same authentication issue?
Or is this yet another case of Windows only playing nicely with other Windows boxes?

I agree with you in regard to the propagation angle... all in all it should even itself out.

cheers,
Chris.
Jan van den Ende
Honored Contributor

Re: Using a Windows DNS for Load Balancing

Chris,

fwiw,

We are also running in a Government environment, with similar constraints. (NO chance of DNS on VMS, in spite of the obvious advantages to availability and maintainability).
I do not know about M$ DNS servers, but you also mentioned *X as DNS option.

What we are using is Tru64 DNS as a "poor man's" clustername implementation, but we actually turned it into benefits.

Forget about the IP-cluster alias.

We implement the clustername as a round-robin CNAME over the nodenames.

Extra bonus:

We implement all cluster-aware applics as CNAMEs to the cluster name.
Non-cluster aware apps (typically Database systems ported from *X) point to the node that currently provides that service.
Now, we are able to do planned maintenance to any node or application by (having) the CNAME temporarily changed: remove the node out of the round-robin, or set the applic to a temporary round-robin which excludes the maintenance node.

The overall effect is that we have a reasonable spread of workload, AND, we are able to do rolling updates to the OS or any applic.

I am completely ignorant of the (im-)possibility of M$ DNS to implement the same.

hth.

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.
Chris Barratt
Frequent Advisor

Re: Using a Windows DNS for Load Balancing

Thanks Jan.
We already run in a similar manner to you... in that we have an entry in the DNS to do round robin across our 2 nodes. We then have DNS entries for each of our groups of users which will either point to the round robin entry, or to an individual node. Like your setup it gives us some control of where we want users connecting - particularly useful when migrating between clusters.

I think I need to explore if there are any quick ways of changing this round robin entry on the fly, as currently it would be a service request to our outsourcer, and the turnaround for this could see the change happen a few days after we need it done! :-)

I was looking at load balancing to solve this problem and also better load our machines, which are a bit lopsided load-wise at the moment.

After discussions from the call I logged, I think I will probably stick with round-robin for the moment and see if I can manually even things up a bit.
Peter Quodling
Trusted Contributor

Re: Using a Windows DNS for Load Balancing

While there was a tongue-in-cheek comment from John Gillings about moving DNS to VMS, I'd just like to point out that in the past, on a number of configurations, I have used a VMS system as a firewall and/or proxy server.

It's one surefire way of keeping the Eunuchs Script jockeys away...

q
Leave the Money on the Fridge.