Professional Documents
Culture Documents
Table of Contents
1 INTRODUCTION ..................................................................................................................................3
2 SIMPLE SCENARIO – SINGLE LINKPROOF WITH EXTERNAL SOA ............................................3
3 MODIFYING DNS ON THE EXTERNAL SOA ....................................................................................4
3.1 REFERRING THE A RECORD RESOLUTION TO LINKPROOF ...................................................................... 4
3.2 ADDING A REDUNDANT (BACKUP) LINKPROOF DEVICE ........................................................................... 5
4 COMPLETE SETUP – REDUNDANT LINKPROOF DEVICES WITH MULTIPLE INTERNAL
SOAS ...........................................................................................................................................................6
1 Introduction
To provide inbound load balancing and redundancy, LinkProof uses DNS resolution to control the flow of
incoming traffic. This document describes how to configure LinkProof with DNS. It assumes that:
• You are familiar with configuring LinkProof ’s interface addresses and Next Hop Routers. For more
information on setting up LinkProof, refer to the LinkProof User Guide.
• You have a working knowledge of DNS. For more information on DNS, refer to DNS and Bind,
published by O’Reilly & Associates.
• You have familiarity with setting up redundancy.
Although LinkProof has a built-in DNS agent, it is not a full DNS server. It cannot answer queries for NS
records, CNAMES, or MX records. Only record requests that match URLs listed in the LinkProof DNS >
Name to Local IP table receive a response.
This section describes a typical (simple) scenario for configuring LinkProof with an external SOA (see
Figure 1).
COMPANY.COM has one internet link, ISP1. This ISP currently answers all requests for
www.company.com. With the installation of a new internet link, COMPANY adds a LinkProof device.
Note: The examples in this document use non-routable addresses. An actual installation would require
public, routable addresses.
Page 3
To set up a single LinkProof device with external SOA
1. Set up static NAT addresses for the Web server using the following LinkProof panes:
Because LinkProof handles the public addresses in this example, use the following static NAT
settings:
2. Configure DNS to Local IP using LinkProof > DNS > Name to Local IP.
Note: Use the internal address of the server, not the static NAT addresses.
This enables LinkProof to answer queries for www.company.com, and lookups directed to the
LinkProof device interfaces return static NAT addresses (such as 192.168.1.10 and 10.1.1.10).
Because most of the world will be querying ISP1’s DNS server, you have to modify the zone file so
that the requests go to the LinkProof device.
COMPANY.COM
@ IN SOA ns.company.com
IN MX mail
WWW IN A 192.168.1.100
MAIL IN A 192.168.1.101
COMPANY.COM
@ IN SOA ns.company.com
IN MX mail
WWW IN NS linkproof1
WWW IN NS linkproof2
MAIL IN NS linkproof1
MAIL IN NS linkproof2
LINKPROOF1 IN A 192.168.1.10
LINKPROOF2 IN A 10.1.1.10
Page 4
This delegates the final answer to LinkProof. Initially, the client queried the DNS server and received the
IP address. Now, the client queries the DNS server, which tells the client to query the LinkProof device
at one of the ISP interface addresses. The client then queries the LinkProof interface IP address, and is
given the static NAT address for www.company.com, choosing the best route to establish the connection
based on load balancing or proximity.
Two NS records are used and returned to the client because the external DNS server is not aware if
either of the links is down. Providing both ISP interfaces for LinkProof as A records is necessary to
properly delegate the query. The SOA can be made to round robin the NS records it provides so that
DNS queries are actively sent to each ISP.
ISP DNS: Does not know, ask LinkProof 1.company.com or LinkProof 2.company.com.
(This is the delegation)
LinkProof 1: 192.168.1.100
The same zone file would apply to multiple DNS servers, so that COMPANY.COM can register ISP1’s
DNS server as well as ISP2’s DNS server as the SOA (thus eliminating an additional point of failure).
Adding a backup LinkProof is straightforward and does not require many changes to the configuration as
described in Section 3.1 Referring the A Record Resolution to LinkProof. The changes entail duplicating
on the backup device
• the static NAT addresses that exist on the primary device (setting them to backup mode)
• the DNS to Local IP table.
1. Create a DNS virtual IP address. This is an additional, unique IP address for each ISP subnet. On
the primary device, you create the following entries using LinkProof > DNS > DNS Virtual IP:
COMPANY.COM
@ IN SOA ns.company.com
IN MX mail
WWW IN NS linkproof1
WWW IN NS linkproof2
MAIL IN NS linkproof1
MAIL IN NS linkproof2
LINKPROOF1 IN A 192.168.1.11
LINKPROOF2 IN A 10.1.1.11
Page 5
2. On the backup device, the same entries are created, but the mode is set to backup. The zone file
shows that the LINKPROOF 1 and LINKPROOF 2 IP addresses are now n.n.n.11 instead of
n.n.n.10.
Note: This also applies if the DNS servers are behind a DMZ.
Figure 2 illustrates the configuration for such a network. This configuration assume the firewalls answer
DNS on a unique IP address, rather than their interface addresses, and NAT traffic from the internal LAN
to a unique IP address. In this way, LinkProof can differentiate outbound LAN traffic from inbound DNS
or Web requests. While it is possible that all traffic (in and out) can be translated to the firewall’s
interface address, such a setup is covered separately in this document.
Figure 2 Redundant LinkProof Devices with Multiple Internal SOAs
The following are the interface, DNS, and NAT settings for this configuration:
1. Create a Virtual IP rather than the static NATs configured in Section 3.1 Referring to A Record
Resolution to LinkProof. From the LinkProof > Virtual IP pane, define a single, private IP address
(172.168.1.100) which is mapped to the DNS addresses on each firewall (172.168.1.40 and
172.168.1.41).
2. Create a Static NAT address for each ISP subnet, and use the Virtual IP as the local server using
the LinkProof > Smart NAT > Static NAT pane. These two static NAT entries are registered as the
SOA name servers with Network Solutions.
Note: If you are using internal DNS servers, you need to modify the LinkProof proximity parameters.
Because an internal DNS server queries LinkProof for the A record, you configure LinkProof to
ignore proximity calculations to these servers (otherwise, LinkProof calculates proximity for the
internal subnet).
When DNS requests from the Internet arrive at the static NAT addresses, they are load balanced
between the two firewalls (using the same algorithm that is used for NHR load balancing). Each firewall
is configured with a zone file similar to the Section 3.1 Referring to A Record Resolution to LinkProof, so
that the handling of the A record (the final, destination IP address) is referred to LinkProof’s interface (or
virtual DNS address).
Page 6
Page 7