DNS Load-Balancing with HAPROXY
Solution 1
It looks perfectly fine. The outgoing part of an IP connection (from 10.10.24.5 to 10.10.24.2) usually uses a random (or semi-random) port; it doesn't need to have the same port number as the target machine.
What is more important is that you also have a line like this:
udp 0 0 10.10.24.5:53 0.0.0.0:* LISTEN
which indicates that HAProxy is indeed listening on UDP port 53 for DNS requests and is ready to forward them to the subsequent servers.
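To make the distinction in this answer checkable, here is an added example (not from the thread) that classifies `netstat -tuna` lines: a socket bound to port 53 with no peer (`0.0.0.0:*`) is a listener that can serve clients, while a random local port talking to a remote `:53` is the proxy's own outbound query. The sample output below is constructed from the question's lines.

```python
"""Tell a real DNS listener on UDP 53 apart from a resolver's own outbound
queries (ephemeral source port -> remote :53) in netstat -tuna output.
Added example, not part of the original thread; sample lines are constructed."""

DNS_PORT = "53"
PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")


def _split_endpoint(endpoint):
    # "10.10.24.5:35000" -> ("10.10.24.5", "35000"); also handles ":::53"
    host, _, port = endpoint.rpartition(":")
    return host, port


def classify_line(line):
    """Return 'dns_listener', 'outbound_query', 'other', or None for non-socket lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in PROTOCOLS:
        return None  # column header or unrelated text
    _, local_port = _split_endpoint(fields[3])
    _, remote_port = _split_endpoint(fields[4])
    # A bound socket with no peer is what a server shows. netstat prints UDP
    # listeners with an empty State column, so never rely on seeing "LISTEN".
    if remote_port == "*" and local_port == DNS_PORT:
        return "dns_listener"
    # Remote port 53 with a random local port: the box is querying upstream
    # servers itself (what the HAProxy resolvers section does), not serving clients.
    if remote_port == DNS_PORT and local_port != DNS_PORT:
        return "outbound_query"
    return "other"


def dns_listener_present(netstat_output):
    """True if any socket is bound to port 53 and can accept client queries."""
    return any(classify_line(line) == "dns_listener"
               for line in netstat_output.splitlines())


# Constructed sample: the two lines from the question, then the same output
# with the listener line a working DNS forwarder would add.
QUESTION_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 10.10.24.5:35000        10.10.24.2:53           ESTABLISHED
udp        0      0 10.10.24.5:35000        10.10.24.4:53           ESTABLISHED
"""
WITH_LISTENER = QUESTION_OUTPUT + "udp        0      0 10.10.24.5:53           0.0.0.0:*\n"

if __name__ == "__main__":
    for name, output in (("question", QUESTION_OUTPUT), ("with listener", WITH_LISTENER)):
        print(name, "-> listener on 53:", dns_listener_present(output))
```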
Solution 2
You don't need to load balance your DNS servers. It is enough to have two DNS servers configured on the client side and that's it.
If you don't have another machine acting as a load balancer, you will be creating a single point of failure for DNS service.
This is a similar post at serverfault.
sergio
Updated on September 18, 2022
Comments
-
sergio over 1 year
I have a net with 2 DNS servers (master & slave), but I don't want clients to ask directly to them. So, in the same net, I have a debian machine with haproxy 1.7.5 installed. I want clients to have in their /etc/resolv.conf file the IP of the proxy. I want the proxy to balance the load between the two servers.
IP DNS master = 10.10.24.2
IP DNS slave = 10.10.24.4
IP PROXY = 10.10.24.5
In the file /etc/haproxy/haproxy.cfg at the end, I added:
resolvers mydns
    nameserver dns1 10.10.24.2:53
    nameserver dns2 10.10.24.4:53
Then I start haproxy:
haproxy -f /etc/haproxy/haproxy.cfg
If I execute in the proxy:
netstat -tuna
I get these two new lines:
udp 0 0 10.10.24.5:35000 10.10.24.2:53 ESTABLISHED
udp 0 0 10.10.24.5:35000 10.10.24.4:53 ESTABLISHED
But I was expecting to receive something like this:
udp 0 0 10.10.24.5:53 10.10.24.2:53 ESTABLISHED
udp 0 0 10.10.24.5:53 10.10.24.4:53 ESTABLISHED
Obviously, the DNS requests from clients to the proxy aren't working...
Is it possible to achieve this using haproxy?
-
GregL about 7 years Can you post your full haproxy.cfg?
-
sergio about 7 years ok, I post it now... I asked this question in a haproxy forum and they answered: "You can't load balance UDP with haproxy. That's not what the dns resolvers command in haproxy is for. You'd need a udp load balancer. You can use nginx for this if you do a custom compile."
-
GregL about 7 years Actually, whoever wrote that is exactly right: HAProxy can't load balance UDP. However, your question makes me wonder why you'd want to "protect" these two DNS servers in the first place?
-
sergio about 7 years I am doing this for college... The networks are virtual; I am doing it with VirtualBox, and the DNS servers run bind9. The teacher told us to balance the load and to hide the servers, and that we could balance the load with bind9, but this would be like round-robin. He told us that we could do a more complex balancing with haproxy but, as I can see, it's impossible.
-
sergio about 7 years Hello, thanks for your answer. No, I don't see this line you tell me.
-
sergio about 7 years I know I don't need it, but I want to do it. It's for college. Thanks for your answer.
-
FooBee about 7 years Well, what happens if you go to a client and test a DNS request, e.g. with dig @10.10.24.5 hostname? Also, post your config files and log file entries.
-
sergio about 7 years
; <<>> DiG 9.9.95-9+deb8u10-Debian <<>> @10.10.24.5 proxy
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
-
sergio about 7 years I asked this question in a haproxy forum and they answered: "You can't load balance UDP with haproxy. That's not what the dns resolvers command in haproxy is for. You'd need a udp load balancer. You can use nginx for this if you do a custom compile."
-
Admin almost 2 years Actually some applications only allow you to configure a single DNS server. This is also true for LDAP client configurations, and other "crucial" services. Just because the average client tool or service tool doesn't need this, it doesn't mean that there is no need at all.