Using Local DNS Cache

Is this the most efficient way to get DNS requests from clients connected to the private Interface to use the local cache?

[admin@MT-TEST] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   in-interface=private dst-address=212.23.8.1/32 action=redirect
 1   in-interface=private dst-address=212.23.8.6/32 action=redirect

Thanks

Guy

I’d be tempted to try redirecting anything that’s going out to port 53. You need to do this for both TCP and UDP. That way it doesn’t matter what your clients have set as their DNS server addresses.

Regards

Andrew

Hi Andrew,

Yes, that would certainly be an alternative. The only reason I thought the above might be better is if the DNS cache fails or is ‘off-line’ for some reason, everybody would fail over to my upstream DNS servers, if they had the correct addresses. If a client had the incorrect addresses (e.g. I fat fingered them during installation) and the DNS cache failed, they would lose DNS service, and that would be the first time the error was apparent.

I guess it’s half a dozen of one, six of the other, unless one method is faster?

Cheers,

Guy

I’m not sure that they would fail-over as you’re redirecting the DNS addresses. This will happen whether the cache is up or not.

You could just redirect the primary. That way, if the cache is down the clients will fail-over to the secondary which isn’t redirected.

Regards

Andrew
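The two approaches Andrew describes (redirect all port-53 traffic, or redirect only the primary server so clients can still fail over) written out as RouterOS commands; this is an added example, not configuration from the thread. It assumes the current `/ip firewall nat` syntax (chain=dstnat) rather than the older `ip firewall dst-nat` menu shown above, and a WAN interface named `public`; `private` and the two server addresses are taken from the thread.

```routeros
# Added example, not from the thread. Interface "private" and the servers
# 212.23.8.1 / 212.23.8.6 come from the first post; "public" is assumed.

# The router's resolver must be allowed to answer queries from the LAN,
# otherwise redirected queries simply time out.
/ip dns set allow-remote-requests=yes

/ip firewall nat
# Variant A (Andrew's first suggestion): catch every DNS query leaving the
# private interface, whatever server the client is configured with.
# Both protocols are needed: DNS uses UDP normally and TCP for large answers.
add chain=dstnat in-interface=private protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="all DNS (UDP) -> local cache"
add chain=dstnat in-interface=private protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="all DNS (TCP) -> local cache"

# Variant B (Andrew's second suggestion): redirect only the primary server.
# If the cache is down the redirected query times out and the client falls
# over to the secondary (212.23.8.6), which is left untouched, so the cache
# is not a single point of failure. Use A or B, not both.
add chain=dstnat in-interface=private dst-address=212.23.8.1 \
    protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="primary DNS (UDP) -> local cache"
add chain=dstnat in-interface=private dst-address=212.23.8.1 \
    protocol=tcp dst-port=53 action=redirect to-ports=53 \
    comment="primary DNS (TCP) -> local cache"

# allow-remote-requests makes the resolver answer on every interface, so
# drop DNS arriving from the WAN side to avoid running an open resolver.
/ip firewall filter
add chain=input in-interface=public protocol=udp dst-port=53 action=drop \
    comment="no DNS service to the Internet"
add chain=input in-interface=public protocol=tcp dst-port=53 action=drop \
    comment="no DNS service to the Internet"
```

With variant B, a client whose secondary address was mistyped still loses DNS when the cache is down, which is the trade-off Guy raises above.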