Dynamic DNS with Failover Load-Balancing

Here’s the scenario: dual WANs configured for failover load-balancing. Firewall / DNAT rules are in place allowing either interface to be used for incoming connections, and Dynamic DNS is configured on eth6 for wan1.domain.com and on eth7 for wan2.domain.com.

Problem: active-wan.domain.com should resolve to whichever WAN is currently active. Web-check can’t be used on the eth6 / eth7 entries, because the load-balancing policies also apply to traffic originating from the router, so wan1 and wan2 would both always be set to the active interface’s IP.

Solution: At first I thought it would be necessary to create a transition-script for the load-balancing policy to update active-wan outside of ddclient during a transition, but I realized that I was overthinking the problem.

What I ended up doing was creating an additional DDNS entry on a separate interface for domain.com, which uses a web-check.

set service dns dynamic interface eth5 web dyndns
set service dns dynamic interface eth5 service custom-lb host-name active-wan.domain.com
set service dns dynamic interface eth5 service custom-lb login user
set service dns dynamic interface eth5 service custom-lb options zone=domain.com
set service dns dynamic interface eth5 service custom-lb password pass
set service dns dynamic interface eth5 service custom-lb protocol cloudflare
set service dns dynamic interface eth5 service custom-lb server www.cloudflare.com

This exploits the load-balancing of the router’s own traffic to discover the correct IP for active-wan: the web-check request leaves through whichever WAN is active, so the address it reports is that WAN’s public IP. During a failover transition, ddclient will automatically detect that the IP has changed and update active-wan; no transition-script is necessary.

Note: Do not use web-check for weighted load-balancing. The router’s outbound web-check requests would be spread across both WANs, so the record will constantly flap between WAN IPs.
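As an added check that is not part of the original post, the script below spots that flapping symptom from ddclient’s own log lines, so a mis-applied web-check (or an unexpectedly unstable WAN) is noticed rather than silently breaking inbound connections. It assumes ddclient’s usual syslog message format, shown in the comments, and the log samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: count how often ddclient changed a
# hostname's address and flag flapping. Assumed input line format (ddclient's
# success message as it appears in syslog):
#   ... ddclient[PID]: SUCCESS:  updating HOST: good: IP address set to ADDR

# Print how many times HOST's recorded address changed in the log on stdin.
count_ip_changes() {
    awk -v host="$1" '
        index($0, "updating " host ":") && /IP address set to/ {
            ip = $NF                       # the address is the last field
            if (prev != "" && ip != prev) changes++
            prev = ip
        }
        END { print changes + 0 }          # +0 prints 0 when nothing matched
    '
}

# Succeed (exit 0) when HOST changed address more than LIMIT times (default 2),
# i.e. more than one failover plus one fail-back would produce.
is_flapping() {
    host=$1
    limit=${2:-2}
    n=$(count_ip_changes "$host")
    [ "$n" -gt "$limit" ]
}

# Constructed sample logs; addresses are documentation ranges, not real WANs.
SAMPLE_FLAPPING='Jan  1 00:00:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 203.0.113.10
Jan  1 00:05:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 198.51.100.20
Jan  1 00:05:01 gw ddclient[411]: SUCCESS:  updating wan1.domain.com: good: IP address set to 203.0.113.10
Jan  1 00:10:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 203.0.113.10
Jan  1 00:15:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 198.51.100.20
Jan  1 00:20:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 203.0.113.10'

SAMPLE_FAILOVER='Jan  1 00:00:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 203.0.113.10
Jan  2 09:30:01 gw ddclient[411]: SUCCESS:  updating active-wan.domain.com: good: IP address set to 198.51.100.20'

# Report on a sample log: prints "flapping" or "stable" for active-wan.domain.com.
report() {
    if printf '%s\n' "$1" | is_flapping active-wan.domain.com; then
        echo flapping
    else
        echo stable
    fi
}
```

On the router itself, pipe the real ddclient lines into the same function, e.g. `grep ddclient /var/log/messages | is_flapping active-wan.domain.com` (log path assumed), and alert when it succeeds.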
