Because of the bandwidth bottleneck between CERNET and CHINANET, many colleges and universities adopt a dual-egress solution that connects to CERNET and CHINANET at the same time, in order to improve the campus network's Internet access speed and reduce the cost of network use.
The campus network of Northwest Agriculture and Forestry University uses such a dual-egress solution. One link is connected to CERNET with a bandwidth of 8 M, and the other is connected to the telecom network with a bandwidth of M. Dual egress does solve the problem of slow Internet access from the campus network, but it makes the opposite problem, slow access to the campus network from the public network, more prominent. Normally the campus network servers use education-network domain names and IP addresses, so all access to them must pass through the CERNET link. Although the campus network has a high-speed CHINANET link, Internet users can only reach campus network resources through the bandwidth-limited education-network link, which is a serious waste of the CHINANET egress link. Adding a second set of domain names and servers would solve this problem, but it increases expenditure and the campus network's domain names would no longer be unified.
Taking the campus network of Northwest Agriculture and Forestry University as its basis, this paper discusses a solution to the above problem that adds neither domain names nor servers.
Policy-based domain name resolution
DNS (Domain Name System) converts between host domain names and host IP addresses: when a domain name is entered in an application, the DNS server resolves it to the corresponding IP address. Resolution on such a DNS server is generally static, that is, domain names and IP addresses correspond one-to-one.
As networks grow and new applications appear, static DNS can no longer meet every need, and dynamic domain name resolution techniques have emerged. Before turning to policy-based resolution, consider two DNS resolution methods that look like it but are not.
First, multiple domain names corresponding to one IP address. This is generally used to implement virtual hosts: a single IP address serves several sites with different domain names, which is useful when IP address resources are scarce but multiple sites are wanted.
Second, one domain name corresponding to multiple IP addresses. This is a way of achieving server load balancing in the name service configuration; the DNS configuration file typically contains entries like:

    www.youdomain.edu.cn IN A 210.27.80.4
    www.youdomain.edu.cn IN A 210.27.80.5
    ......
    www.youdomain.edu.cn IN A 210.27.80.N

This applies to multiple servers with identical content. The DNS server answers requests in round-robin fashion: the first request gets 210.27.80.4, the next gets 210.27.80.5, and so on.
Although the two methods above can resolve one domain name to several different IP addresses, or several different domain names to one IP address, they still do not count as policy-based resolution. Policy-based resolution is much more intelligent: it works from policies, so the DNS server can return different results depending on the network the client is on, or apply different security policies to different client networks, for example providing recursive resolution to intranet users while refusing the recursive requests of Internet users.
Implementation of policy domain name resolution
Related configuration: take the WWW server as an example. Its domain name is www.nwsuaf.edu.cn and it has two NICs, one with the education-network IP address (210.27.80.4) and the other with the telecom-network IP address (61.150.47.6).
Goal: for a resolution request for www.nwsuaf.edu.cn coming from CERNET, the DNS server returns 210.27.80.4; for a request from any other network it returns 61.150.47.6. In this way non-CERNET users reach the campus WWW server directly over China Telecom's high-speed link.
1. DNS Server Configuration
On Unix/Linux the mainstream DNS software has always been Berkeley's BIND (Berkeley Internet Name Domain). Policy-based resolution cannot be implemented in BIND 8 or earlier, but BIND 9 introduced the view statement, which solves this problem well.
The main contents of the /etc/named.conf file are as follows (views are matched in the order they appear, so the restrictive CerNet view must come before the catch-all ChinaNet view):

    acl edu-nets { 210.27.0.0/16; 202.117.0.0/16; /* ... */ };   // list of all CERNET network segments
    options {
        directory "/var/named";       # data file storage path
        pid-file "/var/named.pid";
    };
    view "CerNet" {                   # define the view for CERNET clients
        match-clients { edu-nets; };
        recursion yes;                # recursive resolution
        zone "." { type hint; file "named.ca"; };
        zone "0.0.127.IN-ADDR.ARPA" { type master; file "127.0.0"; };
        zone "nwsuaf.edu.cn" { type master; file "nwsuaf.edu.cn.cernet"; };   # CERNET resolution file
        zone "80.27.210.in-addr.arpa" { type master; file "210.27.80"; };      # reverse resolution file
    };
    view "ChinaNet" {                 # define the view for all networks except CERNET
        match-clients { any; };
        recursion no;                 # disable recursive resolution
        zone "." { type hint; file "named.ca"; };
        zone "0.0.127.IN-ADDR.ARPA" { type master; file "127.0.0"; };
        zone "nwsuaf.edu.cn" { type master; file "nwsuaf.edu.cn.public"; };   # public network resolution file
        zone "47.150.61.in-addr.arpa" { type master; file "61.150.47"; };      # reverse resolution file
    };

Then create the zone files nwsuaf.edu.cn.cernet and nwsuaf.edu.cn.public under /etc/named. In nwsuaf.edu.cn.cernet add the A record:

    www.youdomain.edu.cn IN A 210.27.80.4

and in nwsuaf.edu.cn.public add the record:

    www. youdoma

After this configuration, policy-based domain name resolution works properly. The list of CERNET CIDR blocks can be obtained from CERNET (http://www.edu.cn/).
2. WWW Server Configuration
Finally, to match the DNS server settings, the two NICs of the WWW server must also be configured:
1) Configure the two NICs. The first (eth0): IP address 210.27.80.4, mask 255.255.255.0, gateway 210.27.80.1. The second (eth1): IP address 61.150.47.6, mask 255.255.255.255, gateway 61.150.47.30.
2) Add the routes:

    route add -net 210.27.112.0 netmask 255.255.248.0 dev eth0    # route to CERNET
    route add -net 202.117.176.0 netmask 255.255.240.0 dev eth0   # route to CERNET
    ......
    route add default gw 61.150.47.30 dev eth1                    # default route to the telecom network

It is best to put the above commands into the /etc/rc.d/rc.local script so that the routes are loaded when the system starts. With this configuration the WWW server works normally, and Internet users reach the campus WWW server over the telecom high-speed link.
If conditions permit, two servers can be configured, one for each network segment, with even better results. When the server's access volume is small this wastes resources, however, so when the access volume is not large a single server with dual NICs is a good solution.
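As an added example (not code from the original article), the following Python models the two mechanisms above, BIND's ordered view selection with its per-view recursion policy and the WWW server's longest-prefix routing, and cross-checks the edu-nets ACL against the eth0 routes: any CERNET prefix without an eth0 route is handed 210.27.80.4 by DNS but answered over the telecom link. The ACL entries, records and routes are constructed from the values in the article; the two route prefixes stand in for the full list the article elides.

```python
import ipaddress

# Constructed sample data mirroring the article's setup; not a live configuration.
EDU_NETS = ["210.27.0.0/16", "202.117.0.0/16"]   # acl edu-nets { ... } in named.conf
VIEWS = [  # BIND evaluates views in order; the first match-clients hit wins
    {"name": "CerNet", "match": EDU_NETS, "recursion": True,
     "records": {"www.nwsuaf.edu.cn": "210.27.80.4"}},
    {"name": "ChinaNet", "match": ["0.0.0.0/0"], "recursion": False,
     "records": {"www.nwsuaf.edu.cn": "61.150.47.6"}},
]
ROUTES = [  # (destination prefix, interface) from the WWW server's routing table
    ("210.27.112.0/21", "eth0"), ("202.117.176.0/20", "eth0"), ("0.0.0.0/0", "eth1"),
]

def select_view(client_ip, views=VIEWS):
    """Return the first view whose match-clients list contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for view in views:
        if any(ip in ipaddress.ip_network(net) for net in view["match"]):
            return view
    raise LookupError("no view matched; keep a catch-all view last")

def resolve(client_ip, name, views=VIEWS):
    """Answer as the split-horizon server would: (view name, A record or verdict)."""
    view = select_view(client_ip, views)
    if name in view["records"]:              # authoritative data in this view
        return view["name"], view["records"][name]
    # Not our zone: only a view with 'recursion yes' looks it up for the client;
    # refusing outside clients keeps the server from acting as an open resolver.
    return view["name"], "RECURSE" if view["recursion"] else "REFUSED"

def egress_interface(dst_ip, routes=ROUTES):
    """Longest-prefix match over the server's routes (the default route is /0)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(p).prefixlen, dev) for p, dev in routes
               if ip in ipaddress.ip_network(p)]
    return max(matches)[1]

def acl_gaps(acl=EDU_NETS, routes=ROUTES):
    """CERNET space with no eth0 route: DNS hands those clients 210.27.80.4, but the
    server's replies to them leave via eth1 (asymmetric routing)."""
    eth0 = [ipaddress.ip_network(p) for p, dev in routes if dev == "eth0"]
    gaps = []
    for entry in acl:
        remaining = [ipaddress.ip_network(entry)]
        for r in eth0:   # carve every eth0 route out of the ACL prefix
            remaining = [piece for net in remaining for piece in
                         ([] if net.subnet_of(r) else
                          list(net.address_exclude(r)) if r.subnet_of(net) else [net])]
        gaps.extend(str(net) for net in remaining)
    return gaps
```

With only the two sample routes, acl_gaps() lists the parts of both /16 ACL entries that would still be answered over eth1; once every CERNET prefix has an eth0 route it returns an empty list.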
Summary
Using BIND 9.3.1 on the Red Hat Linux operating system, this article implements dynamic domain name resolution and solves the problem of slow access to the campus network from the Internet. Although this is only a simple application of dynamic domain name resolution technology in a dual-egress campus network, it gives a full sense of the power of the new BIND 9.0, which should play an even greater role in larger and more complex networks.