Global load balancing basics
The global load balancing (GLB) feature is a DNS-based solution that enables you to deploy redundant resources around the globe so that your service stays online when a local area deployment experiences unexpected spikes or downtime. The FortiADC system implements a hardened BIND 9 DNS server that can be deployed as the authoritative name server for the DNS zones that you configure. In this solution, you create a global load balancing framework that accounts for location and health, so that DNS responses direct client requests to a virtual server that is both close to the client and available.
In the framework, location is determined by matching the source IP address of the client query to either the FortiGuard Geo IP database or the FortiADC predefined ISP address book.
Availability is determined by real-time connectivity checking. When the DNS server receives a client request, it checks connectivity for all possible matches and excludes unavailable servers from the response list.
The DNS server supports the following security features:
DNSSEC—Domain Name System Security Extensions. DNSSEC provides authentication by associating cryptographically generated digital signatures with DNS resource record (RR) sets. The FortiADC system makes it easy to manage the keys that must be provided to DNS parent domains and the keys that must be imported from DNS child domains.
Response rate limit—Helps mitigate DNS denial-of-service attacks by reducing the rate at which the authoritative name servers respond to high volumes of malicious queries.
DNS forwarding—In a typical enterprise local area network, the client configuration has the IP address of an internal authoritative DNS server so that requests for internal resources can be answered directly from its zone data. Requests for remote resources are sent to another DNS server known as a forwarder. The internal server caches the results it learns from the forwarder, which optimizes subsequent lookups. Using forwarders reduces the number of DNS servers that must be able to communicate with Internet DNS servers.
Figure 45 shows an example global load balancing deployment with redundant resources at data centers in China and the United States. FortiADC-1 is the local SLB for the data center in China. FortiADC-2 is the local SLB for the data center in the United States. FortiADC-3 is a global SLB. It hosts the DNS server that is authoritative for www.example.com. When a client clicks a link to www.example.com, the local host DNS resolver initiates a DNS query that is ultimately resolved by the authoritative DNS server on FortiADC-3. The set of possible answers includes the virtual servers on FortiADC-1 and FortiADC-2. The global load balancing framework uses location and health status to determine the set of answers that are returned. For example, you can use the global SLB framework to direct clients located in China to the virtual server in China, or, if the virtual server in China is unavailable, to the redundant resources in the United States.
Figure 45: Global load balancing deployment
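The answer selection described for Figure 45, as an added example in Python that is not FortiADC code: the client's source IP is mapped to a region through a constructed address book (standing in for the FortiGuard Geo IP database or ISP address book), virtual servers that failed the connectivity check are dropped from the response, and the remaining answers are ordered closest-first. All server names, IP addresses and prefixes below are constructed.

```python
import ipaddress

# Constructed stand-in for the virtual servers a global SLB learns from its
# local SLBs (names follow Figure 45; addresses are documentation ranges).
VIRTUAL_SERVERS = {
    "FortiADC-1": {"ip": "203.0.113.10", "region": "CN"},
    "FortiADC-2": {"ip": "198.51.100.10", "region": "US"},
}

# Constructed stand-in for the Geo IP / ISP address book: (prefix, region).
ADDRESS_BOOK = [
    (ipaddress.ip_network("10.1.0.0/16"), "CN"),
    (ipaddress.ip_network("10.2.0.0/16"), "US"),
]


def locate(client_ip):
    """Map the query's source IP to a region; None when no prefix matches."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, region in ADDRESS_BOOK:
        if addr in prefix:
            return region
    return None


def resolve(client_ip, health):
    """Build the ordered list of A-record answers for one client query.

    health maps a server name to the result of its latest connectivity
    check (True = reachable).  Unreachable servers are excluded entirely;
    servers in the client's own region are listed first, the rest follow
    in discovery order.  An empty list means every candidate is down.
    """
    region = locate(client_ip)
    available = [
        (name, vs) for name, vs in VIRTUAL_SERVERS.items() if health.get(name)
    ]
    # Stable sort: same-region servers move to the front, others keep order.
    available.sort(key=lambda item: 0 if item[1]["region"] == region else 1)
    return [vs["ip"] for _, vs in available]


if __name__ == "__main__":
    all_up = {"FortiADC-1": True, "FortiADC-2": True}
    cn_down = {"FortiADC-1": False, "FortiADC-2": True}
    print("CN client, all up:  ", resolve("10.1.5.5", all_up))
    print("CN client, CN down: ", resolve("10.1.5.5", cn_down))
    print("US client, all up:  ", resolve("10.2.5.5", all_up))
```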
In Release 4.3, the virtual server IP addresses and ports can be discovered by the FortiADC global SLB from the FortiADC local SLBs. The GLB DNS server uses the discovered IP addresses in the DNS response. The framework also supports third-party IP addresses, and you can use the DNS server for general DNS use cases.
 
Further reading:
BIND 9 reference manuals: http://www.bind9.net/manuals
RFC 4033 (DNSSEC): http://tools.ietf.org/html/rfc4033