DSR and proxy mode comparison - BlueCat DNS Edge

DNS Edge Deployment Guide

To help illustrate how DSR load balancing compares to proxy mode, consider the following examples.
Note: The following examples are simplified to use a single Layer 2 network to illustrate the concept.

Proxy mode

First, here is an example of a typical load balancer configured to use proxy mode. This is probably the most common type of load balancing. In this mode the service points never see the real source IP of the DNS client; every query appears to come from the private-side IP of the load balancer. Any policy, logging or rate limiting on the service point that keys on client IP therefore sees only the load balancer.

Step  Source IP   Source MAC            Destination IP  Destination MAC
1     10.0.0.1    00:01:aa:bb:cc:dd:01  10.0.0.10       00:01:aa:bb:cc:dd:0a
2     10.0.0.11   00:01:aa:bb:cc:dd:0b  10.0.0.100      00:01:aa:bb:cc:dd:64
3     10.0.0.100  00:01:aa:bb:cc:dd:64  10.0.0.11       00:01:aa:bb:cc:dd:0b
4     10.0.0.10   00:01:aa:bb:cc:dd:0a  10.0.0.1        00:01:aa:bb:cc:dd:01

In this example (client 10.0.0.1, VIP 10.0.0.10, load balancer private IP 10.0.0.11, service point 10.0.0.100), the steps are as follows:

  1. The client sends a query to the VIP on the load balancer.
  2. The load balancer selects a server from the farm and initiates its own connection to the server.
  3. The server replies to the load balancer.
  4. The load balancer sends the reply to the client.

In this mode there are two connections: one from the client to the load balancer's public VIP, and one from the load balancer's private IP to the server farm. The load balancer keeps a map of client-side connections to server-side connections and is essentially performing NAT, which is why the client's address is lost before the query reaches a service point.

DSR mode

Now consider the following DSR mode load balancing example. In this mode, the client’s IP is passed through to the server farm. The connection to the servers isn't proxied.

Step  Source IP   Source MAC            Destination IP  Destination MAC
1     10.0.0.1    00:01:aa:bb:cc:dd:01  10.0.0.10       00:01:aa:bb:cc:dd:0a
2     10.0.0.1    00:01:aa:bb:cc:dd:0a  10.0.0.10       00:01:aa:bb:cc:dd:64
3     10.0.0.10   00:01:aa:bb:cc:dd:64  10.0.0.1        00:01:aa:bb:cc:dd:01

In this example (client 10.0.0.1, VIP 10.0.0.10, service point 10.0.0.100; the load balancer's own MAC is 00:01:aa:bb:cc:dd:0a), the steps are as follows:

  1. The client sends a query to the VIP on the load balancer.
  2. The load balancer selects a server from the farm and forwards the packet with only the Ethernet header changed: the destination MAC becomes the selected service point's MAC (and the source MAC is the load balancer's own, as for any forwarded frame). The IP header, including the client's source IP and the VIP as destination, is untouched.
  3. The server replies directly to the client, using the VIP as its source IP, through its default gateway if the client is off-subnet. The reply does not pass back through the load balancer.

The key to making this work is that each service point must have the VIP configured as a secondary address that it does not answer ARP for. This is commonly done on the loopback (lo) interface. With this configuration each service point accepts packets that reach it with the VIP as the destination IP and can answer them with the VIP as the source IP. Because the load balancer distributes traffic at Layer 2 and every request carries the same destination IP, every service point can respond in this way, and reply traffic returns to the client as if it originated from the load balancer's public VIP. Two consequences matter operationally: because the client's source IP reaches the service point unchanged, policies and logging on the service point can key on the real client address; and if a service point did answer ARP for the VIP, it would compete with the load balancer for the address and some clients would reach it directly, bypassing the load balancer.
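The "VIP on loopback, no ARP" setup described above, as an added example that is not part of this guide or of BlueCat's own configuration: a POSIX shell script for a Linux host acting as a DSR real server. It emits the commands that add the VIP to lo as a /32 and set the arp_ignore/arp_announce sysctls used for this purpose, and it provides a pure check function that validates a host's state from the output of `ip -o -4 addr show dev lo` and the two sysctl values, so the check can be run from a script or a monitoring job. The VIP 10.0.0.10 and the interface name eth0 are assumptions taken from the example above; how a DNS Edge service point is actually provisioned is not covered here.

```shell
#!/bin/sh
# Added example (not from the BlueCat page): the classic Linux "VIP on loopback,
# no ARP" configuration a DSR real server needs, plus a pure check function.
# The VIP (10.0.0.10) and NIC name (eth0) are illustrative assumptions.

# Emit the commands that put the VIP on lo as a /32 and suppress ARP for it.
# /32 matters: a wider prefix on lo installs a route for the whole subnet via lo
#   and cuts the host off from its LAN.
# arp_ignore=1: only answer ARP for addresses configured on the interface the
#   request arrived on; lo never receives ARP, so the host stays silent for the VIP.
# arp_announce=2: when the host itself ARPs, use an address of the outgoing
#   interface as source, never the VIP, so switches and the gateway never learn
#   the VIP behind this host's MAC instead of the load balancer's.
dsr_vip_commands() {
    vip="$1"; nic="${2:-eth0}"
    printf '%s\n' \
        "ip addr add ${vip}/32 dev lo label lo:vip" \
        "sysctl -w net.ipv4.conf.all.arp_ignore=1" \
        "sysctl -w net.ipv4.conf.${nic}.arp_ignore=1" \
        "sysctl -w net.ipv4.conf.all.arp_announce=2" \
        "sysctl -w net.ipv4.conf.${nic}.arp_announce=2"
}

# Validate a host's DSR state without touching the system.
# Arguments: VIP, output of `ip -o -4 addr show dev lo`, current arp_ignore value,
# current arp_announce value. Prints each problem found (or "DSR-ready") and
# returns 0 only when every requirement is met.
check_dsr_state() {
    vip="$1"; lo_addrs="$2"; arp_ignore="$3"; arp_announce="$4"
    ok=0
    case "$lo_addrs" in
        *" inet ${vip}/32 "*) ;;
        *" inet ${vip}/"*) echo "VIP present on lo but not /32"; ok=1 ;;
        *) echo "VIP ${vip} missing from lo"; ok=1 ;;
    esac
    [ "$arp_ignore" -ge 1 ] 2>/dev/null || { echo "arp_ignore is ${arp_ignore}, need >=1"; ok=1; }
    [ "$arp_announce" -eq 2 ] 2>/dev/null || { echo "arp_announce is ${arp_announce}, need 2"; ok=1; }
    [ "$ok" -eq 0 ] && echo "DSR-ready"
    return "$ok"
}

# Typical use on a real server (requires root):
#   dsr_vip_commands 10.0.0.10 eth0 | sh
#   check_dsr_state 10.0.0.10 "$(ip -o -4 addr show dev lo)" \
#       "$(sysctl -n net.ipv4.conf.all.arp_ignore)" \
#       "$(sysctl -n net.ipv4.conf.all.arp_announce)"
```

The sysctls are applied both to `all` and to the named interface because the kernel takes the larger of the two values for arp_ignore and arp_announce; setting only `all` is silently overridden by a per-interface value left at 0 by an earlier tool. After applying the configuration, confirm from another host on the subnet that an ARP request for the VIP is answered by the load balancer's MAC alone.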