Using IP aliases, was: named.conf: query-source address
cswiger at mac.com
Thu Jul 17 20:20:24 UTC 2008
On Jul 17, 2008, at 7:00 AM, Eugene Grosbein wrote:
>> About the only common reason to set up multiple aliases on an
>> interface is when you're doing something like hosting multiple SSL
>> webservers on a single box which actually need to have distinct IPs
>> as a consequence. Other than that, using public IPs for aliases is
>> usually wasteful of IP address space. YMMV...
> Think about multiple IP-based services (not HTTP "virtual" servers)
> at one physical host that should use distinct IP addresses
> for some reasons (local policy/billing/monitoring/etc.)
I'll reply to this particular message, but let me generalize against
some of the other responses as well.
If your organization does billing based on traffic, or wants to do
traffic shaping or bandwidth limitation, great; but IPFW+Dummynet or
PF+ALTQ don't care whether you recognize traffic by IP alone or by
IP+port(s), so long as the ports are distinct for each billing category
or packet queue you want to run.
If you want to organize specific services on specific ports which have
different backend hosts handling them to distribute load or allow you
to rebalance your hardware to meet changing demand, by all means. You
can have a hardware load-balancer like a NetScaler, or even use the
RFC-2391 capabilities of IPFW+natd or "RDR ROUND ROBIN" with PF. But
if you do that, you might as well put the actual backend machines on a
RFC-1918 subnet and you might well end up using fewer public IPs than
you would if all machines had public IPs.
I don't have any problem with people deciding for themselves how they
want to manage their services and their networks. It's just that, too
often, people use IP aliases to do things like make a single physical
machine appear as two so they don't actually bother to provide two
actual machines for hosting DNS services with proper redundancy. Even
for the shared webhosting case, where you need separate IPs per SSL
cert as HTTPS doesn't support name-based virtual hosts, I'm a little
dubious about the notion that having a single machine hosting lots of
distinct websites, probably for different clients, is a good idea from
the standpoint of security.
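As an added illustration (not a configuration from the thread or its author), here is a pf.conf in the FreeBSD 7-era syntax that does the two things the post describes: ALTQ queues keyed by port rather than by IP alias, and an rdr round-robin pool that spreads one public address across backends on an RFC-1918 subnet. Interface names, bandwidths and the 10.0.0.0/24 backend addresses are constructed placeholders.

```pf
# Constructed example pf.conf; em0/em1 and all addresses are assumptions.
ext_if = "em0"                           # public-facing interface
int_if = "em1"                           # interface to the RFC-1918 backend subnet
www_pool = "{ 10.0.0.11, 10.0.0.12 }"    # private HTTP/HTTPS backends
dns_pool = "{ 10.0.0.21, 10.0.0.22 }"    # private DNS backends

# Accounting/shaping per service is done by port, so one public IP suffices.
altq on $ext_if cbq bandwidth 100Mb queue { q_web, q_dns, q_default }
queue q_web     bandwidth 60% cbq(borrow)
queue q_dns     bandwidth 10% cbq(borrow)
queue q_default bandwidth 30% cbq(default)

# One public address is redirected round-robin to the private pools.
# sticky-address pins a client to one backend for the life of its states,
# which keeps an HTTPS session on the same machine.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } \
    -> $www_pool round-robin sticky-address
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 \
    -> $dns_pool round-robin

# Filter rules see the translated (backend) destination after rdr.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $www_pool port { 80, 443 } \
    flags S/SA keep state queue q_web
pass in on $ext_if proto { tcp, udp } from any to $dns_pool port 53 \
    keep state queue q_dns
pass out on $int_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsq` shows per-queue counters, which is the per-service accounting the post says does not require separate aliases.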