Cover V11, I04

Listing 1
Listing 2


Geographic Failover for Cheapskates

Rob King

I work for a company whose network carries real-time financial data between banks and customers, so it's absolutely necessary that the network be up 24 hours a day. To ensure reliability, even if the building itself were to burn down, fall over, and sink into the swamp, the company created a Fallback Center. The original plan (before I was hired) was to have the Fallback Center in the data center of our primary ISP. However, what if the ISP were to sink into the swamp as well? The company had also made arrangements that if the primary center went offline, someone would have to call the ISP and have them manually change routing tables to point to the new machines -- the problem with this should be obvious. The problem for me became how to do failover between two locations, on two different ISPs, without any single points-of-failure. We could have had DNS servers at a third location (or two third parties), which would return round-robin answers for all the machines on the network. This wouldn't do though, because we wanted failover, not load-balancing. We could have purchased a DNS-based failover box, but what if this box were cut off from the network? Besides, they're expensive!

The Solution

I registered our primary and secondary DNS servers with the appropriate authority. The primary DNS server would be at the primary location, in the primary location's IP space. The secondary DNS server would be at the Fallback Center, in the Fallback Center's IP space. The secondary would be slaved to the primary, and the primary DNS server's records would point to the primary location's network. The secondary DNS server, because it's slaved, would also point to the primary network.

I then created a script (run by cron on the secondary server) that performs nslookups on a known good host, using the primary as a server. Then, if it can't resolve the known host, the script copies a set of DNS maps (which point to the machines at the Fallback Center) over the original DNS maps and does an ndc restart. Since the primary DNS server is unreachable, all queries must now go to the secondary DNS server, which now points to the Fallback Center. See Listing 1. (All code listings for this article can be found at:

An Example

Assume you have a Web server at the primary location, with the IP address You also have a fallback Web server at the fallback location, with the IP address The nameservers point to A user goes to and gets So far, so good. Suddenly, the sys admin spills his caffienated-beverage-of-choice on the 7206 and the primary center goes offline. The DNS server at the fallback center sees this and copies the DNS maps to the fallback center over the originals, and restarts the nameserver. Another user tries to go to The primary namserver times out, and the user automatically queries the secondary nameserver and gets Problem solved. Local DNS caches could be a problem (but that's a "reload" away) and affect any sort of DNS-based failover. Listing 2 is the script to run when you're ready to fail back to the Primary Center.

Another option is to set up an SNMP daemon on the primary namserver, have machines send SNMP traps for critical issues, and have a script to stop the primary nameserver. You could theoretically use this for any number of Fallback Centers, though the timeout would get to be a problem. To use this for time-of-day routing, place a script in cron on the primary to stop the nameserver at certain times.

I hope this helps you sleep a little better at night. It serves our purposes well, although we thankfully haven't had to use it in a real failover...yet.

Rob King has been a UNIX/Network Administrator37 for four years. He currently is the Network Administrator38 for a banking firm in the Grand Duchy of Luxembourg. Rob would also like to say "hi" to the lovely Lesley.