03-09-2021 – ISP Failover
By: Eric McIntyre, CloudFloorDNS
For most small to medium businesses, there are almost always some on-prem (on-premises, or in-building) services hosted at “HQ” or at satellite offices. Many of these services are used by remote employees or external customers, and both groups need them up and running for the business to operate. Common examples of on-prem hosted services are VPN, OWA (Outlook Web Access), WWW, FTP, ADFS, databases, sales tools, etc.
The biggest issue with hosting these on-prem services behind a single ISP is downtime. Downtime is expensive – just a single VPN outage can knock your remote employees offline and put a stop to your business. Hosting your website on-prem too? Now you are also losing sales, and both your remote employees and your customers are calling your helpdesk and in-house IT to figure out what’s going on. It’s a downward spiral from here and can cost much more than money. Don’t forget the intangible effects: angry customers, damage to your brand and reputation, and more. So yes, downtime is expensive in more ways than one!
Relying on a single ISP to host your on-prem services is like playing the lottery: it may never go down for an extended period, or Murphy’s law will have a car hit a telephone pole up the street and snap it in half, knocking your ISP out for 12+ hours during your busiest season of the year. An ice storm can knock out power for even longer; 10 days or more is possible, just ask New Englanders or, more recently, some Texans.
As you can see from the above scenarios, downtime is the main reason many small to medium businesses add a second ISP to the building. Having dual ISPs and the appropriate dual-WAN hardware (SonicWall, Cisco, Fortinet and others) will automatically fail over from ISP1 to ISP2 in the event of a failure on the primary ISP connection.
Oh No Mr Roboto
One big problem with this scenario is that the DNS for these domains and services does not fail over – only your hardware switches over automatically. Unless you have DNS Failover, your DNS records keep pointing at the old IP address until your DNS administrator or IT guy makes the change. If this happens in the middle of the night, on a weekend, or worse, during vacation time with the family, it could take quite a while to get this changed over.
The second big issue is the DNS provider hosting the domain these services are attached to. Most registrar or “vanilla DNS” providers do not offer low cache times, known as TTL or Time to Live. Every DNS record has this setting, and if you have an IP address that never goes down and never needs to move, it can be set high, even 14400 seconds (4 hours) or higher.
The need to be fast & nimble
Let’s say your provider doesn’t let you set a TTL below 30 minutes, or 1800 seconds. Now, no matter how fast you make the update, it could take someone 30 more minutes to get the new IP address, since DNS servers “cache” or remember the previous IP for the full TTL.
Managed DNS providers like CloudFloorDNS and others offer a very low TTL setting, typically 30 seconds. By setting your VPN.Example.com record to 30 seconds, a caching DNS server won’t hold this record for longer than 30 seconds before it comes back to us to request the IP address again. Combine this low TTL with monitoring from multiple locations (our Netmon monitoring platform) and DNS Failover, and you have the missing piece of the puzzle: your hostnames flip over automatically! When your primary ISP comes back up, you can even have DNS Failover move everything back and notify you.
Our ISP Failover service allows you to monitor an IP or hostname. We PING the gateway of your primary ISP every minute from several locations, a minimum of 3 geographically distributed locations on different networks. Each monitor location reports back to the master, and when 2 or more report the gateway down, we initiate the failover rules that YOU set. Each failover “test” attaches itself to 1 DNS zone. So let’s say Example.com is hosted on our DNS and you want to enable Failover for that domain.
You host VPN, WWW, and OWA on-prem on example.com and need to fail over to the backup ISP’s IP range when ISP1 goes down. You set up the failover test, and it gives you access to the zone file to select which hostnames to move on this failover, exactly like the example below. There is no additional cost as long as the CNAME or A record lives within example.com, the zone that the test “attaches” to.
VPN.example.com primary is 220.127.116.11 and upon failure moves to 18.104.22.168
WWW.example.com primary is 22.214.171.124 and upon failure moves to 126.96.36.199
OWA.example.com primary is 188.8.131.52 and upon failure moves to 184.108.40.206
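As an added example (not CloudFloorDNS code or its Netmon platform), here is a minimal model of the monitor quorum and record flip described above, using the article’s example.com hostnames and addresses. The probe location names, the gateway address 192.0.2.1 and the simplified worst-case staleness bound are assumptions of this example.

```python
# Added example (not CloudFloorDNS code) modelling the monitor-quorum DNS failover
# above. Probe names, gateway address and staleness bound are assumptions;
# the hostnames and addresses are the article's example.com records.
from dataclasses import dataclass
PROBE_LOCATIONS = ("probe-a", "probe-b", "probe-c")  # constructed: 3 separate networks
DOWN_QUORUM = 2        # "when 2 or more go down" -> initiate the failover rules
PROBE_INTERVAL_S = 60  # the gateway is PINGed "every 1 minute"
LOW_TTL_S = 30         # TTL the article recommends for failover records

@dataclass
class FailoverRecord:
    name: str     # hostname inside the zone the test attaches to
    primary: str  # A record served while ISP1 is up
    backup: str   # A record served after failover to ISP2

@dataclass
class FailoverTest:
    """One test per zone: a monitored gateway plus the A records that flip together."""
    gateway: str
    records: list
    failed_over: bool = False

    def evaluate(self, probe_results: dict) -> str:
        """probe_results: location -> True if its PING of the gateway succeeded.
        Returns 'failover', 'failback' or 'no-change'; a missing probe counts as down."""
        down_votes = sum(1 for loc in PROBE_LOCATIONS if not probe_results.get(loc, False))
        if down_votes >= DOWN_QUORUM and not self.failed_over:
            self.failed_over = True
            return "failover"
        if down_votes < DOWN_QUORUM and self.failed_over:
            self.failed_over = False
            return "failback"
        return "no-change"

    def zone(self) -> dict:
        """A records the DNS should currently serve for the attached hostnames."""
        return {r.name: (r.backup if self.failed_over else r.primary) for r in self.records}

def worst_case_staleness_s(ttl_s: int = LOW_TTL_S, interval_s: int = PROBE_INTERVAL_S) -> int:
    """Simplified bound on how long a client can still get the old IP: one probe interval
    to detect the outage plus one TTL for resolvers that cached just before the flip."""
    return interval_s + ttl_s

def example_test() -> FailoverTest:
    """The article's example.com records; gateway 192.0.2.1 is a constructed placeholder."""
    return FailoverTest("192.0.2.1", [
        FailoverRecord("VPN.example.com", "220.127.116.11", "18.104.22.168"),
        FailoverRecord("WWW.example.com", "22.214.171.124", "126.96.36.199"),
        FailoverRecord("OWA.example.com", "188.8.131.52", "184.108.40.206"),
    ])
```

With a 1800 s TTL the bound comes out at 1860 s; with the 30 s TTL it is 90 s, which is the difference the article is arguing for.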
See how easy it is? It’s the combination of the right DNS provider, monitoring, and DNS failover technology that keeps your on-prem services up and available for your employees and customers. At only $50 a month for our Bronze Anycast DNS plan (which includes Failover), it’s a very small price to pay for the uptime insurance it provides!