Policy Based Routing and DNS

Started by devilnuts, January 07, 2016, 11:44:09 AM


devilnuts

Someone asked me about this yesterday, and I wanted to see if it is possible:

This guy has built multiple tunnels on his router terminating on three separate continents. He wants to configure the router to direct traffic over specific links based on destination, and what he was describing to me sounded very much like PBR. However, he wants to do this using DNS domains instead of IP.

I'm having trouble figuring out how this can be done on a router, since ACLs don't seem to have an inherent mechanism for identifying traffic based on anything higher than layer 4.

The Question:

Can PBR be performed using destination web domains vice IP address? If no, is there instead another function on the router that will accomplish this?

If the router can't do what he's looking for, what would a good third-party solution be?

deanwebb

I've never known a layer 3 device to use DNS info for routing decisions. It's kinda all based on IP addresses.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Look at IWAN/pfrv3 and other sdwan solutions

Reggle

DNS and routing = no go. However, I wonder why on earth he'd need that. DNS names can float around the network for all I care, but IP subnets should remain geographically static. Sounds to me like he's overengineering something.
And if you're talking about dynamic public IP addresses with DynDNS, that's DMVPN you're looking for.

wintermute000

I like the way you think. I've run into the second scenario before (i.e. customer who knew just enough to be dangerous, and assumed the way to VPN to a dynamic IP was via dynamic DNS).

Don't forget, PBR requires both ways to be setup :)

Eventually (esp with multiple tunnels) it becomes such a pain that you're much better off with GRE over IPSEC and then running a routing protocol (or better still mGRE i.e. DMVPN). Would still work with static VTI tunnels, doesn't need to be dynamic.