Routing by DNS name

I have a Balance One and have a question about the outbound policies that use DNS hostnames. Is this correlating IP addresses by doing a reverse lookup only? I ask because I am trying to balance (1:1 weights) for game and content download for my xbox. The hostname that the xbox uses never matches up to a reverse lookup since the content is coming from a CDN. The following names are fictional since I don’t want to break any TOS with Xbox live.

Let’s say the xbox downloads game titles from games.xbox.com. When I try to use this as the DNS name for outbound policy - it doesn’t work. I see the connections in the active sessions on the wrong WAN. I always wait a full minute after applying config changes to make sure that I don’t have any persistent sessions getting it stuck.

What I think is happening is the following…
Xbox requests DNS entry for games.xbox.com
Xbox gets results that look like
games.xbox.com -> someserver.region.xbox.cdn.com -> actualserver.cdn.net -> 25.25.25.25
Xbox makes request to 25.25.25.25 -
Peplink does reverse lookup and sees actualserver.cdn.net (which doesn’t match the rule)
Peplink routes down wrong WAN

Basically, even though the Peplink is what told the Xbox that games.xbox.com is 25.25.25.25; it doesn’t know the information when it is time to do the routing for that host. I tested my theories by changing the domain name in the outbound policy to match what is returned with the reverse lookup and my traffic was balanced as expected. This is not ideal since the Xbox can use several different CDNs, but they will all be a product of the forward resolved address for games.xbox.com.

Any help is appreciated.

Hi. I’m wondering if you can “steer” the outgoing connection to the desired WAN on the basis of PORT. Would that not work?

Unfortunately no, it is all port 80 traffic. I tried, and it did work. However, much more than I wanted “balanced” this way ended up being routed in a round-robin fashion. I would get all kinds of weird issues across multiple applications. I guess people have built logic inside their dispersed applications that is not expecting multiple IP addresses for a single client.

I was afraid you were going to say that (port 80). :expressionless:

What you think is correct. We will look into this and need time to study the feasibility to achieve this.

Can you help to add these 2 outbound rules (I assume the domains are correct) as a workaround to confirm this helps?

1 Like

Since you are trying to balance traffic from the xbox specifically, can’t you have a rule based on its IP as the source and ignore destination? Or does that negatively affect other apps on the xbox?

1 Like

It does work, but some components of the matchmaking system depend on a single WAN and varying and sometimes ethereal ports.

I have tried almost every conceivable combination with varying levels of success. None of them were perfect. I thought that finding the actual root pointer was going to get me something, but I guess not.

It seems to me that IF the router is being used as a caching DNS server, it should maintain an internal reverse lookup table based upon query results returned to clients. It should use this information when possible. It does not guarantee there won’t be incorrectly routed connections due to the same IPs of CDNs being used by multiple host names. This could be mitigated by including/indexing this internal reverse lookup cache by WAN and then by the source IP that originally requested the lookups. The TTL could be set to 1 second less than the forward lookup that exists in the cache already.

The problem is that the application’s URL pointer seldom matches the reverse DNS lookup information in today’s cloud-based service delivery model. In fact the reverse lookup is typically a non-identifying server name that may be used by cloud admins (maybe). Sometimes it is a generic DHCP reservation type record. The valuable record is the originating query, since subsequent connections will have been derived from it.

Does anybody else use outbound routing by DNS name? This seems like such a great way to balance traffic. Unfortunately, the way it is currently implemented does not work. Very rarely does a reverse lookup yield the actual domain name of the website that you are talking to.

youtube.com resolves by forward lookup to 216.58.193.206. A reverse lookup of 216.58.193.206 yields the name 206.193.58.216.in-addr.arpa with an alias of lax02s23-in-f206.1e100.net. So, if I wanted to do simple routing for all YouTube traffic, I would have to set up individual outbound policies for every possible network that has YouTube servers in it, and then keep it all up to date and current as the YouTube pointers move around.

This is a huge deficiency. Maybe it worked 10-15 years ago when servers only ran one website, but in the cloud-based world with dispersed datacenters and DNS trickery happening everywhere, it doesn’t work. Should I submit a feature request to spend some time on engineering a forward-resolution-based approach?
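The mechanism described in the earlier post (forward lookup follows a CNAME chain to a CDN address, the reverse lookup of that address returns an unrelated name) and the proposed fix in this one (the router's caching resolver records the names it handed out, keyed by requesting client, with a TTL one second shorter than the forward record) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not Peplink code and not a description of how the Balance One actually implements DNS-name policies. The zone data, PTR records and client addresses are constructed; the only real values are the youtube.com address and PTR name quoted above. The matching also accepts a parent domain rule (a rule for `xbox.com` matching `games.xbox.com`), which is an assumption about how such a rule would be written, not something the thread states.

```python
"""Simulated forward-resolution cache for DNS-name outbound policies.

Contrast: match_policy_reverse() is the PTR-based matching the thread
says fails for CDN-hosted names; ForwardCache + match_policy() is the
proposed alternative that remembers what the resolver told each client.
"""
import time

# Constructed forward zone: name -> (record type, target, TTL seconds).
# The CNAME chain mirrors the fictional chain in the original post.
ZONE = {
    "games.xbox.com": ("CNAME", "someserver.region.xbox.cdn.com", 300),
    "someserver.region.xbox.cdn.com": ("CNAME", "actualserver.cdn.net", 120),
    "actualserver.cdn.net": ("A", "25.25.25.25", 60),
    "youtube.com": ("A", "216.58.193.206", 300),
}

# Constructed reverse zone: what a PTR query would return for each address.
PTR = {
    "25.25.25.25": "actualserver.cdn.net",
    "216.58.193.206": "lax02s23-in-f206.1e100.net",
}


def _name_matches(rule, name):
    """A rule matches the exact name or any subdomain of it (assumption)."""
    return name == rule or name.endswith("." + rule)


class ForwardCache:
    """Records every name in a resolved CNAME chain against the final IP,
    indexed by the client that asked, so a later connection from that
    client to that IP can be attributed to the name it originally queried."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable for deterministic tests
        self._by_ip = {}              # (client_ip, dest_ip) -> {name: expiry}

    def resolve(self, client_ip, qname):
        """Follow the CNAME chain like a caching resolver and return the A
        record; the cache entry expires 1 s before the shortest forward TTL."""
        chain, name, min_ttl = [qname], qname, None
        while True:
            rtype, target, ttl = ZONE[name]
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            if rtype == "CNAME":
                chain.append(target)
                name = target
                continue
            dest_ip = target
            break
        expiry = self.clock() + max(min_ttl - 1, 0)
        entry = self._by_ip.setdefault((client_ip, dest_ip), {})
        for n in chain:
            entry[n] = expiry
        return dest_ip

    def names_for(self, client_ip, dest_ip):
        """Live names this client was told resolve to dest_ip; expired
        entries are dropped so stale CDN mappings do not linger."""
        entry = self._by_ip.get((client_ip, dest_ip), {})
        now = self.clock()
        for n in [n for n, exp in entry.items() if exp <= now]:
            del entry[n]
        return set(entry)


def match_policy(rule_name, client_ip, dest_ip, cache):
    """Forward-cache matching: true if the client resolved a name covered
    by the rule to dest_ip and that answer has not expired."""
    return any(_name_matches(rule_name, n)
               for n in cache.names_for(client_ip, dest_ip))


def match_policy_reverse(rule_name, dest_ip):
    """PTR-based matching: only the reverse name is consulted."""
    ptr = PTR.get(dest_ip)
    return ptr is not None and _name_matches(rule_name, ptr)


if __name__ == "__main__":
    cache = ForwardCache()
    xbox = "192.168.1.50"                      # constructed client address
    ip = cache.resolve(xbox, "games.xbox.com")
    print("forward match:", match_policy("games.xbox.com", xbox, ip, cache))
    print("reverse match:", match_policy_reverse("games.xbox.com", ip))
```

Running it as a script prints a forward match of True and a reverse match of False for the games.xbox.com rule, which is exactly the mismatch the thread describes. Keying the cache by client address is what limits the damage when two unrelated names share a CDN address: a second client that never asked for games.xbox.com gets no match, and once the shortened TTL passes the mapping disappears rather than steering traffic on stale data.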

@jmjones, we have filed the request for this. The engineering team will look into this.

1 Like

Was this feature ever implemented? I’m looking for the same functionality so I can route my Zoom call traffic over a specific WAN. Given everyone working at home right now, I suspect everyone would much rather have a rule for “zoom.us” rather than individual rules for the IP ranges here:
https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom
@TK_Liew, is there anything that can be done?

Being able to import a list with a textbox - just like this box in which I’m typing this message - would be a fantastic improvement. Copy/Paste/Apply - done.