Load balancing Umbrella virtual appliances (VAs) is feasible as long as the load balancer meets a couple of key prerequisites.
Currently, we offer only one article with a known working configuration, for the F5 GTM Appliance:
We have not tested other vendors' solutions, but there are two prerequisites that must be met for the virtual appliances to function behind a load balancer.
- The source IP address of the client making the query must be preserved when the query is passed to the virtual appliance.
- The DNS response from the virtual appliance must route back through the load balancer, so that the response appears to the client as coming from the load balancer's address.
If the first prerequisite is not met, the virtual appliances can no longer enforce policy or report based on internal IP addresses, which also means Active Directory integration will no longer function.
If the second prerequisite is not met, the client will drop the response, because it arrives from an address the client did not send the query to.
You can verify whether the source address is preserved by running one of the queries below against the load balancer's address:
Linux or OSX:
dig @<load balancer ip> txt debug.opendns.com
Windows:
nslookup -type=txt debug.opendns.com <load balancer ip>
and checking the line in the response that looks like the following:
debug.opendns.com. 0 IN TXT "fw: source x.x.x.x:xxxx"
If the IP address listed matches the IP address of the machine the query was made from, the load balancer is passing the original source address. If it shows the load balancer's address instead, the load balancer is not preserving the original client source IP, and the VA will not report correctly in the Umbrella dashboard.
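The check above is easy to automate when you have several load balancer VIPs to validate. The shell snippet below is an added example, not code from the Umbrella article or from Cisco: it parses the "fw: source" TXT answer out of dig output and compares the reported address with the querying client's own IP and with the load balancer's IP. The addresses in it (10.1.2.3 for the client, 10.1.0.5 for the load balancer) and the sample answer lines are constructed placeholders, not real output.

```sh
#!/bin/sh
# Added example (not part of the Umbrella article): decide from a dig answer
# whether a load balancer preserved the client's source IP toward the VA.

# Read dig output on stdin and print only the address from the first
# "fw: source <ip>:<port>" TXT record (port stripped); prints nothing if absent.
extract_fw_source() {
    sed -n 's/.*"fw: source \([0-9.]*\):[0-9]*".*/\1/p' | head -n 1
}

# check_source_preserved <client ip> <load balancer ip> < dig-output
# Exit status: 0 = VA saw the client's own IP (source preserved),
#              1 = VA saw the load balancer's (or some other) IP,
#              2 = no "fw: source" record found in the response.
check_source_preserved() {
    client_ip=$1
    lb_ip=$2
    seen=$(extract_fw_source)
    if [ -z "$seen" ]; then
        echo "no 'fw: source' record in response"
        return 2
    elif [ "$seen" = "$client_ip" ]; then
        echo "OK: VA saw client address $seen (source IP preserved)"
        return 0
    elif [ "$seen" = "$lb_ip" ]; then
        echo "FAIL: VA saw load balancer address $seen (source IP not preserved)"
        return 1
    else
        echo "WARN: VA saw unexpected address $seen (NAT or proxy in the path?)"
        return 1
    fi
}

# Constructed sample answer lines with placeholder addresses (not real output).
SAMPLE_GOOD='debug.opendns.com. 0 IN TXT "fw: source 10.1.2.3:54321"'
SAMPLE_BAD='debug.opendns.com. 0 IN TXT "fw: source 10.1.0.5:54321"'

# Live usage against a load balancer (hypothetical addresses):
#   dig @10.1.0.5 txt debug.opendns.com | check_source_preserved 10.1.2.3 10.1.0.5
# Offline demonstration with the constructed samples:
printf '%s\n' "$SAMPLE_GOOD" | check_source_preserved 10.1.2.3 10.1.0.5 || true
printf '%s\n' "$SAMPLE_BAD"  | check_source_preserved 10.1.2.3 10.1.0.5 || true
```

The parser expects dig's answer format (the quoted TXT string on one line); nslookup prints the record as text = "...", so adjust the sed pattern if you feed it nslookup output. A non-zero exit status makes the function usable directly in a monitoring job that flags any VIP whose VA stops seeing real client addresses.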