DNS-first global load balancing.
Not a service mesh. Not a proxy. Just intelligent DNS.
Enterprise GSLB without the enterprise tax
| Feature | F5 GTM | NetScaler | Route53 | Cloudflare | Consul | OpenGSLB |
|---|---|---|---|---|---|---|
| Self-hosted / Data sovereignty | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| No vendor lock-in | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Geolocation routing | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Latency / RTT-based routing | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| EDNS Client Subnet (ECS) | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Weighted failover chains | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Predictive health checks | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Agent-side failure prediction | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| External health validation | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| DNSSEC support | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Server management API | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Gossip-based state sync | ✓ | ✓ | N/A | N/A | ✓ | ✓ |
| Open source | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Annual cost | $50K-$250K | $20K-$100K+ | Pay/query | $200+/mo | Free | Free |
| Setup complexity | High | High | Low | Low | Medium | Low |
OpenGSLB uses a simplified two-component architecture. Agents run alongside your applications, monitoring local health and gossiping state to Overwatch nodes. Overwatches serve authoritative DNS and independently validate agent claims: no complex consensus protocols, no VIP management; redundancy comes from DNS clients retrying against the next Overwatch.

- Agents gossip to all Overwatch nodes
- Each Overwatch operates independently
- DNS clients retry on failure
Unlike other solutions where security is optional, OpenGSLB enforces security by default with no opt-out for critical features.
All agent-to-Overwatch communication is encrypted with AES-256. There is no "disable encryption" option: OpenGSLB will not start without a valid encryption key.
Agents authenticate with a service token on their first connection, after which their certificate is pinned. A token compromised later therefore cannot be used to impersonate an already enrolled agent.
DNSSEC signing with NSEC3 to prevent zone enumeration. Includes automatic key generation, inter-Overwatch key synchronization, and configurable algorithms.
Four-level trust model: Agent claims → Overwatch validation → External tools → Human override. Overwatch external checks always win over agent claims.
API and metrics endpoints are protected by IP allowlists by default: access is localhost-only unless network access is explicitly configured.
All override changes, certificate pins, and administrative actions are logged with timestamps and source identification for compliance requirements.
Full DNS implementation with A/AAAA records, UDP+TCP transport, configurable TTLs, NXDOMAIN handling, and DNSSEC signing.
Round-robin, weighted distribution, active/standby failover, geolocation routing with custom CIDR mappings, and latency-based routing with EMA smoothing.
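The routing policies listed above, written out as an added Go example (not OpenGSLB's own code): weighted distribution, an active/standby failover chain, and latency-based selection on an EMA-smoothed RTT. The `Backend` type, the `alpha` parameter, the sample addresses and the pick functions are assumptions of this example, not the project's API.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Backend is a constructed model of one routable server; the field names are
// illustrative and not OpenGSLB's own types.
type Backend struct {
	Name    string
	Addr    string
	Weight  int     // relative share of answers for weighted distribution
	Healthy bool    // result of the latest health validation
	RTTms   float64 // exponentially smoothed RTT; 0 means no sample yet
}

// UpdateRTT folds one RTT measurement into the exponential moving average.
// alpha in (0,1]: larger values react faster, smaller values smooth harder,
// so a single slow probe cannot flip routing on its own.
func (b *Backend) UpdateRTT(sampleMs, alpha float64) float64 {
	if b.RTTms == 0 {
		b.RTTms = sampleMs
	} else {
		b.RTTms = alpha*sampleMs + (1-alpha)*b.RTTms
	}
	return b.RTTms
}

// live keeps only backends that passed validation; every policy below starts
// here, so an unhealthy server never reaches a DNS answer whatever its weight.
func live(pool []*Backend) []*Backend {
	var out []*Backend
	for _, b := range pool {
		if b.Healthy {
			out = append(out, b)
		}
	}
	return out
}

// PickRoundRobin returns the n-th healthy backend, cycling through the pool.
func PickRoundRobin(pool []*Backend, n int) *Backend {
	l := live(pool)
	if len(l) == 0 {
		return nil
	}
	return l[n%len(l)]
}

// PickWeighted chooses a healthy backend with probability proportional to its
// weight. r must be in [0,1); it is a parameter so the choice is reproducible.
func PickWeighted(pool []*Backend, r float64) *Backend {
	l := live(pool)
	total := 0
	for _, b := range l {
		total += b.Weight
	}
	if total == 0 {
		return nil
	}
	target := int(r * float64(total))
	for _, b := range l {
		target -= b.Weight
		if target < 0 {
			return b
		}
	}
	return l[len(l)-1]
}

// PickFailover implements an active/standby chain: the first healthy entry in
// priority order answers; the others stay standby until it fails validation.
func PickFailover(chain []*Backend) *Backend {
	for _, b := range chain {
		if b.Healthy {
			return b
		}
	}
	return nil
}

// PickLowestRTT returns the healthy backend with the smallest smoothed RTT;
// backends with no sample yet are skipped rather than treated as 0 ms.
func PickLowestRTT(pool []*Backend) *Backend {
	var best *Backend
	for _, b := range live(pool) {
		if b.RTTms == 0 {
			continue
		}
		if best == nil || b.RTTms < best.RTTms {
			best = b
		}
	}
	return best
}

func main() {
	// Constructed sample pool using RFC 5737 documentation addresses.
	pool := []*Backend{
		{Name: "eu-1", Addr: "192.0.2.10", Weight: 3, Healthy: true},
		{Name: "eu-2", Addr: "192.0.2.11", Weight: 1, Healthy: true},
		{Name: "eu-3", Addr: "192.0.2.12", Weight: 5, Healthy: false}, // failed validation
	}
	pool[0].UpdateRTT(100, 0.2)
	pool[0].UpdateRTT(200, 0.2) // ~120: one slow sample only nudges the average
	pool[1].UpdateRTT(90, 0.2)

	fmt.Println("weighted :", PickWeighted(pool, rand.Float64()).Name)
	fmt.Println("failover :", PickFailover(pool).Name)
	fmt.Println("lowest   :", PickLowestRTT(pool).Name)
}
```

Each policy filters on health first, which is the property a GSLB must keep: weight and latency only rank servers that validation has already admitted.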
Extract client location from recursive resolvers for accurate geo-routing even when clients use public DNS services like Google or Cloudflare.
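How the client subnet is recovered from a query and mapped onto the custom CIDR table mentioned in the routing list, as an added Go example that is not OpenGSLB's own code. It parses the EDNS Client Subnet option (RFC 7871 option code 8) out of raw OPT RDATA, falls back to the resolver's address when no ECS option is present, and resolves the subnet against a longest-prefix mapping table. The `GeoMapping` type, the byte sample and the region names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// optCodeECS is the EDNS0 option code for Client Subnet (RFC 7871).
const optCodeECS = 8

// ParseECS walks the RDATA of an EDNS0 OPT pseudo-record and returns the
// client subnet announced by the recursive resolver, or nil when the query
// carried no ECS option. Malformed options are rejected rather than guessed
// at, because this value steers routing.
func ParseECS(rdata []byte) (*net.IPNet, error) {
	for len(rdata) >= 4 {
		code := binary.BigEndian.Uint16(rdata[0:2])
		length := int(binary.BigEndian.Uint16(rdata[2:4]))
		rdata = rdata[4:]
		if length > len(rdata) {
			return nil, errors.New("ecs: option length exceeds OPT rdata")
		}
		data := rdata[:length]
		rdata = rdata[length:]
		if code != optCodeECS {
			continue // some other EDNS option (cookie, padding, ...)
		}
		if len(data) < 4 {
			return nil, errors.New("ecs: option shorter than fixed header")
		}
		family := binary.BigEndian.Uint16(data[0:2])
		prefix := int(data[2]) // SOURCE PREFIX-LENGTH; data[3] is SCOPE, unused in queries
		addr := data[4:]
		var bits int
		switch family {
		case 1:
			bits = 32
		case 2:
			bits = 128
		default:
			return nil, fmt.Errorf("ecs: unsupported address family %d", family)
		}
		if prefix > bits {
			return nil, fmt.Errorf("ecs: prefix length %d exceeds family width %d", prefix, bits)
		}
		if want := (prefix + 7) / 8; len(addr) != want {
			return nil, fmt.Errorf("ecs: address has %d bytes, expected %d for /%d", len(addr), want, prefix)
		}
		ip := make(net.IP, bits/8)
		copy(ip, addr) // bytes beyond the announced prefix stay zero
		mask := net.CIDRMask(prefix, bits)
		return &net.IPNet{IP: ip.Mask(mask), Mask: mask}, nil
	}
	if len(rdata) != 0 {
		return nil, errors.New("ecs: trailing bytes in OPT rdata")
	}
	return nil, nil
}

// ClientSubnet is the routing input: the ECS subnet when present, otherwise
// the resolver's own address as a host route, which is all an authoritative
// server can see without ECS (a public resolver then geolocates to itself).
func ClientSubnet(optRdata []byte, resolverIP net.IP) (*net.IPNet, error) {
	if subnet, err := ParseECS(optRdata); err != nil || subnet != nil {
		return subnet, err
	}
	bits := 128
	if v4 := resolverIP.To4(); v4 != nil {
		resolverIP, bits = v4, 32
	}
	return &net.IPNet{IP: resolverIP, Mask: net.CIDRMask(bits, bits)}, nil
}

// GeoMapping is one custom CIDR-to-region rule (constructed format).
type GeoMapping struct {
	Region string
	Net    *net.IPNet
}

// MustCIDR parses a CIDR literal for building a mapping table.
func MustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Region returns the most specific mapping containing the subnet's network
// address, or "default" when none does, so overlapping rules behave like a
// longest-prefix routing table.
func Region(table []GeoMapping, subnet *net.IPNet) string {
	best, bestLen := "default", -1
	for _, m := range table {
		ones, _ := m.Net.Mask.Size()
		if m.Net.Contains(subnet.IP) && ones > bestLen {
			best, bestLen = m.Region, ones
		}
	}
	return best
}

// SampleOptRdata is a constructed OPT RDATA holding one ECS option: code 8,
// length 7, family 1 (IPv4), source /24, scope 0, address 203.0.113 (TEST-NET-3).
var SampleOptRdata = []byte{0x00, 0x08, 0x00, 0x07, 0x00, 0x01, 0x18, 0x00, 0xCB, 0x00, 0x71}

func main() {
	table := []GeoMapping{
		{Region: "apac", Net: MustCIDR("203.0.0.0/16")},
		{Region: "eu-west", Net: MustCIDR("203.0.113.0/24")}, // more specific, wins
		{Region: "us-east", Net: MustCIDR("198.51.100.0/24")},
	}
	subnet, err := ClientSubnet(SampleOptRdata, net.ParseIP("192.0.2.53"))
	if err != nil {
		panic(err)
	}
	fmt.Println(subnet, "->", Region(table, subnet))
}
```

The length checks matter: ECS is attacker-influenceable input arriving over UDP, so a truncated or over-long option is dropped as a parse error instead of being partially trusted for a routing decision.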
Agent-side failure prediction monitors CPU, memory, and error rates. Detects degradation before it impacts DNS responses—something no SaaS GSLB offers.
Three server sources unified into one: static configuration, agent registration, and API registration. All participate equally in routing decisions.
Full CRUD API for dynamic server management. Add, update, or remove servers at runtime without configuration changes or restarts.
Servers registered via API or agents automatically participate in DNS routing based on their service associations. No manual domain configuration needed.
Agents know they're about to fail (predictive). Overwatches validate claims independently (reactive). Both perspectives combined eliminate false positives.
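The four-level trust model from the security section (agent claim, Overwatch validation, external tools, human override) and the predictive/reactive combination described here, as an added Go example that is not OpenGSLB's own code. `Predict` stands in for the agent's CPU/memory/error-rate monitor with constructed thresholds; `Resolve` applies the precedence in which a probe result always outranks the agent, so a wrong agent claim cannot withdraw a working server. One rule is this example's own assumption: when the winning probe passes but the agent predicts degradation, the server is marked degraded rather than healthy, since a passing probe does not contradict a prediction about the near future.

```go
package main

import (
	"fmt"
	"time"
)

// Status is the routability verdict for one server.
type Status int

const (
	Healthy  Status = iota
	Degraded        // still answered, expected to be weighted down
	Down            // withdrawn from DNS answers
)

func (s Status) String() string { return [...]string{"healthy", "degraded", "down"}[s] }

// Predict is the agent-side early warning: local readings become a claim
// before the service actually fails. The thresholds are constructed for
// this example, not OpenGSLB's defaults.
func Predict(cpuPct, memPct, errRate float64) Status {
	switch {
	case errRate >= 0.50 || memPct >= 98:
		return Down
	case cpuPct >= 85 || memPct >= 90 || errRate >= 0.05:
		return Degraded
	}
	return Healthy
}

// Evidence gathers what each trust level says about a server; nil means that
// level has no opinion. Fields follow the four levels, lowest first.
type Evidence struct {
	Agent     *Status // level 1: the agent's own claim (possibly predictive)
	Overwatch *bool   // level 2: did the Overwatch's own probe pass?
	External  *bool   // level 3: did the external tool's check pass?
	Override  *Status // level 4: human override
}

// Decision is what goes into the audit log: the verdict, the level that
// produced it, and when.
type Decision struct {
	Server string
	Status Status
	Source string
	At     time.Time
}

func probeStatus(passed bool) Status {
	if passed {
		return Healthy
	}
	return Down
}

// Resolve applies the trust model: override, then external check, then
// Overwatch probe, then the agent. Probe results decide up/down over any
// agent claim; an agent's Degraded prediction can only demote a Healthy
// probe verdict to Degraded, never withdraw the server by itself (assumption
// of this example, see the lead-in).
func Resolve(server string, ev Evidence, now time.Time) Decision {
	d := Decision{Server: server, At: now}
	switch {
	case ev.Override != nil:
		d.Status, d.Source = *ev.Override, "human-override"
		return d // operator decisions are never adjusted by automation
	case ev.External != nil:
		d.Status, d.Source = probeStatus(*ev.External), "external-check"
	case ev.Overwatch != nil:
		d.Status, d.Source = probeStatus(*ev.Overwatch), "overwatch-probe"
	case ev.Agent != nil:
		d.Status, d.Source = *ev.Agent, "agent-claim"
		return d
	default:
		d.Status, d.Source = Down, "no-evidence" // never route what nobody has checked
		return d
	}
	if d.Status == Healthy && ev.Agent != nil && *ev.Agent == Degraded {
		d.Status, d.Source = Degraded, d.Source+"+agent-prediction"
	}
	return d
}

func StatusPtr(s Status) *Status { return &s }
func BoolPtr(b bool) *bool       { return &b }

func main() {
	now := time.Now()
	scenarios := []struct {
		name string
		ev   Evidence
	}{
		{"agent says down, probe passes", Evidence{Agent: StatusPtr(Down), Overwatch: BoolPtr(true)}},
		{"agent says healthy, probe fails", Evidence{Agent: StatusPtr(Healthy), Overwatch: BoolPtr(false)}},
		{"agent predicts trouble, probe passes", Evidence{Agent: StatusPtr(Predict(92, 60, 0.01)), External: BoolPtr(true)}},
		{"operator forces healthy during check outage", Evidence{Overwatch: BoolPtr(false), Override: StatusPtr(Healthy)}},
	}
	for _, s := range scenarios {
		d := Resolve("web-1", s.ev, now)
		fmt.Printf("%-45s -> %-8s (%s at %s)\n", s.name, d.Status, d.Source, d.At.Format(time.RFC3339))
	}
}
```

Recording `Source` alongside the verdict is what makes the later audit requirement workable: an operator reading the log can tell whether a server was withdrawn by a probe, by a human, or merely claimed down by its own agent.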
Structured logging (JSON/text), Prometheus metrics, health status API, CLI management tool. Hot-reload configuration via SIGHUP without downtime.
Split configuration across multiple files with glob patterns, environment variable expansion, and layered merging for team-based management.
Full-featured opengslb-cli for status monitoring, server management, override control, geo testing, DNSSEC management, and config validation.
Single Go binary. No external databases, no service mesh, no Kubernetes required. Deploy via Docker, systemd, or bare metal. Works on Linux and Windows.