but it's a perfect example of why GSLB based on DNS ain't perfect. What would be a better solution then?
utopia would be for DNS to be enhanced in some manner such that the 'end user ip-address' became visible in the DNS request. utopia would have NAT devices which actually updated that in-place so an authoritative nameserver always authoritatively _knew_ the public ip-address of where the request was coming from. alas, we don't live in utopia and have to settle for alternate solutions.

one such approach is to rely on protocol-specific mechanisms. e.g. if it's HTTP, then something at HTTP. oh wait - that won't deal with HTTP proxies either - but at least there is some standardization on HTTP headers that proxies insert giving a hint of the original client ip-address. there are other approaches also.

a few years back when i spent a fair bit of time in this area, my experience is that a hybrid system based on "specific protocol" and "generic solution" (dns) worked best. this simply isn't an area where "one solution fits all cases". there are public companies whose business model depends on this being 'hard' to do right. them being capable of doing something 'better' than not at all is the reason they are still in business.

i did a fair bit of research in this area as part of work i used to do a few years back. much of that research belongs to my employer - i thought it was documented publicly in the form of a patent i am a co-inventor of - but alas, i can't seem to find it on uspto.gov .. perhaps it hasn't been issued yet .. i haven't tracked these things for years. in either case, i guess it's an example of where even commercial entities whose business model depends on 'getting it right' most of the time do indeed 'get it wrong' also.

cheers,
lincoln.
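The hybrid approach the post describes, as an added example that is not part of the original message or of any product mentioned in it: a DNS-based GSLB can only steer on the recursive resolver's address, while the HTTP layer can use the client hint that proxies insert. The example assumes that hint is the de facto X-Forwarded-For header, uses a constructed prefix-to-site table (documentation address ranges, not real geo data), and treats the header as untrusted unless the TCP peer is one of the operator's own proxies, walking it from the right so that a client-supplied leftmost value cannot redirect itself.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed lookup table (documentation prefixes, not real geo data):
# which site is "closest" to a given source address.
SITE_BY_PREFIX = {
    ipaddress.ip_network("192.0.2.0/24"): "site-west",
    ipaddress.ip_network("198.51.100.0/24"): "site-east",
    ipaddress.ip_network("203.0.113.0/24"): "site-asia",
}


def site_for(ip: str) -> Optional[str]:
    """Map an address to a site, or None if it is outside the table."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, site in SITE_BY_PREFIX.items():
        if addr in net:
            return site
    return None


def dns_gslb_choice(resolver_ip: str) -> Optional[str]:
    """DNS-based GSLB: the authoritative server only sees the recursive
    resolver's address, so that is all it can steer on."""
    return site_for(resolver_ip)


def client_ip_from_xff(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable[str]) -> str:
    """Best-effort client address from an X-Forwarded-For header.

    The header is only honoured when the TCP peer is one of our own proxies,
    and it is walked from the right, skipping trusted hops: the first
    untrusted hop is the best guess. The leftmost value is never trusted
    blindly, because any client can put an arbitrary string there.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not xff or not is_trusted(remote_addr):
        return remote_addr          # direct connection: header is meaningless
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not hop or is_trusted(hop):
            continue                # empty, or one of ours: keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr      # malformed hop: do not guess
        return hop
    return remote_addr              # every hop was a trusted proxy


def hybrid_choice(resolver_ip: str, remote_addr: str, xff: Optional[str],
                  trusted_proxies: Iterable[str]) -> dict:
    """Hybrid: DNS gives the coarse first answer; once the HTTP request
    arrives, re-check with the better client hint and redirect if the DNS
    guess landed the client at the wrong site."""
    dns_site = dns_gslb_choice(resolver_ip)
    client = client_ip_from_xff(remote_addr, xff, trusted_proxies)
    http_site = site_for(client) or dns_site
    return {
        "dns_site": dns_site,
        "client_ip": client,
        "serve_from": http_site,
        "redirect": http_site is not None and http_site != dns_site,
    }


if __name__ == "__main__":
    # Constructed scenario: a client in the "west" prefix uses a resolver in
    # the "east" prefix, and reaches us through our proxy 10.0.0.5, which
    # appended the real client address after a value the client forged.
    print(hybrid_choice("198.51.100.53", "10.0.0.5",
                        "203.0.113.9, 192.0.2.77", ["10.0.0.0/8"]))
```

The DNS answer alone sends this client east; the HTTP-layer check recovers the west address from the rightmost untrusted hop and flags a redirect, while the forged leftmost entry is ignored. A resolver outside the table yields no DNS choice at all, which is the case where only the protocol-specific hint helps.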