Re: Anycast DNS - LB/LTM

2012-03-12 Thread ju wusuo
I'm not familiar with LTM, so there is no need to check the pool with the 
script? LTM will know itself and stop advertising through some other mechanism 
when the pool is empty?

Therefore checking the VIPA using the script is just redundant?





From: David Klein r...@nachtmaus.us
To: ju wusuo juwu...@yahoo.com
Cc: bind-users@lists.isc.org
Sent: Saturday, March 10, 2012 3:31 PM
Subject: Re: Anycast DNS - LB/LTM


Exactly. The script runs inside the LTM, and wraps nslookup or dig. It 
should produce one distinct output for success, and another distinct output for 
failure. It should only check the pool members, not the VIPA itself. If the 
pool is empty, the LTM will stop advertising the VIPA. 


 -DTK



On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo juwu...@yahoo.com wrote:

So the script would run on the LTM; it will periodically check each physical 
DNS node, and if one cannot resolve, take it out of the pool. It will also 
check the VIP, and if the VIP cannot resolve (pool is empty or LTM issue), stop the 
advertising?




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users




-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?









Re: Anycast DNS - LB/LTM

2012-03-10 Thread David Klein
Exactly. The script runs inside the LTM, and wraps nslookup or dig. It
should produce one distinct output for success, and another distinct output
for failure. It should only check the pool members, not the VIPA itself. If
the pool is empty, the LTM will stop advertising the VIPA.


 -DTK


On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo juwu...@yahoo.com wrote:

 So the script would run on the LTM; it will periodically check each
 physical DNS node, and if one cannot resolve, take it out of the pool. It
 will also check the VIP, and if the VIP cannot resolve (pool is empty or LTM
 issue), stop the advertising?


Re: Anycast DNS - LB/LTM

2012-03-09 Thread ju wusuo
So the script would run on the LTM; it will periodically check each physical 
DNS node, and if one cannot resolve, take it out of the pool. It will also 
check the VIP, and if the VIP cannot resolve (pool is empty or LTM issue), stop the 
advertising?



From: David Klein r...@nachtmaus.us
To: ju wusuo juwu...@yahoo.com
Cc: bind-users@lists.isc.org
Sent: Wednesday, March 7, 2012 11:18 PM
Subject: Re: Anycast DNS


You would need to create a custom script to use as your monitor, which does a 
lookup of an address that you know will always be in your domain. If that 
fails, force-down/inactive the node, and tie this script as a monitor to the 
pool holding the DNS server nodes. 

You can advertise the /32 containing the VIPA to the up-stream router via 
either OSPF or IBGP, and if the pool goes empty, stop advertising the route 
(the only option is stop advertising, not actively withdraw the route, since 
that could cause a massive reconvergence cycle in your enterprise-wide RIB, if 
done wrong, just because of a flapping interface). 



HTH,

 -DTK




Re: Anycast DNS

2012-03-07 Thread ju wusuo


thanks everyone for all responses with the great inputs ..

now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to 
announce the routes dynamically for the DNS servers, and a VIP can be withdrawn 
when the site is gone? 2) would the LTMs be able to detect a DNS service 
failure and stop sending over DNS queries, i.e., in the case a named is still 
up but just not able to resolve names (assuming LTM can detect a named is 
down)?  

Re: Anycast DNS

2012-03-07 Thread David Klein
You would need to create a custom script to use as your monitor, which does
a lookup of an address that you know will always be in your domain. If that
fails, force-down/inactive the node, and tie this script as a monitor to
the pool holding the DNS server nodes.

You can advertise the /32 containing the VIPA to the up-stream router via
either OSPF or IBGP, and if the pool goes empty, stop advertising the route
(the only option is stop advertising, not actively withdraw the route,
since that could cause a massive reconvergence cycle in your
enterprise-wide RIB, if done wrong, just because of a flapping interface).



HTH,

 -DTK


On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo juwu...@yahoo.com wrote:


 thanks everyone for all responses with the great inputs ..

 now if I want to put the DNS servers behind LBs, 1) would the LTMs be able
 to announce the routes dynamically for the DNS servers, and a VIP can be
 withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS
 service failure and stop sending over DNS queries, i.e., in the case a
 named is still up but just not able to resolve names (assuming LTM can
 detect a named is down)?


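The monitor David Klein describes in this post and refines in his 2012-03-10 follow-up (query a name that must always resolve, check each pool member rather than the VIPA, emit one distinct output for success and another for failure) can be sketched as a small shell script. This is an added example, not code from the thread or from F5: the external-monitor conventions it assumes (node address in $1, port in $2, any text on stdout meaning "member up", the address passed as an IPv4-mapped IPv6 literal) must be verified against your own LTM version, and CHECK_NAME is a placeholder for a record in your zone. The verdict logic is separated from the dig call so it can be exercised offline against constructed dig header fragments.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): a pool-member health check.
# Queries ONE physical DNS node directly (never the VIPA) for a name that must
# always resolve; prints "UP" on success and nothing on failure.
# Assumed F5 external-monitor conventions: $1 = node address, $2 = port,
# any stdout = member up. Adapt to your LTM version.

CHECK_NAME="${CHECK_NAME:-ns1.example.com.}"   # placeholder: a name that always exists
QUERY_TIMEOUT="${QUERY_TIMEOUT:-2}"            # seconds per attempt
QUERY_TRIES="${QUERY_TRIES:-2}"                # attempts before declaring failure

# Assumed convention: LTM passes the node as ::ffff:a.b.c.d; strip the prefix
# so dig receives a plain IPv4 literal.
node_addr() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Verdict from dig's full output: healthy only when the header says NOERROR AND
# the answer section is non-empty. A named that is up but cannot resolve gives
# SERVFAIL, a timeout (no output), or NOERROR with zero answers; all fail here.
# Takes the dig output as an argument so it can be tested without a live server.
judge_dig_output() {
    out="$1"
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$out" | grep -q 'ANSWER: [1-9]' || return 1
    return 0
}

# Query one pool member; print "UP" only on success (the distinct success output).
check_member() {
    addr=$(node_addr "$1")
    port="${2:-53}"
    out=$(dig +time="$QUERY_TIMEOUT" +tries="$QUERY_TRIES" -p "$port" "@$addr" "$CHECK_NAME" A 2>/dev/null)
    if judge_dig_output "$out"; then
        echo "UP"
        return 0
    fi
    return 1
}

# Offline demonstration on constructed dig header fragments (no network needed).
# Returns 0 when all three samples are classified as expected.
self_test() {
    good=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
    servfail=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
    empty=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
    judge_dig_output "$good" || return 1
    judge_dig_output "$servfail" && return 1
    judge_dig_output "$empty" && return 1
    return 0
}

# When the monitor invokes the script with a node address, run the real check.
if [ $# -gt 0 ]; then
    check_member "$@"
    exit $?
fi
```

Because the script only ever talks to an individual member, an empty pool is detected by the LTM itself (every member marked down), which is the condition that stops the VIPA advertisement; the script never needs to query the VIPA. Requiring a non-empty answer section, not just NOERROR, is what catches the "named is up but cannot resolve" case the thread asks about.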

Re: Anycast DNS

2012-03-01 Thread Phil Mayers

On 29/02/12 03:55, ju wusuo wrote:

Have seen some anycast DNS implementations using more than one address,
some times even on the same subnet, any considerations or reasons for
doing that?


We do that.

We use two different, independent methods to route traffic to the IPs. 
We feel this provides a greater degree of resilience.



Re: Anycast DNS

2012-03-01 Thread sthaug
  Have seen some anycast DNS implementations using more than one address,
  some times even on the same subnet, any considerations or reasons for
  doing that?
 
 We do that.
 
 We use two different, independent methods to route traffic to the IPs. 
 We feel this provides a greater degree of resilience.

More than one address also lets you do some load balancing or traffic
steering, if that is desirable.

(E.g.: Anycast group 1 announces prefix 1 with localpref 110, prefix 2
with localpref 120. Anycast group 2 announces prefix 1 with localpref
120, prefix 2 with localpref 110.)

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Anycast DNS

2012-02-29 Thread takizo
Ju, 
 
What do you mean on more than one address? 

--
Paul Ooi 



On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:

 Have seen some anycast DNS implementations using more than one address, some 
 times even on the same subnet, any considerations or reasons for doing that? 
 
 
 

Re: Anycast DNS

2012-02-29 Thread Barry Margolin
In article mailman.58.1330527041.63724.bind-us...@lists.isc.org,
 Oliver Garraux oli...@g.garraux.net wrote:

 On Wed, Feb 29, 2012 at 8:33 AM, takizo paul...@takizo.com wrote:
  Ju,
 
  What do you mean on more than one address?
 
  --
  Paul Ooi
 
 
 
  On Feb 29, 2012, at 11:55 AM, ju wusuo wrote:
 
  Have seen some anycast DNS implementations using more than one address, some
  times even on the same subnet, any considerations or reasons for doing
  that?
 
 
 
 I assume he's asking why Google has 8.8.8.8 and 8.8.4.4, and why
 whoever runs 4.2.2.2 has 4.2.2.1, 4.2.2.2, etc.  I don't have an
 answer.  They may have to announce at least a /24 for BGP peers to
 accept the routes.  But 8.8.8.8 and 8.8.4.4 aren't in the same /24, so
 that doesn't make sense there.

The difference is that Google is running a public DNS, while Level(3) is 
an ISP and their DNS was intended just for their customers (allowing 
public access is mostly a legacy of inheriting these servers from 
Genuity, nee BBN Planet -- we never had a central database of all 
customer address blocks from which to formulate an ACL).

So Google has to be concerned about having diverse routes from many 
different ISPs, and announcing two /24's facilitates this.  Level(3) is 
only concerned with routing within their network, and their OSPF routing 
can achieve diversity at the /32 level.

-- 
Barry Margolin
Arlington, MA


RE: Anycast DNS

2012-02-29 Thread Todd Snyder
The reason I've heard a few times is that users are uncomfortable using only 1 
address.  In the past I've done 2 or 3 addresses just so that we can give out 3 
addresses that all point to the same pool of servers.

Silly, I know, but sometimes it's easier to placate than to change 
someone/groups understanding of the 
world/networking/resilience/dns/loadbalancing.

$0.02
t.

From: bind-users-bounces+tsnyder=rim@lists.isc.org 
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
Sent: Tuesday, February 28, 2012 10:56 PM
To: bind-users@lists.isc.org
Subject: Anycast DNS

Have seen some anycast DNS implementations using more than one address, some 
times even on the same subnet, any considerations or reasons for doing that?




Re: Anycast DNS

2012-02-29 Thread Beavis
Just want to piggy back on this topic is there any documentation
available online that shows a deployment guideline for Anycast?

-beavis

On Wed, Feb 29, 2012 at 10:31 AM, Warren Kumari war...@kumari.net wrote:

 On Feb 29, 2012, at 11:00 AM, Todd Snyder wrote:

 The reason I’ve heard a few times is that users are uncomfortable using only 
 1 address.  In the past I’ve done 2 or 3 addresses just so that we can give 
 out 3 addresses that all point to the same pool of servers.

 Silly, I know, but sometimes it’s easier to placate than to change 
 someone/groups understanding of the 
 world/networking/resilience/dns/loadbalancing.

 It's partly silly, it's also partly not wanting to have all your eggs in one 
 basket.

 Having more than one anycast address provides protection against things like 
 routing attacks / leaks, overenthusiastic ACLs, router blackholes and similar.
 It also provides a backup in case the primary node chosen by your routing 
 infrastructure is unavailable -- if you only have a single anycast address 
 (192.0.2.1) and the instance chosen by your routing system is down (for 
 example through a DoS, misconfiguration, etc) you have no service. If you have 
 a second address (10.10.10.10) that is announced by a different constellation 
 you have redundancy.

 Also, anycast provides the closest instance according to the *network 
 topology* -- this doesn't always equate to fastest response -- it is not 
 uncommon for a longer BGP path to have a shorter latency. Providing multiple 
 addresses allows the resolver to choose based upon time.

 W




-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/
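Warren Kumari's point above, that the topologically closest anycast instance is not always the fastest and that a resolver given several addresses can choose by measured time, can be illustrated from the client side. The following is an added example, not code from the thread: it queries each anycast address once with dig, reads the ";; Query time: N msec" statistics line, and picks the lowest. The addresses and the query name are constructed placeholders, and a single sample is only a rough signal; the parser and the selection step are kept separate so they can be checked offline on constructed dig output.

```shell
#!/bin/sh
# Added example (not from the thread): pick the anycast address that answered
# fastest, as measured by dig's own query-time statistic.
# NAME and the addresses used at the bottom are constructed placeholders.

NAME="${NAME:-www.example.com.}"   # placeholder query name

# Extract the query time in milliseconds from dig's statistics section.
# Takes the dig output as an argument so the parser can be exercised offline.
query_time_msec() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Read "address msec" pairs on stdin and print the address with the lowest time.
pick_fastest() {
    sort -k2,2n | head -n 1 | cut -d' ' -f1
}

# Query each address once and emit "address msec" for those that answered.
measure_all() {
    for addr in "$@"; do
        out=$(dig +time=2 +tries=1 "@$addr" "$NAME" A 2>/dev/null) || continue
        t=$(query_time_msec "$out")
        if [ -n "$t" ]; then
            printf '%s %s\n' "$addr" "$t"
        fi
    done
}

# Offline demonstration on constructed dig outputs: the parser plus the selection
# logic, no network. Returns 0 when the address that is farther by path but
# faster by latency (198.51.100.1) wins.
self_demo() {
    near=';; ANSWER SECTION:
www.example.com. 300 IN A 203.0.113.7
;; Query time: 41 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)'
    far=';; ANSWER SECTION:
www.example.com. 300 IN A 203.0.113.7
;; Query time: 12 msec
;; SERVER: 198.51.100.1#53(198.51.100.1)'
    best=$(printf '%s %s\n%s %s\n' 192.0.2.1 "$(query_time_msec "$near")" \
                                    198.51.100.1 "$(query_time_msec "$far")" | pick_fastest)
    [ "$best" = "198.51.100.1" ]
}

# Usage: ./pick.sh 192.0.2.1 198.51.100.1   (placeholder anycast addresses)
if [ $# -gt 0 ]; then
    measure_all "$@" | pick_fastest
fi
```

A production resolver (BIND's server selection, for example) keeps a running estimate per server rather than a single sample, and an address that times out simply drops out of the candidate set, which is the redundancy argument in the same post.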


Anycast DNS

2012-02-28 Thread ju wusuo
Have seen some anycast DNS implementations using more than one address, some 
times even on the same subnet, any considerations or reasons for doing that?