The ungleich DNS infrastructure » History » Version 19
Timothée Floure, 01/20/2020 04:38 PM
Mention unbound server monitoring
| 1 | 1 | Nico Schottelius | h1. The ungleich DNS infrastructure |
|---|---|---|---|
| 2 | |||
| 3 | 6 | Nico Schottelius | {{toc}} |
| 4 | |||
| 5 | 2 | Nico Schottelius | h2. Status |
| 6 | |||
| 7 | 13 | Nico Schottelius | This document is *IN PRODUCTION*. |
| 8 | 2 | Nico Schottelius | |
| 9 | 11 | Nico Schottelius | h2. SEE ALSO |
| 10 | |||
| 11 | * [[The_ungleich_network_infrastructure]] |
||
| 12 | |||
| 13 | 1 | Nico Schottelius | h2. Overview |
| 14 | |||
| 15 | 7 | Nico Schottelius | |
| 16 | 10 | Nico Schottelius | | | *place4* | *place5* | *place6* | |
| 17 | | *DNS64 prefix* | - | 2a0a:e5c0:0:1::/96 | 2a0a:e5c0:2:10::/96 | |
||
| 18 | | *DNS resolver* | - | 2a0a:e5c0::3 2a0a:e5c0::4 | 2a0a:e5c0:2:1::5 2a0a:e5c0:2:1::6 | |
||
| 19 | 18 | Timothée Floure | | *DNS64 resolvers* | - | - | unbound1.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c451) |
| 20 | unbound2.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c45d)| |
||
| 21 | 13 | Nico Schottelius | | *DNS auth BIND* | dns1.ungleich.ch | dns2.ungleich.ch | dns3.ungleich.ch | |
| 22 | 1 | Nico Schottelius | | | 2a01:4f8:150:7092::2 | 2a0a:e5c0::1 | 2a0a:e5c0:2:1::7 | |
| 23 | 10 | Nico Schottelius | | | 176.9.50.202 | 185.203.112.1 | 185.203.114.1 | |
| 24 | 13 | Nico Schottelius | | *DNS auth KNOT* | - | dns7.ungleich.ch | dns6.ungleich.ch | |
| 25 | 7 | Nico Schottelius | |
| 26 | |||
| 27 | 1 | Nico Schottelius | * Every place has 2 redundant caching nameservers. |
| 28 | * All zones have 3 authorative nameservers, located in 3 different places |
||
| 29 | * Important zones (like ungleich.ch) need to be resolvable, even if a place goes offline |
||
| 30 | ** For this reason some authorative data needs to be on the caching name servers |
||
| 31 | ** For this reason we stay with a bind9 based setup for the moment (might change in the future) |
||
| 32 | 3 | Nico Schottelius | |
| 33 | h2. Architecture |
||
| 34 | |||
| 35 | In total we are running 5 servers that are responsible for caching and authorative answers: |
||
| 36 | |||
| 37 | * Authorative |
||
| 38 | ** 1x server in place4 (bind) |
||
| 39 | ** 1x VRRP IP of routers in place5 (bind) |
||
| 40 | ** 1x VRRP IP of routers in place6 (bind) |
||
| 41 | * Caching |
||
| 42 | ** 2x server ip of router in place5 (bind) |
||
| 43 | ** 2x server ip of router in place6 (bind) |
||
| 44 | |||
| 45 | h2. How to update the ungleich DNS servers |
||
| 46 | 1 | Nico Schottelius | |
| 47 | 12 | Nico Schottelius | To update all servers, use: |
| 48 | 1 | Nico Schottelius | |
| 49 | 3 | Nico Schottelius | <pre> |
| 50 | 12 | Nico Schottelius | cdist config d{1..7}.ungleich.ch |
| 51 | 3 | Nico Schottelius | </pre> |
| 52 | |||
| 53 | 17 | Nico Schottelius | | | | "virtual" | Note | |
| 54 | | d1 | router1.place5 | dns2.ungleich.ch | cache+auth | |
||
| 55 | | d2 | router2.place5 | dns2.ungleich.ch | cache+auth | |
||
| 56 | | d3 | router1.place6 | dns3.ungleich.ch | cache+auth | |
||
| 57 | | d4 | router2.place6 | dns3.ungleich.ch | cache+auth | |
||
| 58 | | d5 | server1.place4 | dns1.ungleich.ch | auth | |
||
| 59 | | d6 | dns6.ungleich.ch | - | auth+synth | |
||
| 60 | | d7 | dns7.ungleich.ch | - | auth+synth | |
||
| 61 | |||
| 62 | |||
| 63 | 4 | Nico Schottelius | h2. How to use the authorative DNS servers in zone files |
| 64 | 3 | Nico Schottelius | |
| 65 | Add the following to your zone file: |
||
| 66 | |||
| 67 | <pre> |
||
| 68 | 5 | Nico Schottelius | ; server1.place4 |
| 69 | IN NS dns1.ungleich.ch. |
||
| 70 | |||
| 71 | ; vrrp active router @ place5 |
||
| 72 | IN NS dns2.ungleich.ch. |
||
| 73 | |||
| 74 | ; vrrp active router @ place6 |
||
| 75 | IN NS dns3.ungleich.ch. |
||
| 76 | 18 | Timothée Floure | </pre> |
| 77 | |||
| 78 | h2. DNS64 at datacenterlight/ipv6onlyhosting |
||
| 79 | |||
| 80 | "NAT64":https://en.wikipedia.org/wiki/NAT64 allows ipv6-only nodes to reach the v4 world. The production infrastructure for DCL/V6OnlyHosting runs at place6 and networks are assigned as follow: |
||
| 81 | |||
| 82 | * IPv6Only VMs are assigned to the `place6-ipv6-nat64` OpenNebula network. |
||
| 83 | * Dual-stack VM are assigned to the `place6-ipv4` and `place6-ipv6` |
||
| 84 | |||
| 85 | The `place6-ipv6-nat64` networks *provides NAT64* but the `place6-ipv6` *does not*: we do not want ipv4-capable VMs to be NAT'ed behind NAT64. Due to *legacy reasons*, some ipv6only VMs are in `place6-ipv6` but have NAT64 due to hardcoded per-ip configuration our bind DNS server (see `type/__ungleich_dns_server` type in dot-cdist). |
||
| 86 | |||
| 87 | h3. place6-ipv6-with-ip-spoofing |
||
| 88 | |||
| 89 | This OpenNebula network is used to routes v6 prefixes (/64, /56, /48) to customer VMs and is shared by Ipv6-Only and Dual-Stack VMs: NAT64 is *disabled* on this network. IPv6-Only customers on this network *MUST* use unbound1.place6.ungleich.ch and unbound2.place6.ungleich.ch as name server. Their `/etc/resolve.conf` file should look like: |
||
| 90 | |||
| 91 | <pre> |
||
| 92 | nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c451 |
||
| 93 | nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c45d |
||
| 94 | 3 | Nico Schottelius | </pre> |
| 95 | 19 | Timothée Floure | |
| 96 | h2. Monitoring |
||
| 97 | |||
| 98 | The unbound DNS64 resolvers are monitored by our prometheus blackbox exporter (see `type/__dcl_monitoring_server` in dot-cdist). |