The ungleich DNS infrastructure » History » Revision 23
Revision 22 (Nico Schottelius, 03/26/2020 07:50 PM) → Revision 23/27 (Nico Schottelius, 01/11/2021 12:03 PM)
h1. The ungleich DNS infrastructure {{toc}} h2. Status This document is *IN PRODUCTION*. h2. SEE ALSO * [[The_ungleich_network_infrastructure]] h2. Overview | | *place4* | *place5* | *place6* | | *DNS64 prefix* | - | 2a0a:e5c0:0:1::/96 | 2a0a:e5c0:2:10::/96 | | *DNS resolver* | - | 2a0a:e5c0:0:a::a 2a0a:e5c0:0:a::b | 2a0a:e5c0:2:a::a 2a0a:e5c0:2:a::b | | (NAT64 enabled | | | | | for certain networks) | | | | | | | | | | *DNS64 resolvers* | - | - | unbound1.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c451) | | | | | unbound2.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c45d) | | *DNS auth BIND* | dns1.ungleich.ch | dns2.ungleich.ch | dns3.ungleich.ch | | | 2a01:4f8:150:7092::2 | 2a0a:e5c0::1 | 2a0a:e5c0:2:1::7 | | | 176.9.50.202 | 185.203.112.1 | 185.203.114.1 | | *DNS auth KNOT* | - | dns7.ungleich.ch | dns6.ungleich.ch | * Every place has 2 redundant caching nameservers. * All zones have 3 authorative nameservers, located in 3 different places * Important zones (like ungleich.ch) need to be resolvable, even if a place goes offline ** For this reason some authorative data needs to be on the caching name servers ** For this reason we stay with a bind9 based setup for the moment (might change in the future) h2. Architecture In total we are running 5 servers that are responsible for caching and authorative answers: * Authorative ** 1x server in place4 (bind) ** 1x VRRP IP of routers in place5 (bind) ** 1x VRRP IP of routers in place6 (bind) * Caching ** 2x server ip of router in place5 (bind) ** 2x server ip of router in place6 (bind) h2. How to update the ungleich DNS servers To update all servers, use: <pre> cdist config d{1..7}.ungleich.ch </pre> | | | "virtual" | Note | | d1 | router1.place5 | dns2.ungleich.ch | cache+auth | | d2 | router2.place5 | dns2.ungleich.ch | cache+auth | | d3 | router1.place6 | dns3.ungleich.ch | cache+auth | | d4 | router2.place6 | dns3.ungleich.ch | cache+auth | | d5 | server1.place4 | dns1.ungleich.ch | auth | | d6 | dns6.ungleich.ch | - | auth+synth | | d7 | dns7.ungleich.ch | - | auth+synth | h2. How to use the authorative DNS servers in zone files Add the following to your zone file: <pre> ; server1.place4 IN NS dns1.ungleich.ch. ; vrrp active router @ place5 IN NS dns2.ungleich.ch. ; vrrp active router @ place6 IN NS dns3.ungleich.ch. </pre> h2. DNS64 at datacenterlight/ipv6onlyhosting "NAT64":https://en.wikipedia.org/wiki/NAT64 allows ipv6-only nodes to reach the v4 world, and requires DNS64 at ungleich. h3. DNS64 resolvers DNS64 is usually provided by BIND (d{1..7}.ungleich.ch) depending on the address/prefix emitting the request (see `type/__ungleich_dns_server` in dot-cdist). It can also be provided by the unbound servers of place6 (unbound{1,2}.place6.ungleich.ch), which unconditionally serve DNS64. h3. Customer VMS The production infrastructure for DCL/V6OnlyHosting runs at place6 and networks are assigned as follow: * IPv6Only VMs are assigned to the `place6-ipv6-nat64` OpenNebula network. * Dual-stack VM are assigned to the `place6-ipv4` and `place6-ipv6` The `place6-ipv6-nat64` networks *provides NAT64* but the `place6-ipv6` *does not*: we do not want ipv4-capable VMs to be NAT'ed behind NAT64. Due to *legacy reasons*, some ipv6only VMs are in `place6-ipv6` but have NAT64 due to hardcoded per-ip configuration our bind DNS server (see `type/__ungleich_dns_server` type in dot-cdist). h4. place6-ipv6-with-ip-spoofing This OpenNebula network is used to routes v6 prefixes (/64, /56, /48) to customer VMs and is shared by Ipv6-Only and Dual-Stack VMs: NAT64 is *disabled* on this network. IPv6-Only customers on this network *MUST* use unbound1.place6.ungleich.ch and unbound2.place6.ungleich.ch as name server. Their `/etc/resolve.conf` file should look like: <pre> nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c451 nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c45d </pre> h3. DNS64 in Ungleich IPv6 VPN Using ungleich's DNS64 resolvers also allows to route all traffic via the ungleich VPN when enabled. You'll find more details on the [[Ungleich IPv6 wireguard VPN]] page. h2. Monitoring The unbound DNS64 resolvers are monitored by our prometheus blackbox exporter (see `type/__dcl_monitoring_server` in dot-cdist).