The ungleich DNS infrastructure » History » Revision 24
« Previous |
Revision 24/27
(diff)
| Next »
Nico Schottelius, 02/15/2021 11:09 AM
The ungleich DNS infrastructure¶
- Table of contents
- The ungleich DNS infrastructure
Status¶
This document is IN PRODUCTION.
SEE ALSO¶
Overview¶
| place4 | place5 | place6 | |
| DNS64 prefix | - | 2a0a:e5c0:0:1::/96 | 2a0a:e5c0:2:10::/96 |
| DNS resolver | - | 2a0a:e5c0:0:a::a 2a0a:e5c0:0:a::b | 2a0a:e5c0:2:a::a 2a0a:e5c0:2:a::b |
| (NAT64 enabled | |||
| for certain networks) | |||
| DNS64 resolvers | - | - | unbound1.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c451) |
| unbound2.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c45d) | |||
| DNS auth BIND | dns1.ungleich.ch | dns2.ungleich.ch | dns3.ungleich.ch |
| 2a01:4f8:150:7092::2 | 2a0a:e5c0::1 | 2a0a:e5c0:2:1::7 | |
| 176.9.50.202 | 185.203.112.1 | 185.203.114.1 | |
| DNS auth KNOT | - | dns7.ungleich.ch | dns6.ungleich.ch |
- Every place has 2 redundant caching nameservers.
- All zones have 3 authorative nameservers, located in 3 different places
- Important zones (like ungleich.ch) need to be resolvable, even if a place goes offline
- For this reason some authorative data needs to be on the caching name servers
- For this reason we stay with a bind9 based setup for the moment (might change in the future)
Architecture¶
In total we are running 8 servers that are responsible for caching and authorative answers:
- Authorative
- 1x server in place4 (bind)
- 1x VRRP IP of routers in place5 (bind)
- 1x VRRP IP of routers in place6 (bind)
- Caching
- 2x server ip of router in place5 (bind)
- 2x server ip of router in place6 (bind)
How to update the ungleich DNS servers¶
To update all servers, use:
cdist config d{1..8}.ungleich.ch
| "virtual" | Note | ||
| d1 | router1.place5 | dns2.ungleich.ch | cache+auth |
| d2 | router2.place5 | dns2.ungleich.ch | cache+auth |
| d3 | router1.place6 | dns3.ungleich.ch | cache+auth |
| d4 | router2.place6 | dns3.ungleich.ch | cache+auth |
| d5 | server1.place4 | dns1.ungleich.ch | auth |
| d6 | dns6.ungleich.ch | - | auth+synth |
| d7 | dns7.ungleich.ch | - | auth+synth |
| d8 | router1.place10 | - | cache+auth |
How to use the authorative DNS servers in zone files¶
Add the following to your zone file:
; server1.place4
IN NS dns1.ungleich.ch.
; vrrp active router @ place5
IN NS dns2.ungleich.ch.
; vrrp active router @ place6
IN NS dns3.ungleich.ch.
DNS64 at datacenterlight/ipv6onlyhosting¶
NAT64 allows ipv6-only nodes to reach the v4 world, and requires DNS64 at ungleich.
DNS64 resolvers¶
DNS64 is usually provided by BIND (d{1..7}.ungleich.ch) depending on the address/prefix emitting the request (see `type/__ungleich_dns_server` in dot-cdist). It can also be provided by the unbound servers of place6 (unbound{1,2}.place6.ungleich.ch), which unconditionally serve DNS64.
Customer VMS¶
The production infrastructure for DCL/V6OnlyHosting runs at place6 and networks are assigned as follow:
- IPv6Only VMs are assigned to the `place6-ipv6-nat64` OpenNebula network.
- Dual-stack VM are assigned to the `place6-ipv4` and `place6-ipv6`
The `place6-ipv6-nat64` networks provides NAT64 but the `place6-ipv6` does not: we do not want ipv4-capable VMs to be NAT'ed behind NAT64. Due to legacy reasons, some ipv6only VMs are in `place6-ipv6` but have NAT64 due to hardcoded per-ip configuration our bind DNS server (see `type/__ungleich_dns_server` type in dot-cdist).
place6-ipv6-with-ip-spoofing¶
This OpenNebula network is used to routes v6 prefixes (/64, /56, /48) to customer VMs and is shared by Ipv6-Only and Dual-Stack VMs: NAT64 is disabled on this network. IPv6-Only customers on this network MUST use unbound1.place6.ungleich.ch and unbound2.place6.ungleich.ch as name server. Their `/etc/resolve.conf` file should look like:
nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c451 nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c45d
DNS64 in Ungleich IPv6 VPN¶
Using ungleich's DNS64 resolvers also allows to route all traffic via the ungleich VPN when enabled. You'll find more details on the Ungleich IPv6 wireguard VPN page.
Monitoring¶
The unbound DNS64 resolvers are monitored by our prometheus blackbox exporter (see `type/__dcl_monitoring_server` in dot-cdist).
Updated by Nico Schottelius almost 4 years ago · 24 revisions