Open Infrastructure

h1. The ungleich DNS infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. SEE ALSO

* [[The_ungleich_network_infrastructure]]

h2. Overview

|                       | *place4*             | *place5*                          | *place6*                                                      | *any place*                         |

| *DNS64 prefix*        | -                    | 2a0a:e5c0:0:1::/96                | 2a0a:e5c0:2:10::/96                                           |                                     |

| *DNS resolver*        | -                    | 2a0a:e5c0:0:a::a 2a0a:e5c0:0:a::b | 2a0a:e5c0:2:a::a 2a0a:e5c0:2:a::b                             | 2a0a:e5c0:1e:a::a 2a0a:e5c0:1e:a::b |

| (NAT64 enabled        |                      |                                   |                                                               |                                     |

| for certain networks) |                      |                                   |                                                               |                                     |

|                       |                      |                                   |                                                               |                                     |

| *DNS64 resolvers*     | -                    | -                                 | unbound1.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c451) |                                     |

|                       |                      |                                   | unbound2.place6.ungleich.ch (2a0a:e5c0:2:12:0:f0ff:fea9:c45d) |                                     |

| *DNS auth BIND*       | dns1.ungleich.ch     | dns2.ungleich.ch                  | dns3.ungleich.ch                                              |                                     |

|                       | 2a01:4f8:150:7092::2 | 2a0a:e5c0::1                      | 2a0a:e5c0:2:1::7                                              |                                     |

|                       | 176.9.50.202         | 185.203.112.1                     | 185.203.114.1                                                 |                                     |

| *DNS auth KNOT*       | -                    | dns7.ungleich.ch                  | dns6.ungleich.ch                                              |                                     |

* Every place has 2 redundant caching nameservers.

* All zones have 3 authorative nameservers, located in 3 different places

* Important zones (like ungleich.ch) need to be resolvable, even if a place goes offline

** For this reason some authorative data needs to be on the caching name servers

** For this reason we stay with a bind9 based setup for the moment (might change in the future)

h2. Architecture

In total we are running 8 servers that are responsible for caching and authorative answers:

* Authorative

** 1x server in place4 (bind)

** 1x VRRP IP of routers in place5 (bind)

** 1x VRRP IP of routers in place6 (bind)

* Caching

** 2x server ip of router in place5 (bind)

** 2x server ip of router in place6 (bind)

h2. How to update the ungleich DNS servers

To update all servers, use:

<pre>

cdist config d{1..8}.ungleich.ch

</pre>

|    |                  | "virtual"        | Type | Note       |

| d1 | router1.place5   | dns2.ungleich.ch | bind | cache+auth |

| d2 | router2.place5   | dns2.ungleich.ch | bind | cache+auth |

| d3 | router1.place6   | dns3.ungleich.ch | bind | cache+auth |

| d4 | router2.place6   | dns3.ungleich.ch | bind | cache+auth |

| d5 | server1.place4   | dns1.ungleich.ch | bind | auth       |

| d6 | dns6.ungleich.ch | -                | knot | auth+synth |

| d7 | dns7.ungleich.ch | -                | knot | auth+synth |

| d8 | router1.place10  | -                | bind | cache+auth |

h2. How to use the authorative DNS servers in zone files

Add the following to your zone file:

<pre>

    ; server1.place4

    IN NS dns1.ungleich.ch.

    ; vrrp active router @ place5

    IN NS dns2.ungleich.ch.

    ; vrrp active router @ place6

    IN NS dns3.ungleich.ch.

</pre>

h2. DNS64 at datacenterlight/ipv6onlyhosting

"NAT64":https://en.wikipedia.org/wiki/NAT64 allows ipv6-only nodes to reach the v4 world, and requires DNS64 at ungleich.

h3. DNS64 resolvers

DNS64 is usually provided by BIND (d{1..7}.ungleich.ch) depending on the address/prefix emitting the request (see `type/__ungleich_dns_server` in dot-cdist). It can also be provided by the unbound servers of place6 (unbound{1,2}.place6.ungleich.ch), which unconditionally serve DNS64.

h3. Customer VMS

The production infrastructure for DCL/V6OnlyHosting runs at place6 and networks are assigned as follow:

* IPv6Only VMs are assigned to the `place6-ipv6-nat64` OpenNebula network.

* Dual-stack VM are assigned to the `place6-ipv4` and `place6-ipv6`

The `place6-ipv6-nat64` networks *provides NAT64* but the `place6-ipv6` *does not*: we do not want ipv4-capable VMs to be NAT'ed behind NAT64. Due to *legacy reasons*, some ipv6only VMs are in `place6-ipv6` but have NAT64 due to hardcoded per-ip configuration our bind DNS server (see `type/__ungleich_dns_server` type in dot-cdist).

h4. place6-ipv6-with-ip-spoofing

This OpenNebula network is used to routes v6 prefixes (/64, /56, /48) to customer VMs and is shared by Ipv6-Only and Dual-Stack VMs: NAT64 is *disabled* on this network. IPv6-Only customers on this network *MUST* use unbound1.place6.ungleich.ch and unbound2.place6.ungleich.ch as name server. Their `/etc/resolve.conf` file should look like:

<pre>

nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c451

nameserver 2a0a:e5c0:2:12:0:f0ff:fea9:c45d

</pre>

h3. DNS64 in Ungleich IPv6 VPN

Using ungleich's DNS64 resolvers also allows to route all traffic via the ungleich VPN when enabled. You'll find more details on the [[Ungleich IPv6 wireguard VPN]] page.

h2. Monitoring

The unbound DNS64 resolvers are monitored by our prometheus blackbox exporter (see `type/__dcl_monitoring_server` in dot-cdist).