

Anycast DNS Architecture

The anycast DNS architecture is composed of a main master server serving GLaNET DNS zones to slave servers (designated as ‘core servers’). End-users connect to the closest of these core servers to access the service.

The communication channel between the main master and the core servers uses the servers' real IP addresses.

A core server advertises one or several of the following prefixes over BGP:

Usage Prefix
Anycast DNS IPv4 192.168.248.53/32
Anycast DNS IPv6 fd00:6b64:f3b0:53::/64
Anycast recursive DNS IPv4 192.168.248.153/32
Anycast recursive DNS IPv6 fd00:6b64:f3b0:153::/64
You must not advertise any GLaNET DNS anycast prefixes whilst your DNS server is not operating properly. It is your responsibility to implement any solution deemed necessary to ensure this requirement.
  • Core servers MUST be declared in acl "glanet_anycast_core".
  • Core servers MUST allow zone transfer to any host querying the anycast DNS address.
  • Core servers MUST NOT allow zone transfer to a host querying the server's real IP address.
  • Core recursive servers MUST allow recursion to any host querying the anycast recursive DNS address.
  • Core recursive servers MUST allow recursion to any host defined in acl "glanet_mon".
  • Core recursive servers MAY allow recursion to any other explicitly white listed host or network, at the administrator's discretion.
  • Core recursive servers MUST deny recursion to any other host.
  • If you want to participate and provide a core DNS server, please contact us.

List of anycast DNS servers

Host IPv4 IPv6 Recursive ASN
ns1.ois.tf 212.83.149.187 2001:bc8:3283:2000::15 Yes 64542
ns2.ois.tf 91.121.34.61 2001:470:1f15:872::1 Yes 64542

BIND9 configuration examples

Common options

named.options
# Master servers the GLaNET zones are transferred from (the IPv4/IPv6 addresses
# of ns1.ois.tf in the server list above). This master/slave channel uses the
# servers' real IP addresses, not the anycast addresses.
masters "glanet" {
  212.83.149.187;
  2001:bc8:3283:2000::15;
};
 
options {
  directory "/var/cache/bind";
 
  auth-nxdomain no;    # conform to RFC1035
 
  # Listen on loopback, on the server's real address (replace the placeholder)
  # and on both IPv4 anycast service addresses: .53 (authoritative) and
  # .153 (recursive). The anycast addresses are only useful once the BGP
  # router advertises them.
  listen-on {
    127.0.0.1;
    <SERVER REAL IP>;
    192.168.248.53;
    192.168.248.153;
  };
 
  listen-on-v6 { any; };
 
  # NOTIFY and zone-transfer traffic towards the master must be sourced from
  # the real address, never from an anycast address (the anycast prefix may be
  # served by another core server at any time).
  notify-source <SERVER REAL IP>;
  transfer-source <SERVER REAL IP>;
  notify-source-v6 <SERVER REAL IPv6>;
  transfer-source-v6 <SERVER REAL IPv6>;
 
  # Do not disclose the BIND version to version.bind CHAOS queries.
  version "0";
 
  notify yes;
  # Safe global defaults: every view is non-recursive and refuses AXFR unless
  # it explicitly overrides these two statements (the "glanet" view re-enables
  # transfers, the recursor views re-enable recursion).
  recursion no;
 
  # NOTE(review): when a view enables recursion without its own allow-recursion,
  # BIND falls back to allow-query-cache, so this "any" is also the effective
  # allow-recursion of such views — confirm this is the intent (it is what the
  # "MUST allow recursion to any host querying the anycast recursive DNS
  # address" rule above requires).
  allow-query-cache { any; };
  allow-transfer { none; };
};

Core GLaNET domain name-server (without recursion)

When adding a master server, don't forget that your DNS server must listen on 192.168.248.53 and/or fd00:6b64:f3b0:53::1, that your BGP router must advertise it and your firewall must not block it.
named.conf
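# The include path must be a quoted string (named rejects a bare word with
# "expected quoted string"); the path is given absolute, as the other include
# on this page, so it does not depend on named's working directory.
include "/etc/bind/named.options";
 
# Authoritative anycast view. It is selected by the *destination* address,
# i.e. only for queries that arrived on the anycast DNS address, so the
# allow-transfer { any; } below never applies to the server's real address
# (the global default in named.options is allow-transfer { none; }).
view "glanet" {
  match-destinations { 192.168.248.53; fd00:6b64:f3b0:53::1; };
  allow-transfer { any; };
 
  # GLaNET address space PTR
  zone "168.192.in-addr.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.192.168";
  };
 
  # GLaNET IPv6 services address space PTR
  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.fd00:6b64:f3b0";
  };
};
 
# Catch-all view for queries that reach the server's real IP address. It
# inherits recursion no and allow-transfer { none; } from named.options, so
# no recursion and no AXFR is possible through the real address.
view "default" {
  # Each view holds its own copy of a slave zone and must write to its own
  # file: named-checkconf/named reject two zones that write to the same file
  # ("writeable file '...': already in use"). The file names below are
  # therefore suffixed with the view name (constructed naming scheme; any
  # distinct path works). On BIND 9.10 or later, in-view "glanet" could share
  # the zone with the view above instead of transferring it twice.
 
  # GLaNET address space PTR
  zone "168.192.in-addr.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.192.168.default";
  };
 
  # GLaNET IPv6 services address space PTR
  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.fd00:6b64:f3b0.default";
  };
 
  # Your own zones follow
  # ...
};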

Core GLaNET domain name-server (with recursion)

An anycast recursive DNS server must resolve GLaNET internal zones (either locally or by forwarding the request to the anycast DNS service).
named.conf
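# The include path must be a quoted string (named rejects a bare word with
# "expected quoted string"); the path is given absolute, as the named.dummy
# include below, so it does not depend on named's working directory.
include "/etc/bind/named.options";
 
# Public recursor view: selected by the *destination* address, i.e. only for
# recursive queries that arrived on the anycast recursive DNS address. Views
# are tried in order, so this one must stay ahead of "glanet"/"default".
view "glanet_recursor" {
  match-destinations { 192.168.248.153; fd00:6b64:f3b0:153::1; };
  match-recursive-only yes;
  recursion yes;
  # Spelled out rather than inherited through allow-query-cache { any; } in
  # named.options: recursion is open to every client of this view on purpose
  # (the view is already limited to the anycast recursive address).
  allow-recursion { any; };
  include "/etc/bind/named.dummy";
  # Slave zone files must be unique per view (named rejects two zones writing
  # the same file: "writeable file '...': already in use"); the view-name
  # suffix is a constructed naming scheme, any distinct path works.
  zone "168.192.in-addr.arpa" { type slave; masters { glanet; }; file "/etc/bind/zones-slave/db.192.168.recursor"; };
  # Local dummy zone for the whole fd00::/8 reverse tree, delegating only the
  # GLaNET /48 (see db.fd); a master file is read-only and may be shared.
  zone "d.f.ip6.arpa"         { type master; file "/etc/bind/zones-dummy/db.fd"; };
};
 
# Recursion for explicitly listed clients that query the server's real
# address. NOTE(review): these two hosts presumably are the "glanet_mon"
# acl members required above — confirm, and prefer match-clients
# { glanet_mon; } once that acl is defined in your configuration.
view "glanet_recursor_sup" {
  match-clients { 192.168.42.5/32; 2001:bc8:3283:2000::5/128; };
  match-recursive-only yes;
  recursion yes;
  include "/etc/bind/named.dummy";
  zone "168.192.in-addr.arpa" { type slave; masters { glanet; }; file "/etc/bind/zones-slave/db.192.168.recursor_sup"; };
  zone "d.f.ip6.arpa"         { type master; file "/etc/bind/zones-dummy/db.fd"; };
};
 
# Authoritative anycast view, selected by destination address. The
# allow-transfer { any; } therefore only applies to queries that reached the
# anycast DNS address; the global default is allow-transfer { none; }.
view "glanet" {
  match-destinations { 192.168.248.53; fd00:6b64:f3b0:53::1; };
  allow-transfer { any; };
 
  # GLaNET address space PTR
  zone "168.192.in-addr.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.192.168";
  };
 
  # GLaNET IPv6 services address space PTR
  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.fd00:6b64:f3b0";
  };
};
 
# Catch-all view for everything else (queries to the real IP address from
# non-listed clients). It inherits recursion no and allow-transfer { none; }
# from named.options, so recursion is denied and no AXFR is possible here.
view "default" {
  # GLaNET address space PTR
  zone "168.192.in-addr.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.192.168.default";
  };
 
  # GLaNET IPv6 services address space PTR
  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa" {
    type slave;
    masters { glanet; };
    file "/etc/bind/zones-slave/db.fd00:6b64:f3b0.default";
  };
 
  # Your own zones follow
  # ...
};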
db.fd
; Dummy master zone for "d.f.ip6.arpa" (the whole fd00::/8 ULA reverse tree),
; loaded by the recursor views of named.conf. Everything under it answers
; locally (NXDOMAIN) except the single delegation at the bottom, so
; NOTE(review): this presumably keeps ULA PTR lookups from leaking to the
; global DNS — confirm against your named.dummy.
$TTL	604800
; Placeholder SOA/NS: the zone has no real authority, localhost. is only used
; to satisfy the zone-file format. Bump the serial if the file is edited.
@	IN	SOA	localhost. root.localhost. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	localhost.
 
; Delegate the GLaNET /48 reverse tree (0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa,
; relative to this zone's origin) to the anycast DNS service, so those PTR
; queries are forwarded there rather than answered by this dummy zone.
0.b.3.f.4.6.b.6.0.0 IN NS anycast-dns.glanet.org.