Speaker
Description
At Internet exchanges it is not uncommon to invite DNS operators to connect anycast nodes to the exchange. This is often done pro bono, i.e. the DNS provider receives free colocation, IP transit for the management of the server and IX connectivity from the IX operator. Asymmetric routing is also not uncommon at Internet exchanges: a DNS server hosted at the exchange may receive queries from IP addresses for which no return route is available over the exchange. In this situation the server falls back to its default route, which points to the management upstream. If that upstream link enforces BCP38 (source address validation), the response is usually dropped, because it carries the anycast service address as source address rather than the server's management address, and the anycast prefix is not among the prefixes the upstream expects from that link. Such drops are harmful: resolution slows down until the resolver times out and fails over to another authoritative server that does respond.
We have observed this problem on several of our RcodeZero DNS local nodes, and tests showed that other anycast DNS providers are affected as well. To address it, we identified three possible solutions:
- Ask the provider of the management link to add our anycast prefixes to the allow-list of its BCP38 filter (requires assistance from the upstream provider)
- Find a dedicated transit provider at the exchange (which would effectively turn the local node into a global node)
- Implement a tunnel workaround that is completely independent of any third party
After evaluation we decided to implement the tunnel workaround: responses that cannot be routed directly over the exchange are sent through a GRE tunnel to one of our global nodes. This adds latency but avoids packet loss and unanswered queries. It also works out of the box without any change to the upstream's BCP38 filtering, because the encapsulated packets leave the management link with the server's own management address as their outer source address. To keep the added latency low and to allow automatic rerouting during maintenance of a global node, the GRE endpoint itself is anycasted across our global nodes.
In my talk I describe the terms "DNS local node" and asymmetric routing. I present our tunnel-based solution and how we use Linux source-based (policy) routing to separate the routing of management traffic from that of DNS traffic. The presentation requires basic knowledge of Internet routing and BCP38.
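The following script is an added example that illustrates the two points above (the GRE tunnel towards an anycasted endpoint, and source-based routing that keeps management and DNS traffic on separate paths); it is not RcodeZero's own configuration. All addresses are constructed from RFC 5737 documentation space plus 100.64.0.0/10 as a stand-in for a peer's prefix, and the interface names, table number and the anycasted GRE endpoint address are assumptions. Without `APPLY=1` it only prints the iproute2 and sysctl commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not the talk's configuration. Policy routing on a local
# node: traffic sourced from the anycast prefix uses its own table whose
# default route is a GRE tunnel to the global nodes; management traffic
# keeps the main table and its default via the management upstream.
# Addresses are constructed (RFC 5737 / 100.64.0.0/10); names are assumptions.

MGMT_IF=eth0
MGMT_ADDR=198.51.100.10        # management address, the source the upstream's BCP38 filter accepts
MGMT_GW=198.51.100.1           # management upstream, default route of the main table
IX_IF=eth1                     # interface on the IX peering LAN (203.0.113.0/24, constructed)
ANYCAST_PREFIX=192.0.2.0/24    # anycast service prefix announced at the IX
GRE_REMOTE=198.51.100.250      # anycasted GRE endpoint of the global nodes (assumption)
GRE_IF=gre1
DNS_TABLE=100                  # dedicated routing table for anycast-sourced traffic
PEER_PREFIX=100.64.0.0/24      # stand-in for a prefix learned from an IX peer (constructed)
PEER_NEXTHOP=203.0.113.20      # that peer's address on the IX LAN (constructed)

# Execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

dns_routing_commands() {
    # 1. GRE tunnel towards the global nodes. The outer packets are sourced
    #    from MGMT_ADDR and routed by the main table, so the upstream's
    #    BCP38 filter sees ordinary management traffic.
    run ip tunnel add "$GRE_IF" mode gre local "$MGMT_ADDR" remote "$GRE_REMOTE" ttl 64
    run ip link set "$GRE_IF" mtu 1476 up   # 1500 minus 24 bytes of outer IP + GRE header

    # 2. Table for traffic sourced from the anycast prefix: prefixes learned
    #    at the IX go out directly, everything else (the asymmetric cases)
    #    goes through the tunnel and never via MGMT_GW.
    run ip route add "$PEER_PREFIX" via "$PEER_NEXTHOP" dev "$IX_IF" table "$DNS_TABLE"
    run ip route add default dev "$GRE_IF" table "$DNS_TABLE"

    # 3. The source address selects the table. Management traffic does not
    #    match and keeps using the main table's default via MGMT_GW.
    run ip rule add from "$ANYCAST_PREFIX" lookup "$DNS_TABLE" priority 1000

    # 4. Queries arrive on the IX from sources the main table does not route
    #    back via the IX; strict reverse-path filtering would drop them,
    #    so use loose mode on the IX interface.
    run sysctl -w "net.ipv4.conf.${IX_IF}.rp_filter=2"
}

dns_routing_commands
```

On a live node, `ip route get 100.64.0.5 from 192.0.2.53` should report `gre1` for a destination that was not learned at the IX, while `ip route get 100.64.0.5 from 198.51.100.10` should still show the management gateway. Two caveats a deployment needs beyond this script: the DNS daemon must answer from the anycast address the query arrived on (not the primary address of the outgoing interface), and the IX-learned routes, which here are a single static entry, have to be installed into table 100 by whatever BGP daemon the node runs, otherwise every response takes the tunnel.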
| Talk duration | 20 Minutes (+5 for Q&A) |
|---|---|