Preferred Anycast Paths for DNS with Quagga BGP

anycastbgpdnsquagga

Background and goal

Am setting up high availability DNS servers based on Unbound. Both DNS servers has in reality twelve BGP sessions against different routers but to make this easier only one router is showed below.

Both DNS servers are configured with the same two addresses on localhost (10.100.0.1, 10.100.0.2) and they both advertise these addresses with BGP. Problem is that if the DNS server that is preferred by other routers hangs, there is a timeout before BGP switches over to the second DNS server for both addresses. My goal is to have each DNS server have a primary responsibility for one of these two addresses so DNS clients do not have to wait for BGP timeout but instead handle failover as they know best. I do not want to add configurations to other routers, only on the DNS servers.

                    +------------+
                    |            |
                +---+  Router 1  +---+
                |   |            |   |
                |   +------------+   |
                |                    |
          +-----+----+          +----+-----+
          |          |          |          |
          |  DNS 1   |          |  DNS 2   |
          |          |          |          |
          +----------+          +----------+

(primary) 10.100.0.1          10.100.0.1
          10.100.0.2          10.100.0.2 (primary)

Problem and question

In the configuration below, how can I make DNS 1 announce 10.100.0.1 with a higher local preference so other routers choose this server instead of DNS 2 that is also announcing this IP but with lower priority?

router bgp 65002
    bgp router-id 10.0.0.1
    bgp confederation identifier 42xxx
    bgp confederation peers 65001 65002

    network 10.100.0.1/32
    network 10.100.0.2/32

    neighbor 10.0.0.10 remote-as 65001
    neighbor 10.0.0.10 route-map only-local-ASes out
!
ip as-path access-list only-local-ASes permit ^$
!
route-map only-local-ASes permit 10
match as-path only-local-ASes

Should I create a route-map that adds local preference 200 for only matched prefix 10.100.0.1? Problem am having is that this makes the router only announce 10.100.0.1 prefix and not both (also 10.100.0.2) at the same time with different preference.

Software

Linux kernel 4.4.0
Ubuntu 16.04 server
Quagga 0.99.24.1

Best Answer

What you have described is not the way anycast works. For anycast, you have all the DNS servers configured with the same address (usually on the loopback interface), they then participate in the routing protocols and advertise that address from each DNS server. Then the router hears the advertisement from each running server (and, of course, not from any dead ones providing robustness) and is configured to do round-robin on equal cost routes. Since DNS uses UDP (at least preferably) and is idempotent, this spreading out of the requests (and ultimately the load) does not impact the service.

As an additional fine tuning, you should have rules in the router for DNS over TCP where all packets in a connection need to go to the same server. There are a number of ways to achieve this, one I have seen used is to have another server with that common address configured, but which does not advertise it into the routing and you send all TCP to that one (so it ends up getting all AXFR requests, for example).

Much more elaborate setups are also possible. I've done some fairly complex ones...

Related Solutions

Bgp – Active / Active BGP with Default routes

Absent any non-standard configuration, it is how you say. For outbound traffic, which uplink is used depends on which router the traffic hits. For inbound traffic, it should work the same way but that depends largely on your upstream's configuration. Full routes are really only required if you intend to peer with another upstream.

BGP – Local Pref vs Prepend AS-Path for Two eBGP Routers

Most of your confusion seems to be related to your other duplicate question, which is the same as 3. above...:

prepend AS path usually running with route-map out to adjust outbound traffic from router which contain this option

I'm sorry, but you are mistaken; prepending your ASN out adjusts traffic inbound to your ASN.

Does prepend work with route-map in at all to adjust inbound traffic?

Yes, it does, but prepending inbound bgp routes influences outbound traffic flow from your BGP router. This is an example prepend in BGP policy to prepend 5 more of the last-as in the received AS path for an eBGP neighbor...

!
route-map FOO_in permit 10
 set as-path prepend last-as 5
!

Let's clarify some things...

neighbor x.x.x.x route-map FOO_out out adjusts traffic inbound to your ASN.
neighbor x.x.x.x route-map FOO_in in adjusts traffic outbound from your ASN; use local-preference or some other criteria to influence your outbound traffic.

Example configuration:

ip prefix-list MATCH_ALL permit 0.0.0.0/0
!
route-map AS100_out
 match ip address prefix-list MATCH_ALL
 ! --> Prepend so other ASN don't prefer this path
 !     NOTE: don't do this... 20 prepends is absurd in the real world.
 !          Five or ten ASN prepends should be sufficient
 set ip as-path prepend 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 65001 
!
route-map AS100_in
 match ip address prefix-list MATCH_ALL
 ! --> Set local-pref lower than 100, so we don't prefer this peer
 set local-preference 50
!
router bgp 777
 ! insert other "normal" bgp configuration here, network statement, etc..
 !
 neighbor 192.0.2.2 remote-as 100
 ! --> AS100_out adjusts *inbound* traffic
 neighbor 192.0.2.2 route-map AS100_out out
 ! --> AS100_in adjusts *outbound* traffic
 neighbor 192.0.2.2 route-map AS100_in in

NOTE: Prepending is deceptive; it might seem like nobody should select a path if you have prepended a lot of ASNs to your announcements, but even if you did that's no guarantee that downstream routers won't send traffic to you over that prepended path. The reality is that internet routing is still a per-hop / per-ASN decision, and you're still somewhat at the mercy of others. See below for an example.

Problems with AS-prepend traffic engineering

Strictly speaking, you loose complete control of inbound routing paths when you announce your prefix to multiple providers because there are independent routing decisions made downstream for return traffic to you. Furthermore, your announcements could even be modified by downstream providers after you send them.

Example

This is one example of what can happen. Continuing with the example configuration shown above...

Suppose you have AS 777; you got a portable address block (2.2.0.0/22) from AS 100.
You are dual homed to both AS 100 and AS 200
You have services that a company with Router A needs to access.
Assume that AS 100 doesn't have a good link to you (maybe it's intermittently corrupting traffic due to physical-layer problems you haven't been able to fix). So you think to yourself, "I'll just prepend all my announcements to AS100 with a large number of ASNs so nobody will prefer the AS100 link until I can fix this".

bgp asymmetric

The problem is that you only have complete control of your outbound routing decisions. You don't get complete control inbound... so let's suppose Router A's administrator doesn't know your link to AS100 is bad. They are dual-homed to AS200 and AS100, but AS100 offers much cheaper transit, per-Mbps; therefore Router A's engineer takes full routes from AS100 and only uses AS200 as a backup (taking only a default from them).

AS 100's engineering team decides to set a high local-pref for 2.2.2.0/22 announcements from you. As such , the combination of full routes at router A and AS 100’s local pref means that you’ve lost control for ingress traffic through AS 100 to AS 777.

To summarize, As the admin of AS 777, you can force AS 777’s egress traffic to Router A through AS 200, but traffic from Router A to 2.2.0.0/22 would still take AS 100 (because the best route is through AS 100, at Router A).