How to make redundant multihomed anycast IPv4/IPv6 DNS cloud using djbdns/dbndns and tinydns on Debian

At firs you need N+1 servers which will be parts of the cloud. On each server you need at least 2 NICs which will be connected to two different routers.

//You also need a IP range for anycast purpose, the best is to use /23 so you have enough IP space and no problem with BGP filtering across multiple Internet exchange peerings or you can use smaller if you know how to setup it.

From the range you need IP for the DNS service. Two for DNS recursor and two for DNS cache. For each server you need also 3 unique IPs from this range. 2 for each NIC of two NICs and one for identify loopback. .

For example for 4 server you need together (4×3)+4=16 IPs. It is also possible to use anycast range only for loopback and NIC interfaces will have IP from another range depending on the location, but the configuration will be more complicated when adding another server to cloud.  So it is better to use only one range.

This article is using the imaginary example IP range 8.8.8.0/24 which is google using for there anycast servers.

On each server you need to install:

  • quagga routing software (or any other routing daemon)
  • djbdns/dbndns and tinydns (or any other DNS daemon)
  • iptables with DNAT support

# apt-get install quagga dbndns dnscache-run iptables

In our example we use 8.8.8.0/24 as the anycast range in which all IPs are used. We have two Cisco 7600 routers which are on two geological different sites.

Cisco 7600 crs-01 configuration needed for the anycast configuration:

interface GigabitEthernet1/9
description ### ENI_R | ANTI_IT_0030 | xxx | eth1-dns21 ###
ip address 8.8.8.129 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0968415C
ip ospf network point-to-point
ip ospf hello-interval 1

ip ospf dead-interval 5

load-interval 30
ipv6 address 2A02:131:8888:FE01::1/64
ipv6 enable
ipv6 nd ra suppress
no ipv6 pim
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 5
ipv6 ospf database-filter all out
ipv6 ospf 16 area 8
no cdp enable
end
interface GigabitEthernet1/10
description ### ENI_R | ANTI_IT_0031 | xxx | eth1-dns22 ###
ip address 8.8.8.133 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0968415C
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf dead-interval 5
load-interval 30
ipv6 address 2A02:131:8888:FE02::1/64
ipv6 enable
ipv6 nd ra suppress
no ipv6 pim
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 5
ipv6 ospf database-filter all out
ipv6 ospf 16 area 8
no cdp enable
end
interface GigabitEthernet1/11
description ### ENI_R | ANTI_IT_0032 | xxx | eth1-dns11 ###
ip address 8.8.8.137 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0968415C
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf dead-interval 5
load-interval 30
ipv6 address 2A02:131:8888:FE03::1/64
ipv6 enable
ipv6 nd ra suppress
no ipv6 pim
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 5
ipv6 ospf database-filter all out
ipv6 ospf 16 area 8
no cdp enable
end

interface GigabitEthernet1/12
description ### ENI_R | ANTI_IT_0033 | xxx | eth1-dns12 ###
ip address 8.8.8.141 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0968415C
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf dead-interval 5
load-interval 30
ipv6 address 2A02:131:8888:FE04::1/64
ipv6 enable
ipv6 nd ra suppress
no ipv6 pim
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 5
ipv6 ospf database-filter all out
ipv6 ospf 16 area 8
no cdp enable
endrouter ospf 10
router-id 1.2.3.4
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 100000
area 8 authentication message-digest
area 8 stub no-summary
timers throttle spf 10 100 5000
timers throttle lsa 10 100 5000
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface GigabitEthernet1/9
no passive-interface GigabitEthernet1/10
no passive-interface GigabitEthernet1/11
no passive-interface GigabitEthernet1/12
network 8.8.8.129 0.0.0.0 area 8
network 8.8.8.133 0.0.0.0 area 8
network 8.8.8.137 0.0.0.0 area 8
network 8.8.8.141 0.0.0.0 area 8
distribute-list prefix OSPF_DENY out
bfd all-interfaces
!

ip prefix-list OSPF_DENY seq 10 permit 0.0.0.0/0 le 32

ipv6 router ospf 16
router-id 8.8.8.1
log-adjacency-changes detail
auto-cost reference-bandwidth 100000
passive-interface default
no passive-interface GigabitEthernet1/9
no passive-interface GigabitEthernet1/10
no passive-interface GigabitEthernet1/11
no passive-interface GigabitEthernet1/12

For the crs-02 router the configuration is almost the same but the ip addresses of interfaces are changed according to the server configuration.

Configuration needed on server dns21:

cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 8.8.8.194
netmask 255.255.255.252

iface eth0 inet6 static

address 2a02:131:8888:fd01::194
netmask 64
gateway 2a02:131:8888:fd01::1

auto eth1
iface eth1 inet static
address 8.8.8.130
netmask 255.255.255.252

iface eth1 inet6 static
address 2a02:131:8888:fe01::130
netmask 64
gateway 2a02:131:8888:fe01::1

auto lo:7
iface lo:7 inet static
address 8.8.8.7
netmask 255.255.255.255
up ip -6 addr add 2a02:131:1:8888::7/128 dev lo:7

auto lo:77
iface lo:77 inet static
address 8.8.8.77
netmask 255.255.255.255
up ip -6 addr add 2a02:131:1:8888::77/128 dev lo:77

auto lo:8
iface lo:8 inet static
address 8.8.8.8
netmask 255.255.255.255
up ip -6 addr add 2a02:131:1:8888::8/128 dev lo:8

auto lo:88
iface lo:88 inet static
address 8.8.8.88
netmask 255.255.255.255
up ip -6 addr add 2a02:131:1:8888::88/128 dev lo:88

auto lo:100
iface lo:100 inet static
address 8.8.8.21
netmask 255.255.255.255
up ip -6 addr add 2a02:131:1:8888::21/128 dev lo:100

dns-cache21:~# iptables-save

# Generated by iptables-save v1.4.2 on Fri Jun 25 11:10:33 2010

*filter

:INPUT ACCEPT [685482823:68925443107]

:FORWARD ACCEPT [22:1681]

:OUTPUT ACCEPT [734294686:70957724473]

COMMIT

# Completed on Fri Jun 25 11:10:33 2010

# Generated by iptables-save v1.4.2 on Fri Jun 25 11:10:33 2010

*nat

:PREROUTING ACCEPT [24359827:1724945664]

:POSTROUTING ACCEPT [294052022:18879912475]

:OUTPUT ACCEPT [294052012:18879911514]

-A PREROUTING -d 8.8.8.8/32 -i eth1 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.130:53

-A PREROUTING -d 8.8.8.8/32 -i eth1 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.130:53

-A PREROUTING -d 8.8.8.8/32 -i eth0 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.194:53

-A PREROUTING -d 8.8.8.8/32 -i eth0 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.194:53

-A PREROUTING -d 8.8.8.88/32 -i eth1 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.130:53

-A PREROUTING -d 8.8.8.88/32 -i eth1 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.130:53

-A PREROUTING -d 8.8.8.88/32 -i eth0 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.194:53

-A PREROUTING -d 8.8.8.88/32 -i eth0 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.194:53

COMMIT

The DNAT si needed for translating anycast request from cleint to defined recursor based on source interface  and destination IP, because djbdns can`t listen on one IP addres and make recursive request from another IP. If you will use BIND for recursor  you can do it without this iptables trick and only with one DNS server insteat of two.

On each server are running two IPv4 dns recursor dnscache.
dns-cache21:/etc/sv# cat dnscache/env/IP dnscache/env/IPSEND dnscache/env/ROOT dnscache/env/CACHESIZE dnscache2/env/IP dnscache2/env/IPSEND dnscache2/env/ROOT dnscache2/env/CACHESIZE
8.8.8.194
8.8.8.194
/etc/sv/dnscache/root
1572864000
8.8.8.130
8.8.8.130
/etc/sv/dnscache2/root
1572864000

cat tinydns/env/IP tinydns/env/ROOT tinydns2/env/IP tinydns2/env/ROOT tinydns-ipv6/env/IP tinydns-ipv6/env/ROOT tinydns2-ipv6/env/IP tinydns2-ipv6/env/ROOT
::ffff:8.8.8.7
/etc/sv/tinydns/root
::ffff:8.8.8.77
/etc/sv/tinydns/root
2a02:131:1:8888::7
/etc/sv/tinydns/root
2a02:131:1:8888::77
/etc/sv/tinydns/root

As you can see, we have 4 authoritative DNS server 2xIPv4 and 2xIPv6 but shared ROOT enviroment for easier management. There is no need for iptables, because authoritative DNS uses only one IP address which is the loopback IP address.

The quagga configuration on server looks like this:

dns-cache21:~# cat /etc/quagga/ospfd.conf
hostname ospfd
password secretpassword
log file /var/log/quagga/ospfd.log
service advanced-vty

nterface eth0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 Dn5
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf dead-interval 5
!
interface eth1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 Dn5
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf dead-interval 5
!
router ospf
router-id 8.8.8.194
network 8.8.8.7/32 area 8
network 8.8.8.77/32 area 8
network 8.8.8.8/32 area 8
network 8.8.8.88/32 area 8
network 8.8.8.21/32 area 8
network 8.8.8.194/30 area 8
network 8.8.8.130/30 area 8
area 8 stub
area 8 authentication message-digest
!
log stdout

dns-cache21:~# cat /etc/quagga/ospf6d.conf

hostname ospf6d@plant
password secretpass
log stdout
log file /var/log/quagga/ospf6d.log
service advanced-vty
!
debug ospf6 neighbor state
!
interface eth1
ipv6 ospf6 hello-interval 1
ipv6 ospf6 dead-interval 5
!
interface eth0
ipv6 ospf6 hello-interval 1
ipv6 ospf6 dead-interval 5

!
interface lo
!
router ospf6
router-id 8.8.8.21
interface eth1 area 0.0.0.8
interface eth0 area 0.0.0.8
interface lo area 0.0.0.8

After that you should have working full redundant multihomed anycast DNS cloud. As next you should make some statistics about how well is your cloud working and devolep some external decentralized monitoring tool for testing your services and act proactive according to that. The dnscache and tinydns are running using sv daemon, so that manage the restarting of service going down, but you have to monitor your configuration mistakes.

No Comments

How to set up a DHCP server to auto install new firmware image and config for Cisco (ME3400/ME2400/Catalyst Blade 3020/Catalyst 2960/Catalyst 3750/Catalyst ME3750) on boot

First of all, you need to have image 12.2(44) and newer to be able to upgrade a image, if you have older image, you are only able to install new configuration.

For ISC DHCP server you need also a configured TFTP server

There are some bugs on Cisco pages regarding option 125 and auto install feature .

Understanding option 125:

If you want to install new firmware image via dhcp you have to use dhcp option 125.

The DHCP option 125 (Vendor-Identifying Vendor-Specific) is used to tell the switch which firmware it have to download. The structure is defined in RFC 3925.

The data has to be send as raw hex string, the data contains for example:

Hex(0000.0009) -> Vendor specific code, for Cisco it is dec(0009)=hex(0000.0009)
Hex(12) -> data lenght,  Hex(12) = dec (18) (data length+  suboption code + string lenght)=(1+1+16)
Hex(05) -> suboption code, has to be 05
Hex(10) ->lenght of the string to be send(autoinstall_dhcp) 16 chars=>dec(16)

Hex(61:75:74:6f:69:6e:73:74:61:6c:6c:5f:64:68:63:70) = String(autoinstall_dhcp)

The final magic string looks like this:
00:00:00:09:12:05:10:61:75:74:6f:69:6e:73:74:61:6c:6c:5f:64:68:63:70

If you want different file name, you have to recalculate these numbers.

If you don`t want to install new firmware, don`t send option 125 or the autoinstall_dhcp file should be empty.

echo “me340x-metroipaccessk9-tar.122-46.SE.tar” > /tftproot/autoinstall_dhcp

This has to be a tar file, not .bin image!

echo “your config here” > /tftproot/me3400.init

For ISC DHCP:

dhcpd.conf:

authoritative;
# defining option code 125 as hex string to be sent.
option option-125 code 125 = string;
# some subnet
subnet 10.1.1.0 netmask 255.255.255.0 {
     # some range
     range 10.1.1.10 10.1.1.250;
     # domain server
     option domain-name-servers 1.2.3.4;
     # default router
     option routers 10.1.1.1;
     # TFTP server name (this is option code 150)
     option tftp-server-name "10.1.1.2";
     # defining TFTP and NTF server
     next-server 10.1.1.2;
     # defining boot file with startup configuration
     option bootfile-name "me3400.init";
     # sending option 125 with encoded filename autoinstall_dhcp which contains filename to be downloaded as new firmware
     send option-125 00:00:00:09:12:05:10:61:75:74:6f:69:6e:73:74:61:6c:6c:5f:64:68:63:70;
     # 5 min lease time
     default-lease-time 600;
     max-lease-time 600;
     }
}

For DHCP server on Cisco router/switch:

option code 150 is equivalent to option tftp-server-name in ISC dhcp server.

Switch# config terminal
Switch(config)# ip dhcp pool pool1
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# bootfile me3400.init
Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 10.10.10.1
Switch(dhcp-config)# option 125 hex 0000.0009.1205.1061.7574.6f69.6e73.7461.6c6c.5f64.6863.70
Switch(dhcp-config)# exit
Switch(config)# tftp-server flash:me3400.init
Switch(config)# tftp-server flash:me340x-metroipaccessk9-tar.122-46.SE.tar
Switch(config)# tftp-server flash:autoinstall_dhcp
Switch(config)# interface gigabitEthernet1/0/4
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# end

Example of boot:

The switch is booted with 12.2(44)  and then download 12.2(46) image and boot with new firmware, after that new config is downloaded and used as startup-config.

All by itself, don`t touch the keyboard. It looks like this:

Press RETURN to get started!

*Mar 1 00:00:26.801: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:00:28.068: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
*Mar 1 00:00:49.819: %SYS-5-RESTART: System restarted —
Cisco IOS Software, ME340x Software (ME340x-METROIPACCESSK9-M), Version 12.2(44)SE5, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 22-Jan-09 07:43 by gereddy
*Mar 1 00:00:51.195: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 1 00:00:52.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
*Mar 1 00:00:52.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Loading autoinstall_dhcp from 10.254.5.2 (via Vlan1): !
[OK – 41 bytes]

*Mar 1 00:01:06.060: AUTOINSTALL: Vlan1 is assigned 10.252.4.42
*Mar 1 00:01:06.060: AUTOINSTALL: Obtain tftp server name 10.254.5.2 resolved to 10.254.5.2
*Mar 1 00:01:06.060: AUTOINSTALL: Obtain default router (opt 3) 10.252.4.1
examining image…
extracting info (114 bytes)
extracting me340x-metroipaccessk9-mz.122-46.SE/info (421 bytes)
extracting info (114 bytes)

System Type: 0x00000000
Ios Image File Size: 0x009E4A00
Total Image File Size: 0x009E4A00
Minimum Dram required: 0x08000000
Image Suffix: metroipaccessk9-122-46.SE
Image Directory: me340x-metroipaccessk9-mz.122-46.SE
Image Name: me340x-metroipaccessk9-mz.122-46.SE.bin
Image Feature: IP|LAYER_3|PLUS|SSH|3DES|MIN_DRAM_MEG=128

Old image for switch 1: unknown

Extracting images from archive into flash…
me340x-metroipaccessk9-mz.122-46.SE/ (directory)
me340x-metroipaccessk9-mz.122-46.SE/html/ (directory)
extracting me340x-metroipaccessk9-mz.122-46.SE/html/foo.html (0 bytes)
extracting me340x-metroipaccessk9-mz.122-46.SE/me340x-metroipaccessk9-mz.122-46.SE.bin (10368733 bytes)
extracting me340x-metroipaccessk9-mz.122-46.SE/info (421 bytes)
extracting info (114 bytes)

Installing (renaming): `flash:update/me340x-metroipaccessk9-mz.122-46.SE’ ->
`flash:me340x-metroipaccessk9-mz.122-46.SE’
New software image installed in flash:me340x-metroipaccessk9-mz.122-46.SE

All software images installed.
Requested system reload in progress…
Loading me3400.init from 10.254.5.2 (via Vlan1): !
[OK – 30529 bytes]

*Mar 1 00:04:56.554: AUTOINSTALL: Obtain tftp server name 10.254.5.2 resolved to 10.254.5.2
*Mar 1 00:04:56.554: AUTOINSTALL: Obtain default router (opt 3) 10.252.4.1
000012: *Mar 1 01:04:57.627: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:04:57 UTC Mon Mar 1 1993 to 01:04:57 MET Mon Mar 1 1993, configured from console by console.
000013: *Mar 1 01:04:57.627: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:04:57 MET Mon Mar 1 1993 to 01:04:57 MET Mon Mar 1 1993, configured
Boot Sector Filesystem (bs) installed, fsid: 2
Base ethernet MAC Address: 00:23:ea:94:a5:00
Xmodem file system is available.
The password-recovery mechanism is enabled.

*** The system will autoboot in 5 seconds ***
Send break character to prevent autobooting.

Initializing Flash…
flashfs[0]: 8 files, 5 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 26132480
flashfs[0]: Bytes available: 6381568
flashfs[0]: flashfs fsck took 9 seconds.
…done Initializing Flash.
done.
Loading “flash:me340x-metroipaccessk9-mz.122-46.SE/me340x-metroipaccessk9-mz.122-46.SE.bin”…@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File “flash:me340x-metroipaccessk9-mz.122-46.SE/me340x-metroipaccessk9-mz.122-46.SE.bin” uncompressed and installed, entry point: 0x3000
executing…

, ,

1 Comment

ME 3400 queue setting

With default policy on ME 3400 switches, you can observe some problems with burst traffic coming from GigE interface. This is due to default queue-limit setting. Here is an example,how to increase it and use with triple play policy on customer’s port:

policy-map qosout
description OUTPUT POLICY-MAP
class VOIP
priority
class IPTV
bandwidth remaining percent 80
queue-limit 272
class JUNK
bandwidth remaining percent 10

policy-map shap
description OUTPUT SHAPING
class class-default
shape average 34000000
service-policy qosout

int fast 0/1
service output shap

No Comments