# apt-get install quagga dbndns dnscache-run iptables<\/p>\n
In our example we use 8.8.8.0\/24 as the anycast range in which all IPs are used. We have two Cisco 7600 routers which are on two geological different sites.<\/p>\n
<\/a> Cisco 7600 crs-01 configuration needed for the anycast configuration:<\/p>\n interface GigabitEthernet1\/9 ip ospf dead-interval 5<\/p>\n load-interval 30 interface GigabitEthernet1\/12 ip prefix-list OSPF_DENY seq 10 permit 0.0.0.0\/0 le 32<\/p>\n ipv6 router ospf 16 For the crs-02 router the configuration is almost the same but the ip addresses of interfaces are changed according to the server configuration.<\/p>\n Configuration needed on server dns21:<\/p>\n cat \/etc\/network\/interfaces # The loopback network interface # The primary network interface iface eth0 inet6 static<\/p>\n address 2a02:131:8888:fd01::194 auto eth1 iface eth1 inet6 static auto lo:7 auto lo:77 auto lo:8 auto lo:88 auto lo:100 dns-cache21:~# iptables-save<\/p>\n # Generated by iptables-save v1.4.2 on Fri Jun 25 11:10:33 2010<\/p>\n *filter<\/p>\n :INPUT ACCEPT [685482823:68925443107]<\/p>\n :FORWARD ACCEPT [22:1681]<\/p>\n :OUTPUT ACCEPT [734294686:70957724473]<\/p>\n COMMIT<\/p>\n # Completed on Fri Jun 25 11:10:33 2010<\/p>\n # Generated by iptables-save v1.4.2 on Fri Jun 25 11:10:33 2010<\/p>\n *nat<\/p>\n :PREROUTING ACCEPT [24359827:1724945664]<\/p>\n :POSTROUTING ACCEPT [294052022:18879912475]<\/p>\n :OUTPUT ACCEPT [294052012:18879911514]<\/p>\n -A PREROUTING -d 8.8.8.8\/32 -i eth1 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.130:53<\/p>\n -A PREROUTING -d 8.8.8.8\/32 -i eth1 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.130:53<\/p>\n -A PREROUTING -d 8.8.8.8\/32 -i eth0 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.194:53<\/p>\n -A PREROUTING -d 8.8.8.8\/32 -i eth0 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.194:53<\/p>\n -A PREROUTING -d 8.8.8.88\/32 -i eth1 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.130:53<\/p>\n -A PREROUTING -d 8.8.8.88\/32 -i eth1 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.130:53<\/p>\n -A PREROUTING -d 8.8.8.88\/32 -i eth0 -p tcp -m tcp –dport 53 -j DNAT –to-destination 88.212.8.194:53<\/p>\n -A PREROUTING -d 8.8.8.88\/32 -i eth0 -p udp -m udp –dport 53 -j DNAT –to-destination 88.212.8.194:53<\/p>\n COMMIT<\/p>\n The DNAT si needed for translating anycast request from cleint to defined recursor based on source interface\u00a0 and destination IP, because djbdns can`t listen on one IP addres and make recursive request from another IP. If you will use BIND for recursor\u00a0 you can do it without this iptables trick and only with one DNS server insteat of two.<\/p>\n On each server are running two IPv4 dns recursor dnscache. cat tinydns\/env\/IP tinydns\/env\/ROOT tinydns2\/env\/IP tinydns2\/env\/ROOT tinydns-ipv6\/env\/IP tinydns-ipv6\/env\/ROOT tinydns2-ipv6\/env\/IP tinydns2-ipv6\/env\/ROOT As you can see, we have 4 authoritative DNS server 2xIPv4 and 2xIPv6 but shared ROOT enviroment for easier management. There is no need for iptables, because authoritative DNS uses only one IP address which is the loopback IP address.<\/p>\n The quagga configuration on server looks like this:<\/p>\n dns-cache21:~# cat \/etc\/quagga\/ospfd.conf nterface eth0 dns-cache21:~# cat \/etc\/quagga\/ospf6d.conf<\/p>\n hostname ospf6d@plant ! After that you should have working full redundant multihomed anycast DNS cloud. As next you should make some statistics about how well is your cloud working and devolep some external decentralized monitoring tool for testing your services and act proactive according to that. The dnscache and tinydns are running using sv daemon, so that manage the restarting of service going down, but you have to monitor your configuration mistakes.<\/p>\n","protected":false},"excerpt":{"rendered":" At firs you need N+1 servers which will be parts of the cloud. On each server you need at least 2 NICs which will be connected to two different routers. \/\/You also need a IP range for anycast purpose, the best is to use \/23 so you have enough IP space and no problem with […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,3],"tags":[],"_links":{"self":[{"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=\/wp\/v2\/posts\/35"}],"collection":[{"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=35"}],"version-history":[{"count":44,"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions"}],"predecessor-version":[{"id":52,"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions\/52"}],"wp:attachment":[{"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/itblog.antik.sk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/itblog.antik.sk\/wp-content\/anycast5-itblog2.png\" "\\"anycast5-itblog\\"")
<\/a><\/p>\n
\ndescription ### ENI_R | ANTI_IT_0030 | xxx | eth1-dns21 ###
\nip address 8.8.8.129 255.255.255.252
\nno ip redirects
\nno ip unreachables
\nno ip proxy-arp
\nip ospf authentication message-digest
\nip ospf message-digest-key 1 md5 7 0968415C
\nip ospf network point-to-point
\nip ospf hello-interval 1<\/p>\n
\nipv6 address 2A02:131:8888:FE01::1\/64
\nipv6 enable
\nipv6 nd ra suppress
\nno ipv6 pim
\nipv6 ospf hello-interval 1
\nipv6 ospf dead-interval 5
\nipv6 ospf database-filter all out
\nipv6 ospf 16 area 8
\nno cdp enable
\nend
\ninterface GigabitEthernet1\/10
\ndescription ### ENI_R | ANTI_IT_0031 | xxx | eth1-dns22 ###
\nip address 8.8.8.133 255.255.255.252
\nno ip redirects
\nno ip unreachables
\nno ip proxy-arp
\nip ospf authentication message-digest
\nip ospf message-digest-key 1 md5 7 0968415C
\nip ospf network point-to-point
\nip ospf hello-interval 1
\nip ospf dead-interval 5
\nload-interval 30
\nipv6 address 2A02:131:8888:FE02::1\/64
\nipv6 enable
\nipv6 nd ra suppress
\nno ipv6 pim
\nipv6 ospf hello-interval 1
\nipv6 ospf dead-interval 5
\nipv6 ospf database-filter all out
\nipv6 ospf 16 area 8
\nno cdp enable
\nend
\ninterface GigabitEthernet1\/11
\ndescription ### ENI_R | ANTI_IT_0032 | xxx | eth1-dns11 ###
\nip address 8.8.8.137 255.255.255.252
\nno ip redirects
\nno ip unreachables
\nno ip proxy-arp
\nip ospf authentication message-digest
\nip ospf message-digest-key 1 md5 7 0968415C
\nip ospf network point-to-point
\nip ospf hello-interval 1
\nip ospf dead-interval 5
\nload-interval 30
\nipv6 address 2A02:131:8888:FE03::1\/64
\nipv6 enable
\nipv6 nd ra suppress
\nno ipv6 pim
\nipv6 ospf hello-interval 1
\nipv6 ospf dead-interval 5
\nipv6 ospf database-filter all out
\nipv6 ospf 16 area 8
\nno cdp enable
\nend<\/p>\n
\ndescription ### ENI_R | ANTI_IT_0033 | xxx | eth1-dns12 ###
\nip address 8.8.8.141 255.255.255.252
\nno ip redirects
\nno ip unreachables
\nno ip proxy-arp
\nip ospf authentication message-digest
\nip ospf message-digest-key 1 md5 7 0968415C
\nip ospf network point-to-point
\nip ospf hello-interval 1
\nip ospf dead-interval 5
\nload-interval 30
\nipv6 address 2A02:131:8888:FE04::1\/64
\nipv6 enable
\nipv6 nd ra suppress
\nno ipv6 pim
\nipv6 ospf hello-interval 1
\nipv6 ospf dead-interval 5
\nipv6 ospf database-filter all out
\nipv6 ospf 16 area 8
\nno cdp enable
\nendrouter ospf 10
\nrouter-id 1.2.3.4
\nispf
\nlog-adjacency-changes detail
\nauto-cost reference-bandwidth 100000
\narea 8 authentication message-digest
\narea 8 stub no-summary
\ntimers throttle spf 10 100 5000
\ntimers throttle lsa 10 100 5000
\nredistribute connected subnets
\nredistribute static subnets
\npassive-interface default
\nno passive-interface GigabitEthernet1\/9
\nno passive-interface GigabitEthernet1\/10
\nno passive-interface GigabitEthernet1\/11
\nno passive-interface GigabitEthernet1\/12
\nnetwork 8.8.8.129 0.0.0.0 area 8
\nnetwork 8.8.8.133 0.0.0.0 area 8
\nnetwork 8.8.8.137 0.0.0.0 area 8
\nnetwork 8.8.8.141 0.0.0.0 area 8
\ndistribute-list prefix OSPF_DENY out
\nbfd all-interfaces
\n!<\/p>\n
\nrouter-id 8.8.8.1
\nlog-adjacency-changes detail
\nauto-cost reference-bandwidth 100000
\npassive-interface default
\nno passive-interface GigabitEthernet1\/9
\nno passive-interface GigabitEthernet1\/10
\nno passive-interface GigabitEthernet1\/11
\nno passive-interface GigabitEthernet1\/12<\/p>\n
\n# This file describes the network interfaces available on your system
\n# and how to activate them. For more information, see interfaces(5).<\/p>\n
\nauto lo
\niface lo inet loopback<\/p>\n
\nauto eth0
\niface eth0 inet static
\naddress 8.8.8.194
\nnetmask 255.255.255.252<\/p>\n
\nnetmask 64
\ngateway 2a02:131:8888:fd01::1<\/p>\n
\niface eth1 inet static
\naddress 8.8.8.130
\nnetmask 255.255.255.252<\/p>\n
\naddress 2a02:131:8888:fe01::130
\nnetmask 64
\ngateway 2a02:131:8888:fe01::1<\/p>\n
\niface lo:7 inet static
\naddress 8.8.8.7
\nnetmask 255.255.255.255
\nup ip -6 addr add 2a02:131:1:8888::7\/128 dev lo:7<\/p>\n
\niface lo:77 inet static
\naddress 8.8.8.77
\nnetmask 255.255.255.255
\nup ip -6 addr add 2a02:131:1:8888::77\/128 dev lo:77<\/p>\n
\niface lo:8 inet static
\naddress 8.8.8.8
\nnetmask 255.255.255.255
\nup ip -6 addr add 2a02:131:1:8888::8\/128 dev lo:8<\/p>\n
\niface lo:88 inet static
\naddress 8.8.8.88
\nnetmask 255.255.255.255
\nup ip -6 addr add 2a02:131:1:8888::88\/128 dev lo:88<\/p>\n
\niface lo:100 inet static
\naddress 8.8.8.21
\nnetmask 255.255.255.255
\nup ip -6 addr add 2a02:131:1:8888::21\/128 dev lo:100<\/p>\n
\ndns-cache21:\/etc\/sv# cat dnscache\/env\/IP dnscache\/env\/IPSEND dnscache\/env\/ROOT dnscache\/env\/CACHESIZE dnscache2\/env\/IP dnscache2\/env\/IPSEND dnscache2\/env\/ROOT dnscache2\/env\/CACHESIZE
\n8.8.8.194
\n8.8.8.194
\n\/etc\/sv\/dnscache\/root
\n1572864000
\n8.8.8.130
\n8.8.8.130
\n\/etc\/sv\/dnscache2\/root
\n1572864000<\/p>\n
\n::ffff:8.8.8.7
\n\/etc\/sv\/tinydns\/root
\n::ffff:8.8.8.77
\n\/etc\/sv\/tinydns\/root
\n2a02:131:1:8888::7
\n\/etc\/sv\/tinydns\/root
\n2a02:131:1:8888::77
\n\/etc\/sv\/tinydns\/root<\/p>\n
\nhostname ospfd
\npassword secretpassword
\nlog file \/var\/log\/quagga\/ospfd.log
\nservice advanced-vty<\/p>\n
\nip ospf authentication message-digest
\nip ospf message-digest-key 1 md5 Dn5
\nip ospf network point-to-point
\nip ospf hello-interval 1
\nip ospf dead-interval 5
\n!
\ninterface eth1
\nip ospf authentication message-digest
\nip ospf message-digest-key 1 md5 Dn5
\nip ospf network point-to-point
\nip ospf hello-interval 1
\nip ospf dead-interval 5
\n!
\nrouter ospf
\nrouter-id 8.8.8.194
\nnetwork 8.8.8.7\/32 area 8
\nnetwork 8.8.8.77\/32 area 8
\nnetwork 8.8.8.8\/32 area 8
\nnetwork 8.8.8.88\/32 area 8
\nnetwork 8.8.8.21\/32 area 8
\nnetwork 8.8.8.194\/30 area 8
\nnetwork 8.8.8.130\/30 area 8
\narea 8 stub
\narea 8 authentication message-digest
\n!
\nlog stdout<\/p>\n
\npassword secretpass
\nlog stdout
\nlog file \/var\/log\/quagga\/ospf6d.log
\nservice advanced-vty
\n!
\ndebug ospf6 neighbor state
\n!
\ninterface eth1
\nipv6 ospf6 hello-interval 1
\nipv6 ospf6 dead-interval 5
\n!
\ninterface eth0
\nipv6 ospf6 hello-interval 1
\nipv6 ospf6 dead-interval 5<\/p>\n
\ninterface lo
\n!
\nrouter ospf6
\nrouter-id 8.8.8.21
\ninterface eth1 area 0.0.0.8
\ninterface eth0 area 0.0.0.8
\ninterface lo area 0.0.0.8<\/p>\n
![<\/a>](\"http:\/\/itblog.antik.sk\/wp-content\/anycast5-itblog.png\"){kind=link}