
Let's assume I have set up a pair of anycasted DNS servers on my internal network using bird, and they're just talking OSPF to my core routers. I've found this on the internet and made it happen.

If I set up one to have a higher-cost path than the other, sweet, I've just made a cute way to do fail-over without causing my clients any timeouts when switching from one host in their resolv.conf to the other resolver in their resolv.conf.

But that's not good enough for me. I want to distribute my load between my DNS servers. So I set the cost for both to be the same, so the routers now should be doing ECMP and sending 50% of the requests to one and 50% of the requests to the other.

But it turns out my enterprise uses TCP for a large fraction of our DNS -- let's say we've got enormous SRV records and we use DNSSEC because we're awesome.

Now, how do I set up my clever anycast setup to cope with the fact that the TCP requests need 3 or 4 packets to get a request done, and now one of those 3 packets is always going to go to the wrong router and get the TCP connection reset?

chris
  • You really need connection tracking/state. A firewall can do that sort of load balancing. Is there budget for a proper load balancer? – NickW Apr 03 '13 at 11:43
  • http://www.nanog.org/meetings/nanog37/presentations/matt.levine.pdf – poige Apr 03 '13 at 11:45

2 Answers


Well, in such a scheme you can just block RST responses for invalid sessions, can't you? :) Or (what is even better), don't pass it into the service:

— invalid state?

— no that way, try another!

P.S. Yes, I really like the presentation "TCP Anycast - Don't believe the FUD - nanog" at the link I gave you in the comments. ;)

poige
  • Ah, so the connection tracking is the key -- http://people.netfilter.org/pablo/docs/login.pdf -- each node runs a firewall that knows the state of each other firewall and forwards traffic to the proper firewall if it happens to receive traffic "for my ip but not for me". – chris Apr 03 '13 at 12:05

Just use per-flow OSPF ECMP instead of per-packet and you'll be fine, just like the NANOG presentation says.

Anycast for TCP is only a potential problem for long-lived TCP sessions, and almost every DNS implementation I know of only uses very short-lived TCP sessions.

Alnitak
  • Which OSPF implementations offer per-flow ECMP instead of per-packet ECMP? In a perfect world I'd just get the ECMP to choose a path based on a hash of (source IP / source port). – chris Apr 07 '13 at 17:54
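The two answers above describe two different fixes: Alnitak's is to make the router pick the next hop per flow (a hash of the 5-tuple) rather than per packet, and poige's is to have each node treat a mid-stream segment for a handshake it never saw as "invalid state" and drop it or hand it to the peer, rather than let the TCP stack answer RST. The following is an added example, not code from the thread or from bird: a small Python model of a router in front of two anycast resolvers that runs a three-segment TCP DNS query through both ECMP modes and all three invalid-state policies. The node names, the anycast address and the client addresses are constructed for the example.

```python
"""Added example (not from the thread): a model of two anycast DNS nodes behind
an ECMP router.  Node names, the VIP and the client addresses are constructed.

It compares per-packet ECMP with per-flow (5-tuple hash) ECMP for a TCP DNS
query, and shows what happens when a node receives a mid-stream segment for a
flow whose handshake went to its peer: answer RST (client sees a reset), drop
it (client stalls), or hand it to the peer that owns the flow (query completes).
"""
import hashlib

NODES = ("dns-a", "dns-b")    # hypothetical anycast resolvers sharing one VIP
VIP = "10.0.0.53"             # hypothetical anycast address


def flow_key(pkt):
    """The 5-tuple identifying a flow; used by per-flow ECMP and by node state."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def ecmp_per_flow(pkt):
    """Hash the 5-tuple so every segment of one TCP session takes the same next hop."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return NODES[int.from_bytes(digest[:4], "big") % len(NODES)]


def make_ecmp_per_packet():
    """Round-robin next-hop choice: consecutive packets alternate between nodes."""
    state = {"i": 0}

    def choose(pkt):
        node = NODES[state["i"] % len(NODES)]
        state["i"] += 1
        return node

    return choose


class AnycastNode:
    """One resolver with a minimal TCP state table (SYN seen -> established)."""

    def __init__(self, name):
        self.name = name
        self.established = set()
        self.answered = self.resets = self.dropped = self.forwarded = 0

    def receive(self, pkt, peers, on_invalid):
        key = flow_key(pkt)
        if "SYN" in pkt["flags"]:
            self.established.add(key)
        elif key in self.established:
            if "QUERY" in pkt["flags"]:
                self.answered += 1
            if "FIN" in pkt["flags"]:
                self.established.discard(key)
        # Invalid state: a non-SYN segment for a handshake this node never saw.
        elif on_invalid == "rst":
            self.resets += 1            # what a plain TCP stack does
        elif on_invalid == "forward":
            owner = next((p for p in peers if key in p.established), None)
            if owner is None:
                self.dropped += 1
            else:
                self.forwarded += 1     # "not for me, try the other node"
                owner.receive(pkt, peers=(), on_invalid="drop")
        else:
            self.dropped += 1           # firewall rule: ct state invalid -> drop


def tcp_query(client, sport):
    """Constructed three-segment TCP DNS exchange: SYN, ACK carrying the query, FIN."""
    base = {"src": client, "sport": sport, "dst": VIP, "dport": 53, "proto": "tcp"}
    return [dict(base, flags={"SYN"}),
            dict(base, flags={"ACK", "QUERY"}),
            dict(base, flags={"FIN", "ACK"})]


def simulate(ecmp, on_invalid, n_clients=20):
    """Run n_clients TCP queries through the router and return per-outcome counts."""
    choose = ecmp_per_flow if ecmp == "per-flow" else make_ecmp_per_packet()
    nodes = {name: AnycastNode(name) for name in NODES}
    for i in range(n_clients):
        for pkt in tcp_query(f"192.0.2.{i + 1}", 40000 + i):   # constructed clients
            node = nodes[choose(pkt)]
            peers = [p for p in nodes.values() if p is not node]
            node.receive(pkt, peers, on_invalid)
    return {field: sum(getattr(n, field) for n in nodes.values())
            for field in ("answered", "resets", "dropped", "forwarded")}


if __name__ == "__main__":
    for ecmp in ("per-packet", "per-flow"):
        for policy in ("rst", "drop", "forward"):
            print(f"{ecmp:10s} {policy:8s} {simulate(ecmp, policy)}")
```

With round-robin per-packet ECMP and a three-segment exchange, the segment carrying the query always lands on the node that did not see the SYN, so every query is reset (or, with a drop rule, stalls) unless the receiving node hands it to the peer that owns the flow; with a 5-tuple hash all three segments reach the same node and every query completes, with no connection-tracking sync needed. On a Linux box doing the ECMP, the sysctl `net.ipv4.fib_multipath_hash_policy` (1 = include the L4 ports in the hash) is what selects per-flow hashing; it belongs on the routers, not on the resolvers.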