Gavin Brown
2012-Aug-16 14:39 UTC
[nsd-users] Question about response source address and dynamic interfaces
Hi there,

I have a FreeBSD box (hostA) running NSD. It has a management address (10.0.0.2) and a service address (10.0.0.3). It is part of a clustered pair with a Linux machine (hostB) that has a management address (10.0.0.4) and a service address (10.0.0.5). DNS queries are sent to the two service addresses. Heartbeat is used to co-ordinate the pairs: if hostB goes offline, then the service address (10.0.0.5) is brought up on hostA so that it can answer queries, and vice versa.

The problem is this: without an ip-address entry in nsd.conf, responses are sent from the management address (10.0.0.2) since that is the "primary" interface of the host. I can fix this during normal operations by adding an ip-address entry for 10.0.0.3.

However, during failover, queries sent to 10.0.0.5 will be answered with the wrong source address. Again, I could fix this using an ip-address entry.

But - when the machine boots, this IP address isn't assigned to hostA, so if it appears in nsd.conf, NSD will refuse to start. BIND (which I'm using on hostB) doesn't have this problem.

Has anyone else solved this problem? Or do I need to write scripts to munge nsd.conf and restart it during failover/failback?

Thanks,

-- 
Gavin Brown
Chief Technology Officer
CentralNic Ltd

Innovative, Reliable and Flexible Registry Services for ccTLD, gTLD and private domain name registries
https://www.centralnic.com/

CentralNic Ltd is a company registered in England and Wales with company number 4985780. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
Paul Wouters
2012-Aug-16 15:16 UTC
[nsd-users] Question about response source address and dynamic interfaces
On Thu, 16 Aug 2012, Gavin Brown wrote:

> I have a FreeBSD box (hostA) running NSD. It has a management address
> (10.0.0.2) and a service address (10.0.0.3). It is part of a clustered
> pair with a Linux machine (hostB) that has a management address
> (10.0.0.4) and a service address (10.0.0.5). DNS queries are sent to the
> two service addresses. Heartbeat is used to co-ordinate the pairs: if
> hostB goes offline, then the service address (10.0.0.5) is brought up on
> hostA so that it can answer queries, and vice versa.
>
> The problem is this: without an ip-address entry in nsd.conf, responses
> are sent from the management address (10.0.0.2) since that is the
> "primary" interface of the host. I can fix this during normal operations
> by adding an ip-address entry for 10.0.0.3.
>
> However, during failover, queries sent to 10.0.0.5 will be answered with
> the wrong source address. Again, I could fix this using an ip-address entry.
>
> But - when the machine boots, this IP address isn't assigned to hostA,
> so if it appears in nsd.conf, NSD will refuse to start. BIND (which I'm
> using on hostB) doesn't have this problem.
>
> Has anyone else solved this problem? Or do I need to write scripts to
> munge nsd.conf and restart it during failover/failback?

You could probably do something along the lines of[*]:

  # send packets carrying fwmark 53 through a dedicated routing table
  # (a named table such as "table53" needs an entry in /etc/iproute2/rt_tables)
  ip rule add fwmark 53 table table53
  # mark DNS responses (UDP source port 53) as they leave the host;
  # locally generated packets traverse OUTPUT, not PREROUTING, and
  # --sport needs an explicit -p udp/-p tcp
  iptables -t mangle -A OUTPUT -p udp --sport 53 -j MARK --set-mark 53
  # the "src" hint on the route supplies the preferred source address
  ip route add default via 10.0.0.x dev eth0 table table53 src 10.0.0.3

Although if you failover the nsd service itself, shouldn't you be able to use the 10.0.0.3 in its config file?

Paul

[*] untested :)
Gavin Brown
2012-Oct-09 09:57 UTC
[nsd-users] Question about response source address and dynamic interfaces
I was never able to resolve this issue, but Bert Hubert recently posted on a related topic. If NSD did what PowerDNS now does, this would resolve my problem!

On binding datagram (UDP) sockets to the ANY addresses:
http://bert-hubert.blogspot.co.uk/2012/10/on-binding-datagram-udp-sockets-to-any.html

On 16/08/2012 15:39, Gavin Brown wrote:
> Hi there,
>
> I have a FreeBSD box (hostA) running NSD. It has a management address
> (10.0.0.2) and a service address (10.0.0.3). It is part of a clustered
> pair with a Linux machine (hostB) that has a management address
> (10.0.0.4) and a service address (10.0.0.5). DNS queries are sent to the
> two service addresses. Heartbeat is used to co-ordinate the pairs: if
> hostB goes offline, then the service address (10.0.0.5) is brought up on
> hostA so that it can answer queries, and vice versa.
>
> The problem is this: without an ip-address entry in nsd.conf, responses
> are sent from the management address (10.0.0.2) since that is the
> "primary" interface of the host. I can fix this during normal operations
> by adding an ip-address entry for 10.0.0.3.
>
> However, during failover, queries sent to 10.0.0.5 will be answered with
> the wrong source address. Again, I could fix this using an ip-address entry.
>
> But - when the machine boots, this IP address isn't assigned to hostA,
> so if it appears in nsd.conf, NSD will refuse to start. BIND (which I'm
> using on hostB) doesn't have this problem.
>
> Has anyone else solved this problem? Or do I need to write scripts to
> munge nsd.conf and restart it during failover/failback?
>
> Thanks,
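The technique Bert Hubert's post describes, and which the thread wishes NSD had, is a UDP server that binds the wildcard address, asks the kernel (via IP_PKTINFO) which local address each query was actually sent to, and then forces that address as the source of the reply. The following is an added illustration written for this page, not code from NSD, PowerDNS or anyone in the thread. It assumes Linux (the `in_pktinfo` layout and the fallback option value 8 are Linux-specific); the loopback demo at the bottom is constructed and uses 127.0.0.2 as a stand-in for a service address that may come and go, as 10.0.0.5 does during failover.

```python
#!/usr/bin/env python3
"""Answer UDP queries from the address they were sent to while bound to
0.0.0.0, using IP_PKTINFO on receive and on send (Linux).

Added example for this thread; not NSD or PowerDNS code."""
import socket
import struct

# Linux value of IP_PKTINFO per ip(7); older Pythons do not export it,
# so 8 is assumed as the fallback (Linux only).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)

# struct in_pktinfo {
#     int            ipi_ifindex;   /* interface index */
#     struct in_addr ipi_spec_dst;  /* local address (source on send) */
#     struct in_addr ipi_addr;      /* header destination address */
# };
IN_PKTINFO = struct.Struct("=i4s4s")


def parse_pktinfo(ancdata):
    """Return (ifindex, spec_dst, addr) from recvmsg() ancillary data.

    On receive, ipi_addr is the destination address in the IP header,
    i.e. the service address the client queried.  None if the kernel
    attached no IP_PKTINFO item (socket option not enabled)."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, spec_dst, addr = IN_PKTINFO.unpack(data[:IN_PKTINFO.size])
            return ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(addr)
    return None


def build_pktinfo(source_ip, ifindex=0):
    """Ancillary data for sendmsg() that forces source_ip as the source.

    On send the kernel honours ipi_spec_dst as the local source address;
    ifindex 0 leaves the outgoing interface to the routing table."""
    data = IN_PKTINFO.pack(ifindex, socket.inet_aton(source_ip), b"\0\0\0\0")
    return [(socket.IPPROTO_IP, IP_PKTINFO, data)]


def reply_source(ancdata, fallback=None):
    """Address to answer from: the queried address if known, else fallback."""
    info = parse_pktinfo(ancdata)
    return info[2] if info else fallback


def open_wildcard_socket(port):
    """Bind 0.0.0.0 (so addresses added later still work) and request
    destination-address information for every received datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    sock.bind(("0.0.0.0", port))
    return sock


def serve_one(sock, handler):
    """Receive one datagram and answer it from the address it was sent to.
    Returns the source address used for the reply (None if unknown)."""
    data, ancdata, _flags, peer = sock.recvmsg(4096, socket.CMSG_SPACE(IN_PKTINFO.size))
    src = reply_source(ancdata)
    anc = build_pktinfo(src) if src else []   # no pktinfo: let the kernel pick
    sock.sendmsg([handler(data)], anc, 0, peer)
    return src


if __name__ == "__main__":
    # Constructed loopback demo: the client sends to 127.0.0.2 (any 127/8
    # address is local on Linux), and the reply must come back from
    # 127.0.0.2 even though the server socket is bound to 0.0.0.0.
    server = open_wildcard_socket(0)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(b"query", ("127.0.0.2", port))
    answered_from = serve_one(server, lambda q: b"answer:" + q)
    reply, (reply_ip, _) = client.recvfrom(4096)
    print(answered_from, reply, reply_ip)
    assert reply_ip == answered_from == "127.0.0.2"
```

Because the socket is bound to the wildcard and the per-packet source is chosen from what the client actually addressed, a service address that Heartbeat adds after the daemon started is answered correctly without any config change or restart. (Later NSD 4 releases also added the `ip-transparent` and `ip-freebind` options, which let a listed ip-address be bound before it exists on the host; that postdates this 2012 thread.)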