Anycast authoritative DNS

Revision as of 15:52, 22 May 2020 by Ayounsi (Initial draft)

Work in progress.

In order to improve latency and resilience of our authoritative DNS, this setup leverages BGP and anycast.

Tracking task:

Limitation of a non-anycast setup

By definition, GeoDNS can't be used to redirect users to their closest nameserver (NS), like we do for websites.

When asked for a record, the .org zone presents all 3 of our NS to the client, which then decides which one to use.

Client-side implementations not being great at that choice [citation needed], anycast offloads the decision to BGP.


Server side

The server side is a regular internal anycast setup.

Both modules/profile/manifests/dns/auth.pp and modules/profile/manifests/dns/recursor.pp include ::profile::bird::anycast.

hieradata/role/common/dnsbox.yaml and hieradata/role/common/dns/auth.yaml define the VIP to advertise and the health check that gates the advertisement:

    address: # VIP to advertise (limited to a /32)
    check_cmd: '/usr/lib/nagios/plugins/check_dns_query -H -a -l -d -t 1'
    ensure: present
    service_type: authdns

Routers side

Policy to only create (and thus advertise) the /24 anycast prefix if the router learns at least one contributing route locally, i.e. via BGP from a local anycast server (AS 64605):

policy-options {
    policy-statement BGP_from_anycast {
        term BGP_local_anycast {
            from {
                protocol bgp;
                as-path local_anycast;
            }
            then accept;
        }
        then reject;
    }
    as-path local_anycast "^64605$";
}
routing-options {
    aggregate {
        route policy BGP_from_anycast;
    }
}


Know which server a client is routed to

$ dig +nsid A |grep NSID

Failure tests

Total local AuthDNS failure

  1. Stop gdnsd on all ulsfo servers
  2. The anycast prefix stops being advertised to the routers
  3. The routers don't have any contributing routes to the less specific prefix
  4. The routers stop advertising the prefix to their peers
  5. Start gdnsd back
  6. The prefixes are re-advertised
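The router-side policy above and the failure test it is meant to survive can be modelled together. The following is an added example, not part of this page or of the Puppet/Junos config it describes: it reproduces the BGP_from_anycast policy and the aggregate's "exists only while a contributor exists" behaviour on a small in-memory RIB, then replays the total-failure steps. The prefixes, next hops and the transit AS 64600 are constructed; only AS 64605 comes from the page.

```python
"""Model of the router-side anycast policy: the /24 aggregate is generated only
while at least one contributing /32 is learned via BGP from a local anycast
server (AS 64605). All prefixes and next hops below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network

LOCAL_ANYCAST_AS = 64605                   # matches as-path "^64605$"
AGGREGATE = ip_network("198.51.100.0/24")  # constructed, not the real prefix


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "198.51.100.53/32"
    protocol: str    # "bgp", "static", "direct", ...
    as_path: tuple   # AS numbers, leftmost first; () for non-BGP routes
    next_hop: str    # the server (or peer) the route was learned from


def bgp_from_anycast(route: Route) -> bool:
    """policy-statement BGP_from_anycast: term BGP_local_anycast accepts BGP
    routes whose AS path is exactly the local anycast AS; everything else
    falls through to the final 'then reject'."""
    return route.protocol == "bgp" and route.as_path == (LOCAL_ANYCAST_AS,)


def aggregate_is_active(rib) -> bool:
    """A Junos aggregate route exists only while some more-specific route inside
    it passes the aggregate's policy; with no contributors it is withdrawn."""
    return any(
        ip_network(r.prefix).subnet_of(AGGREGATE)
        and ip_network(r.prefix) != AGGREGATE
        and bgp_from_anycast(r)
        for r in rib
    )


def failure_test():
    """Replays 'Total local AuthDNS failure': healthy -> all gdnsd stopped ->
    one server back. Returns the aggregate state at each step."""
    healthy = [Route("198.51.100.53/32", "bgp", (LOCAL_ANYCAST_AS,), "10.0.0.11"),
               Route("198.51.100.53/32", "bgp", (LOCAL_ANYCAST_AS,), "10.0.0.12")]
    noise = [Route("198.51.100.53/32", "static", (), "discard"),                 # not BGP
             Route("198.51.100.53/32", "bgp", (64600, LOCAL_ANYCAST_AS), "peer"),  # via transit
             Route("203.0.113.53/32", "bgp", (LOCAL_ANYCAST_AS,), "10.0.0.13")]    # outside /24
    before = aggregate_is_active(healthy + noise)          # steps 1-4 not yet taken
    after = aggregate_is_active(noise)                     # all local gdnsd stopped
    recovered = aggregate_is_active(healthy[:1] + noise)   # first server back
    return before, after, recovered
```

Note that the "noise" routes never create the aggregate: a static route, a path that transited another AS, or a /32 outside the /24 all fail the policy or the contributor check, so only a live local server can cause the prefix to be advertised.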


  • L3 header LB: ICMP "packet too big" messages sent by routers along the path will not consistently be routed to the correct router
  • Non-consistent hashing: if a routing change on the Internet causes a TCP packet to arrive through a different router, that router will not consistently forward it to the server holding the connection