
Is it possible to have one or two static IP addresses for a cluster of recursive (but not open relay) DNS BIND servers that are being hosted on different cloud vpn providers? We want to have two DNS servers behind one IP address (one at Rackspace, one at AWS).

Edit: I do know we'd likely have to have our own IP Space.

Kladskull
  • One failure mode which I have seen more than once in anycasted recursive DNS servers is this: The recursive DNS server is able to receive requests from clients and send replies. However, the server needs a unicast address as well in order to communicate with authoritative servers, and that unicast IP address has for some reason gone down. So the server now responds with server failure to every request it receives from clients. – kasperd Feb 25 '15 at 22:18

1 Answer

Not in the configuration you're talking about - at least, not in a way that would make any kind of sense to implement.

To have two different resources in different locations behind the same IP, you need to use BGP anycast (which you can't do in AWS/Rackspace). Failing that, you'd need to have something behind that IP address that's proxying to AWS/Rackspace - which would also be a single point of failure if it weren't itself anycasted.

Shane Madden
  • Actually the proxy would be a single point of failure, even if it was anycasted. That's because if a server in an anycast pool goes down, it doesn't magically stop receiving traffic. So for all those clients being routed to the server, which is down, that IP is effectively down. – kasperd Feb 25 '15 at 22:15
  • @kasperd Yeah, good point - would need to drop the advertisement (and wait for convergence) to stop sending traffic to the bad node. – Shane Madden Feb 25 '15 at 22:17
  • Any design based on automatically detecting a bad node and no longer sending traffic to it, ends up being fragile. Often systems fail in some way, which is functional enough, that the health checks consider it to be up, but in practice it is broken in some way rendering it unusable to the users. – kasperd Feb 25 '15 at 22:21
  • @kasperd Agreed, that setup would be incredibly fragile. – Shane Madden Feb 25 '15 at 22:23
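As an added illustration of the points raised in the answer and its comments (this is example code, not something posted by the question or answer authors): an anycast node should only keep announcing the shared prefix while a probe that goes *through* the local recursor to real upstream authorities succeeds. The probe below treats a SERVFAIL as "down" even though the resolver's socket is still answering, which is exactly the failure mode kasperd describes, and treats a timeout the same way; on failure it produces the command to withdraw the route. The prefix `203.0.113.53/32`, the probe name `example.com.`, the ExaBGP stdin-style `announce route` / `withdraw route` commands and the `fake_reply` bytes are all assumptions made for this example. As the comments note, such a check is only as good as what it tests, so it is shown as a minimum, not a guarantee.

```python
"""Anycast recursive-resolver health probe (added example, not from the original post).

Assumed design: each anycast node runs this probe against its own resolver.
'up' requires a matching NOERROR reply with at least one answer; SERVFAIL,
a bogus reply, or a timeout counts as 'down' and the node withdraws the
anycast prefix from BGP (ExaBGP-style command, assumed here).
"""
import random
import socket
import struct

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def build_query(qname: str, qid: int) -> bytes:
    """Build a minimal DNS A/IN query with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(lab)]) + lab.encode("ascii")
        for lab in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(qid: int, data: bytes) -> dict:
    """Pull id match, QR bit, RCODE and answer count from a raw DNS reply."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id_match": rid == qid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(qid: int, data) -> str:
    """'up' only for a matching NOERROR response carrying at least one answer."""
    if data is None:
        return "down: timeout"
    r = parse_response(qid, data)
    if not r["id_match"] or not r["is_response"]:
        return "down: bogus reply"
    if r["rcode"] == RCODE_SERVFAIL:
        # Socket answers, but the recursor cannot reach upstream authorities.
        return "down: SERVFAIL (resolver up, upstream path broken)"
    if r["rcode"] != RCODE_NOERROR or r["ancount"] == 0:
        return f"down: rcode {r['rcode']}, {r['ancount']} answers"
    return "up"


def udp_exchange(packet: bytes, server="127.0.0.1", port=53, timeout=2.0):
    """Send one UDP query to the local resolver; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            return s.recv(512)
        except socket.timeout:
            return None


def probe(prefix: str, qname="example.com.", exchange=udp_exchange, qid=None):
    """Run one probe; return (status, bgp_command) for the caller to act on."""
    qid = random.randrange(0, 65536) if qid is None else qid
    status = classify(qid, exchange(build_query(qname, qid)))
    # Assumed ExaBGP stdin API syntax for announcing/withdrawing the prefix.
    if status == "up":
        cmd = f"announce route {prefix} next-hop self"
    else:
        cmd = f"withdraw route {prefix} next-hop self"
    return status, cmd


def fake_reply(qid: int, rcode: int, ancount: int = 0) -> bytes:
    """Constructed reply header for offline testing (QR=1, RD=1, RA=1); not real traffic."""
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, ancount, 0, 0)


if __name__ == "__main__":
    # Against a real local resolver (hypothetical anycast prefix).
    print(probe("203.0.113.53/32"))
```

Run on each node from cron or a supervisor loop and pipe the command into the BGP speaker; remember that withdrawal still takes BGP convergence time, during which clients routed to this node see failures.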