Practical Analysis of DNS Multi-Point Deployment with IP Anycast + BGP
Most multi-point deployments in the DNS field use the IP Anycast + BGP mode. In this mode no additional equipment needs to be purchased, and the deployment is flexible and varied. However, like every other technology, IP Anycast + BGP delivers its full advantage only within the appropriate fields and scope.
As the Internet keeps growing and the number of Internet users increases, most websites or DNS services served from a single node can no longer carry the volume of user requests, whether the limit is server performance or access bandwidth; in China, slow access between carriers has always been a problem as well. In addition, high availability of services has gradually received more attention. With these factors in mind, the first thing enterprises think of is deploying the same service in multiple physical locations and on the networks of multiple carriers. Most users have seen multiple download links such as "Telecom download" and "Netcom download" on a download page; this is one application of multi-point deployment. Can a request be connected automatically to the fastest service without the user choosing? For some application services the answer is yes.
Some equipment manufacturers have produced hardware products for this need, such as the F5 GTM. In the DNS field, IP Anycast + BGP is used for multi-point deployment. IP Anycast + BGP is a network technology that requires no additional equipment and can be deployed flexibly. However, its characteristics must be considered carefully before deployment: just like every other technology, IP Anycast + BGP delivers its full advantage only within the appropriate fields and scope.
Anycast technical advantages
Anycasting was first proposed and defined in RFC 1546. RFC 1546 treats anycast addresses as distinct from ordinary IPv4 unicast addresses and recommends allocating an independent address space, carved out of the IPv4 address space, to serve as the anycast address space. Anycast as defined in RFC 1546 is not widely used in IPv4 networks, but its original semantics are widely applied in IPv4: on an IP network, an anycast address identifies a group of hosts that provide a specific service, the accessing party does not care which particular host provides the service (for example a DNS or mirror service), and packets sent to this address may be routed by the IP network to any host in the group. The service is stateless and best-effort.
In practical applications, anycast assigns one unicast address to multiple hosts at different physical locations on the Internet; packets sent to this address are routed to the "nearest" target host as measured by the routing protocol.
Anycast technology has the following advantages:
1. Different clients reach different target hosts, and the process is transparent to the client, which achieves load balancing across the target hosts;
2. When a network connection failure occurs on any target host and that host becomes unavailable, client requests are automatically routed to the next nearest target host without human intervention, which provides a degree of redundancy for the target hosts;
3. When a target host cannot be reached because of a DoS attack, client requests are likewise routed to other target hosts because the network path is unreachable. In the case of a DDoS attack, the load-balancing effect of anycast improves the security of the target hosts to a certain extent, because no single target host has to absorb all of the attack traffic;
4. Anycast uses routing metrics to select the "nearest" target host, which improves client response time.
However, Anycast technology also has some limitations:
The shared unicast address used by anycast cannot be used as the source address of a client-initiated request, because the response to that request will not necessarily return to the host that sent it. Therefore anycast is currently applicable only to certain upper-layer protocols. In terms of actual applications, anycast is used most widely in DNS deployments.
Anycast Application Method
Anycast is essentially a network technology: it uses dynamic routing protocols in the network to achieve load balancing and redundancy of a service. By implementation type it can be divided into subnet anycast and global anycast. Subnet anycast means that all target hosts are located in the same network segment; this method provides only load balancing and redundancy and has no substantial effect on security. Global anycast means that the target hosts are in different network segments and may be located in different cities or even around the world. In actual applications, target hosts in a global anycast deployment can be connected not only to different geographical locations but also to the networks of different autonomous systems.
When the target hosts using anycast are connected to different autonomous systems, it is difficult to use address space that belongs to any one of those autonomous systems. Therefore the shared unicast address of the anycast deployment usually has its own independent autonomous system number (ASN) and exchanges routes with the networks of the different autonomous systems through the BGP protocol; this is IP Anycast + BGP.
IP Anycast + BGP deployment
The deployment of IP Anycast + BGP must use devices that can run BGP to exchange routes with other autonomous systems; generally these are routers or layer-3 switches. The target host is then connected directly to the router, or multiple hosts are connected to the router through a load-balancing device, in which case subnet anycast can also be used to reach the target hosts. The router announces the unicast address shared by the target hosts to the uplink autonomous system. The router can receive the full routing table from the uplink autonomous system, or it can simply point the next hop of its default route at the router interface of the uplink autonomous system.
This combination of router and target hosts forms a single node. The single node is then replicated and uplinked to different autonomous systems in different geographic locations, and the identical address announced by each node's router forms the anycast. Of course, the internal structure of each single node can differ: as long as the address announced through BGP is the same and the target hosts provide the same service, the nodes are interchangeable. The single nodes can use the same autonomous system number or different ones.
The deployment of IP Anycast + BGP can solve the problem of load balancing and redundancy of the distributed service. It also improves the security of the distributed service to a certain extent, but there are also some problems:
First, when the target host itself fails, for example when the host goes down or its NIC fails, the router can no longer find the route to the target host in the IGP, BGP automatically stops announcing the IP address to the uplink autonomous system, and client requests are routed to other target hosts. However, if the target host's network remains reachable while the service is unavailable, BGP cannot detect this, and the shared unicast address keeps being announced to the autonomous system. Client requests routed to that target host cannot obtain service and cannot be automatically routed to other target hosts. For this reason the network administrator must continuously monitor the services of each target host and, once an exception occurs, manually stop the BGP announcement on the node's router so that client requests are routed to other target hosts.
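The gap described above (network reachable, service dead) is usually closed by having a local health check drive the BGP announcement instead of a human. The following is an added example, not code from the original article: it probes the local resolver with a hand-built DNS query and emits ExaBGP-style "announce"/"withdraw" commands on stdout (the address, probe name and thresholds are constructed; a real deployment would run this as an ExaBGP process and point the probe at the node's own anycast address).

```python
import socket
import struct
import sys
import time

ANYCAST_IP = "192.0.2.53"       # constructed shared unicast (anycast) address
PROBE_TARGET = "127.0.0.1"      # constructed: where the local DNS service is probed
PROBE_NAME = "health.example."  # constructed: a name the local zone must answer
FAIL_THRESHOLD = 3              # consecutive failures before withdrawing, to avoid flapping
ANNOUNCE = f"announce route {ANYCAST_IP}/32 next-hop self"
WITHDRAW = f"withdraw route {ANYCAST_IP}/32 next-hop self"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def response_is_healthy(resp: bytes, txid: int = 0x1234) -> bool:
    """Healthy = matching ID, QR bit set, RCODE NOERROR and at least one answer RR."""
    if len(resp) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0 and ancount > 0

def probe(server: str, timeout: float = 1.0) -> bool:
    """Send the probe over UDP; a timeout or any socket error counts as unhealthy."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(PROBE_NAME), (server, 53))
            data, _ = s.recvfrom(512)
        return response_is_healthy(data)
    except OSError:
        return False

def next_action(announced: bool, healthy: bool):
    """Return (new_state, command): a command is emitted only on a state change."""
    if healthy and not announced:
        return True, ANNOUNCE
    if not healthy and announced:
        return False, WITHDRAW
    return announced, None

if __name__ == "__main__":
    announced, failures = False, 0
    while True:
        failures = 0 if probe(PROBE_TARGET) else failures + 1
        announced, cmd = next_action(announced, failures < FAIL_THRESHOLD)
        if cmd:
            print(cmd, flush=True)   # ExaBGP reads these lines from the process's stdout
        time.sleep(5)
```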
Second, because the unicast address used for anycast cannot initiate requests as a client, the network from which the administrator monitors the nodes cannot use the shared unicast address. In addition, anycast requires the service provided by every node to be consistent and transparent to the client, so service synchronization between nodes is also needed, and its source IP address cannot be the shared unicast address either, just as for the monitoring network. Because the two are similar in nature, they are referred to collectively below as the monitoring network.
Third, when the administrator monitors an anycast node through the shared address, the administrator cannot determine which node is being monitored, nor control which node the monitoring traffic lands on. To achieve real-time network and service monitoring, every anycast node must therefore be configured with a non-shared unicast address for management and monitoring in addition to the shared unicast address. The non-shared unicast address can be obtained in two ways. The first is allocation by the uplink autonomous system, which points the address at the router of the anycast node through a static route. The second is to announce an independent CIDR block from the router of each anycast node; because the uplink autonomous system accepts only announced CIDR blocks whose mask length is less than 24, this second method wastes a great many IP addresses. Therefore, when conditions permit, the first method should be used to obtain the nodes' non-shared unicast addresses. The non-shared unicast addresses are also used for service synchronization on the target hosts, so address allocation must be considered carefully during the planning stage of node construction.
Fourth, when the second method is used to obtain a non-shared unicast address for management, and the administrator's monitoring host and the anycast node use the same autonomous system number, the monitoring host cannot manage or monitor the anycast node: to avoid routing loops, BGP does not accept route announcements that already carry its own autonomous system number. Therefore, when conditions permit, the monitoring network segment and the anycast nodes should use different autonomous system numbers, or at least the anycast nodes that obtain non-shared unicast addresses by the second method should use an autonomous system number different from the other nodes and from the monitoring network segment. At the same time, giving the monitoring network segment and every anycast node its own independent autonomous system number should be avoided: first, to avoid wasting autonomous system numbers, and second, because a registry such as APNIC requires an autonomous system applying for an independent number to be connected to two or more other autonomous systems, whereas an anycast node is generally connected to only one.
If more than one autonomous system number cannot be obtained, the monitoring network and the nodes that obtain their non-shared unicast address by the second method will share the same autonomous system number. There is still a workaround: on the monitoring network's border router, point the node's non-shared unicast address at the border router interface of the uplink autonomous system through a static route, and at the same time have the node's router point the route for the monitoring network's address at the border router interface of the uplink autonomous system through a static route as well.
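A small routing model, added here as an example and not part of the original article, shows why the fourth problem arises and why the static-route workaround fixes it in both directions: the BGP AS_PATH loop check (RFC 4271) discards a prefix that arrived carrying the receiver's own ASN, while a static route bypasses BGP entirely. ASNs, prefixes and interface addresses are constructed.

```python
import ipaddress

SHARED_ASN = 64500        # constructed: ASN used by both the monitoring network and the node
UPSTREAM_ASN = 64496      # constructed: the uplink autonomous system sitting between them
NODE_MGMT = "203.0.113.0/24"   # constructed: node's non-shared unicast block (method two)
MONITOR_NET = "192.0.2.0/24"   # constructed: monitoring network segment
UPSTREAM_IF = "198.51.100.1"   # constructed: uplink border router interface (next hop)

def bgp_accepts(local_asn, as_path):
    """RFC 4271 loop detection: reject any UPDATE whose AS_PATH contains our own ASN."""
    return local_asn not in as_path

def receive_update(rib, local_asn, prefix, as_path, next_hop):
    """Install a BGP route only if it passes the loop check; return whether it was installed."""
    if not bgp_accepts(local_asn, as_path):
        return False
    rib[ipaddress.ip_network(prefix)] = ("bgp", next_hop)
    return True

def add_static(rib, prefix, next_hop):
    rib[ipaddress.ip_network(prefix)] = ("static", next_hop)

def lookup(rib, dst):
    """Longest-prefix match; None means the destination is unreachable from this router."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in rib if addr in n]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def router_rib(remote_prefix, with_static):
    """RIB of one side (monitoring border router or node router) for the other side's prefix.
    The remote side announces its /24 to the upstream, which prepends its own ASN, so the
    UPDATE arrives here with AS_PATH [UPSTREAM_ASN, SHARED_ASN] and fails the loop check."""
    rib = {}
    receive_update(rib, SHARED_ASN, remote_prefix, [UPSTREAM_ASN, SHARED_ASN], UPSTREAM_IF)
    if with_static:
        add_static(rib, remote_prefix, UPSTREAM_IF)
    return rib

def reachable_both_ways(with_static):
    """True only if monitoring can reach the node's mgmt address and the node can reply."""
    mon_side = lookup(router_rib(NODE_MGMT, with_static), "203.0.113.10")
    node_side = lookup(router_rib(MONITOR_NET, with_static), "192.0.2.20")
    return mon_side is not None and node_side is not None
```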
Fifth, an anycast node may be connected not only to a single autonomous system but also to one or more Internet exchange points. An Internet exchange point generally uses a route server for route exchange, but the route server does not forward packets, so it does not provide a default route and the anycast node cannot point its default route at any specific address. The anycast node's router therefore needs to receive the full routing table, and the choice of node router must be considered so that it can hold the required route entries, which may increase the investment in the node. When a single anycast node is uplinked there are many similar problems; most of them are access problems identical to those of non-anycast connections. This should be taken seriously during the construction of each single node: understand the situation in detail before implementation and make adequate preparations.
Tips
IP Anycast + BGP has been widely used in DNS system deployment. However, because the autonomous systems to which anycast nodes connect differ and the access methods vary, it is difficult to form a unified, standardized node deployment solution. Various factors should therefore be considered before the overall deployment of IP Anycast + BGP, with particular attention to the application for autonomous system numbers and to IP address planning. During the implementation of each node, enough attention should be paid to the network access: understand it in detail and prepare adequately. Do not assume that, because a unified pattern exists, the construction of an individual node can be treated lightly.