2025-01-14
Jonathan Ho
We host our own BIND 9 DNS servers, mainly for the DN42 network. To make the BIND 9 configuration and DNS records easy to manage and version, we containerized BIND 9 and run it as a Docker container on each server. The DNS records are DNSSEC signed, and the servers are configured to use DNS over TLS (DoT) for secure DNS queries.
To make the service highly available, we use anycast to announce the DNS server IP address and BGP to route traffic to the nearest server. When one server goes down, traffic is routed to the next nearest server, giving us an active-active DNS setup. Since we use ECMP, traffic is distributed evenly across servers without any special configuration.
Inside the container, ExaBGP monitors the health of the DNS server and announces the anycast address to Bird, which in turn announces it to the BGP peers. The BGP peers are configured to use ECMP to distribute traffic evenly across all servers.
Why announce it from inside the container? Because we can't just put the anycast address on the server's loopback interface: if the BIND 9 process goes down but the host stays up, the route is still announced, so queries keep arriving at that server, are accepted (more or less) by the host, and never get a response instead of being routed to the next nearest server.
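This is what that health-check-driven announcement looks like in practice. The script below is an added example, not the post's own configuration: ExaBGP runs it as a process, reads its stdout as API commands, and only announces the anycast route to Bird while BIND actually answers queries. The anycast address, query name and file paths are placeholders.

```shell
#!/bin/sh
# ExaBGP health-check process for a containerized BIND 9 anycast node.
# Assumed exabgp.conf wiring (placeholder names/addresses):
#   process watch-bind { run /etc/exabgp/check-bind.sh loop; encoder text; }
#   neighbor <bird address> { ... api { processes [ watch-bind ]; } }
# The route is withdrawn as soon as BIND stops answering, so a dead resolver
# does not keep attracting queries it can no longer serve.
ANYCAST="${ANYCAST:-172.20.0.53/32}"   # placeholder anycast address
RESOLVER="${RESOLVER:-127.0.0.1}"      # BIND listens here inside the container
QNAME="${QNAME:-localhost.}"           # placeholder name BIND must answer
INTERVAL="${INTERVAL:-5}"              # seconds between probes

# Build the ExaBGP API line for a health state ("up" or "down").
exabgp_line() {
  case "$1" in
    up)   printf 'announce route %s next-hop self\n' "$ANYCAST" ;;
    down) printf 'withdraw route %s next-hop self\n' "$ANYCAST" ;;
    *)    return 1 ;;
  esac
}

# Map a probe exit code (0 = healthy) to the new state.
next_state() {  # $1 = previous state (unused, kept for symmetry), $2 = exit code
  if [ "$2" -eq 0 ]; then echo up; else echo down; fi
}

# Probe BIND with a real query; dig must be installed in the container.
probe_dns() {
  dig +time=2 +tries=1 "@$RESOLVER" "$QNAME" A >/dev/null 2>&1
}

# Emit an announce/withdraw only on state transitions; ExaBGP keeps the
# last announced state, so repeating it every interval is unnecessary.
main_loop() {
  state=down
  while :; do
    probe_dns; rc=$?
    new=$(next_state "$state" "$rc")
    if [ "$new" != "$state" ]; then
      exabgp_line "$new"
      state=$new
    fi
    sleep "$INTERVAL"
  done
}

# Only the "loop" argument (as used in the ExaBGP run line) starts the loop.
case "${1:-}" in
  loop) main_loop ;;
esac
```

Starting with state=down means the route is announced only after the first successful probe, so a container whose BIND never comes up never attracts traffic.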