[dns-operations] Anycast resolver addresses (Was: Do Unix stubs round robin nameserver addresses?)

Doug Barton dougb at dougbarton.us
Fri Apr 17 23:09:47 UTC 2015

On 4/17/15 3:53 PM, Roland Dobbins wrote:
> On 18 Apr 2015, at 5:44, Chuck Anderson wrote:
>> 2. Use anycast to make your multiple DNS servers appear as one IP, and
>>  put that one IP in /etc/resolv.conf.  You can have multiple IPs,
>>  but each one should still be anycasted.
> The problem with using only one IP is that if someone accidentally
> fat-fingers an ACL or a routing statement or a firewall rule or
> whatever, all recursive DNS is hosed.
> So, anycasting *two* IP addresses (on differing netblocks) is probably
> warranted.

IME the behavior in failover to a secondary resolver address is so 
troublesome that if you're going to go to the trouble of anycasting (or 
load balancing) a resolver address it's better to go with just one.

In the unlikely event that someone does what you describe Roland (i.e., 
fat-finger access to a core services network), you're going to have so 
many other problems that resolver failover is going to be the least of 
your worries.



I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150417/2334f527/attachment.sig>

More information about the dns-operations mailing list