query-source for multiple interfaces

Sam Wilson Sam.Wilson at ed.ac.uk
Thu May 18 09:21:07 UTC 2006


In article <e4gd1a$4bm$1 at sf1.isc.org>,
 Mark Andrews <Mark_Andrews at isc.org> wrote:

> Barry Margolin <barmar at alum.mit.edu> wrote:
> 
> > In article <e4feh9$12k9$1 at sf1.isc.org>,
> >  Sam Wilson <Sam.Wilson at ed.ac.uk> wrote:
> > 
> > > Looking at the ARM the "query-source" option seems to be able to specify 
> > > only one address.  We are investigating anycast DNS on multihomed 
> > > servers.  It looks as though I can't use "query-source" to allow queries 
> > > to be sent from any address except the multicast address.  Is this true 
> > > and is there any obvious workaround?  I've already thought of adding a 
> > > second local /32 address that's specific to the box and sourcing the 
> > > queries from there, but that's getting rather messy.
> > 
> > If the anycast address is an alias IP, I don't think you need to do 
> > anything.  I think the OS will automatically default the source address 
> > to the primary IP of the outgoing interface rather than an alias.
> 
>  Also it does not make sense to send queries from an anycast
>  address as the replies are not guaranteed to go back to the
>  correct instance.

Of course it doesn't - that's why I'm trying to make sure that BIND 
doesn't use its anycast address to source anything.  Barry's answer is 
plausible though the address isn't an external alias as such - it's an 
additional address on the lo0 interface which might well make it even 
less likely to be used as a source address.  If it hadn't been for 
slides 49-50 of <http://www.nanog.org/mtg-0310/pdf/miller.pdf> then I 
might have thought of that myself (though that setup is different from 
ours, not being multihomed).

If you're saying that BIND knows it's not sensible to use an anycast 
source and won't do it then that's great, I'm just not sure how BIND 
would know that.  I think Barry is saying that the OS will never choose 
the anycast address as a source because of the aliasing and routing, in 
which case the query-source option at the above URL is superfluous and 
(at least to those of us of limited intelligence) misleading.

>  For local anycast you can sometimes get away with it
>  if the load balancer / router has enough smarts to get the
>  reply to the right instance.  Even then you need to map
>  both UDP and TCP connections to the same instance.

That's not our issue.  On rudimentary testing our routing setup seems to 
Do The Right Thing.  Hooray!


Sam Wilson                             one of hostmaster at ed.ac.uk
Infrastructure Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK
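A named.conf fragment, added here as an illustration and not taken from the thread or from ISC's documentation, showing the workaround Sam mentions: listen on both the shared anycast address and a box-specific unicast address, and pin every source-address option to the unicast one, since query-source accepts only a single address. The addresses are placeholders from the documentation ranges, and the directory and interface names are assumptions.

```conf
// Added example, not from the original thread. Placeholder addresses:
//   192.0.2.53   = shared anycast service address (a /32 on lo0)
//   198.51.100.7 = this server's own unicast address
options {
    directory "/var/named";

    // Accept queries on the anycast service address and on the box's own address.
    listen-on { 192.0.2.53; 198.51.100.7; };

    // query-source takes one address, so pin it to the unicast address.
    // A query sourced from the anycast address could get its reply routed
    // to a different instance.  Leave the port unspecified so named chooses it.
    query-source address 198.51.100.7;

    // The same concern applies to notifies and zone transfers this server originates.
    notify-source 198.51.100.7;
    transfer-source 198.51.100.7;
};
```

Check the syntax with `named-checkconf`, then confirm the behaviour on the wire: a capture such as `tcpdump -ni eth0 'udp port 53 and src host 192.0.2.53'` (interface name assumed) should show only replies to clients, never outbound recursive queries, while `src host 198.51.100.7` should carry the queries named sends upstream.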


