[nsd-users] Geographic IP Location Based DNS Query Responding

Bry8 Star bry8star at inventati.org
Mon Aug 26 17:40:16 UTC 2013 

Hi, If i were to place 3 NS/DNS servers in 3 different
geographic/country location (for a set of domain-names), and want to
serve dns services to users(site-visitors) from their geographic
closest location based NS/DNS server first, how would i configure NSD ?

For example:

Let's assume, my primary domain-name is "dom1.tld".
Some of my other domain-names are using the primary domain-name's
services.

"s-us" server is in US, "s-br" is in BR, "s-nl" is in NL,
and currently, s-us is primary server,
and, let's assume, a visitor/user from US is v_us, and v_br is from
BR, and v_nl is from NL.

Then:

I want to send NS response in this specific order to user v_us who
is from US:
dom1.tld. 3000 IN NS s-us.dom1.tld.
dom1.tld. 3000 IN NS s-br.dom1.tld.
dom1.tld. 3000 IN NS s-nl.dom1.tld.

and, want to send NS response in this specific order to v_br:
dom1.tld. 3000 IN NS s-br.dom1.tld.
dom1.tld. 3000 IN NS s-us.dom1.tld.
dom1.tld. 3000 IN NS s-nl.dom1.tld.

and, send NS RRs in such order to v_nl:
dom1.tld. 3000 IN NS s-nl.dom1.tld.
dom1.tld. 3000 IN NS s-us.dom1.tld.
dom1.tld. 3000 IN NS s-br.dom1.tld.

And/Or, then, i also want to send, different set of other DNS RR
based on visitor's geographic location:

s-us.dom1.tld server will send it's own A, AAAA, MX, CNAME, SRV,
TLSA, etc, as first DNS RR, for user like v_us:
dom1.tld. 900 IN A    IP.ADRS_S-US_IPv4
dom1.tld. 900 IN A    IP.ADRS_S-BR_IPv4
dom1.tld. 900 IN A    IP.ADRS_S-NL_IPv4
dom1.tld. 900 IN AAAA IP::ADRS_S-US_IPv6
dom1.tld. 900 IN AAAA IP::ADRS_S-BR_IPv6
dom1.tld. 900 IN AAAA IP::ADRS_S-NL_IPv6
s-us.dom1.tld. 900 IN A    IP.ADRS_S-US_IPv4
s-br.dom1.tld. 900 IN A    IP.ADRS_S-BR_IPv4
s-nl.dom1.tld. 900 IN A    IP.ADRS_S-NL_IPv4
s-us.dom1.tld. 900 IN AAAA IP::ADRS_S-US_IPv6
s-br.dom1.tld. 900 IN AAAA IP::ADRS_S-BR_IPv6
s-nl.dom1.tld. 900 IN AAAA IP::ADRS_S-NL_IPv6

s-br.dom1.tld will send it's own A, AAAA, MX etc, as first, for v_br:
dom1.tld. 900 IN A    IP.ADRS_S-BR_IPv4
dom1.tld. 900 IN A    IP.ADRS_S-US_IPv4
dom1.tld. 900 IN A    IP.ADRS_S-NL_IPv4
dom1.tld. 900 IN AAAA IP::ADRS_S-BR_IPv6
dom1.tld. 900 IN AAAA IP::ADRS_S-US_IPv6
dom1.tld. 900 IN AAAA IP::ADRS_S-NL_IPv6
s-br.dom1.tld. 900 IN A    IP.ADRS_S-BR_IPv4
s-us.dom1.tld. 900 IN A    IP.ADRS_S-US_IPv4
s-nl.dom1.tld. 900 IN A    IP.ADRS_S-NL_IPv4
s-br.dom1.tld. 900 IN AAAA IP::ADRS_S-BR_IPv6
s-us.dom1.tld. 900 IN AAAA IP::ADRS_S-US_IPv6
s-nl.dom1.tld. 900 IN AAAA IP::ADRS_S-NL_IPv6

s-nl.dom1.tld will send it's own A, AAAA, MX etc, as first, for v_nl:
dom1.tld. 900 IN A    IP.ADRS_S-NL_IPv4
dom1.tld. 900 IN A    IP.ADRS_S-US_IPv4
dom1.tld. 900 IN A    IP.ADRS_S-BR_IPv4
dom1.tld. 900 IN AAAA IP::ADRS_S-NL_IPv6
dom1.tld. 900 IN AAAA IP::ADRS_S-US_IPv6
dom1.tld. 900 IN AAAA IP::ADRS_S-BR_IPv6
s-nl.dom1.tld. 900 IN A    IP.ADRS_S-NL_IPv4
s-us.dom1.tld. 900 IN A    IP.ADRS_S-US_IPv4
s-br.dom1.tld. 900 IN A    IP.ADRS_S-BR_IPv4
s-nl.dom1.tld. 900 IN AAAA IP::ADRS_S-NL_IPv6
s-us.dom1.tld. 900 IN AAAA IP::ADRS_S-US_IPv6
s-br.dom1.tld. 900 IN AAAA IP::ADRS_S-BR_IPv6

A local ns/dns server for a local user/visitor, will send non-local
server's DNS RR as 2nd or 3rd DNS RR, so that, if closest local
server(s) is/are down, only then user's/visitor's dns-client
will/can re-attempt to connect user with another non-local server(s).

If dns query received in any server is from a different (that is,
non-local) geo location/zone based user/visitor, then NSD will have
to send that user's closest location based server's A, AAAA, MX etc
first.

So basically, there will be 3 different set of DNS configurations,
pre-tuned for mentioned 3 different geographic locations, and NSD
needs to detect visitor's/user's IP address (based on maxmind
geolite db) and then based geoip deliver the related set of DNS
responses, AND, also periodically check for each server's
inactivity/fail/delay status, and when (lesser level of) inactivity
situation occurs, then NSD need to send another alternate set of DNS
response.

And if these functionalities are possible without depending directly
on manually added static IPtables (or pf) rules, that would be
better, i think.

Actually, each geographic location will have two (authoritative)
NS/DNS server, so it will be in total 6 servers for dom1.tld in 3
different geographic locations, for redundancy/failover, update,
load-balance, etc purpose.  But i used one server now in each above
mentioned location, as its easier to elaborate in this email
message, so pls consider that in your response/suggestion.

- - - - -

If such(GeoIP based load-balancing) feature(native, built-in, or
plugin-based) do not exist currently yet in NSD, is there a
possibility of such feature(s), or, its in what development stage ?

There are open-source and free database available, which includes
IP-address and ranges, their geographic location related various
info.  And these are updated & shared for free as well by their
publishers.

There are few other GPL based DNS-server software which can provide
geographic location based services to users, and can also provide
load balancing, redirection, etc, but do not yet support full
DNSSEC, can related libraries or codes be used from those software
in/with NSD ?

And i can already see, now NSD supports few RRL features as well.
Various rate-limiting features for a DNSSEC based DNS server is
(almost) essential now.  (And my understanding is) it also supports
ECDSA for DNSKEY and TLSA.

Some authorities/areas have already passed laws+restrictions, that,
users who are physically inside their area, such user's sensitive
info, data MUST have to be kept inside servers which are physically
located inside that area, not on an outside server.  Many others
will soon follow.

Thanks in advance,
-- Bright Star.

bry 8 st ar a. at t. in ven ta ti d.o.t. or g:
GPG-FPR:C70FD3D070EB5CADFC040FCB80F68A461F5923FA.
bry 8 st ar a. at t. ya hoo d.o.t. c om:
GPG-FPR:12B77F2C92BF25C838C64D9C8836DBA2576C10EC.


GeoIP resources:
http://dev.maxmind.com/
http://dev.maxmind.com/geoip/geoip2/geolite2/
http://www.maxmind.com/en/geoip_resources
http://opensourcegis.org/

Geo-location based DNS:
https://github.com/blblack/gdnsd

(Please do not send/response any emails directly to me, send your
response for this/any thread to only one email address of this
mailing-list's email-address, thanks : nsd-users at nlnetlabs.nl )

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20130826/ceab164f/attachment.bin>

More information about the nsd-users mailing list