Achieving High-Availability DNS

-

Implementing Anycast with MikroTik OSPF and AdGuard Home

In high-availability infrastructure, DNS is a non-negotiable critical service. Conventional "Primary and Secondary" DNS configurations often suffer from client-side timeout issues. By leveraging Anycast via OSPF, we ensure that DNS failover is handled instantly by the router, providing a truly redundant and load-balanced experience.

I. The Evolution: Before vs After

Traditional Setup (Unicast)

Clients have two separate IPs. If Server 1 dies, the client "hangs" waiting for a timeout before trying Server 2. This causes perceptible delays.

[ CLIENT ] (DNS: .3 & .4) | (Waiting for .3...) v +----------------+ | ROUTER | +-------+--------+ | +----+----+ | | v v [ ADGUARD 1 ] [ ADGUARD 2 ] (.88.3) (.88.4) FAILED! IDLE

Anycast Setup (OSPF)

Both servers share a "Magic IP" (.100). The MikroTik router sees two paths to the same IP. If one server fails, traffic is instantly rerouted.

[ CLIENT ] (DNS: .100) | (Zero Latency) v +----------------+ | MIKROTIK | (OSPF Core) +-------+--------+ | +----+----+ (ECMP Split) | | v v [ ADGUARD 1 ] [ ADGUARD 2 ] (.100) (.100) ACTIVE ACTIVE

II. Technical Terminology & Core Concepts

To understand how this high-availability system works, we must define its core components:

  • OSPF (Open Shortest Path First): A dynamic routing protocol that allows routers and servers to share information about available paths. In this setup, AdGuard "advertises" its availability to the MikroTik router.
  • Anycast: A network addressing method where a single IP address is shared by multiple endpoints. The router directs traffic to the best available path.
  • FRR (Free Range Routing): An open-source routing suite for Linux that enables our AdGuard Containers (LXC) to communicate with the MikroTik router using OSPF.

III. Deep Dive: The Mechanics of FRR & OSPF Anycast

To master this setup, we must understand how FRR (Free Range Routing) transforms a standard DNS server into a network-aware node.

1. The Role of FRR

FRR is the engine that allows your Linux server to "speak" the language of routers. Instead of the MikroTik router manually checking if the server is up, the server uses FRR to announce its own existence. If the DNS service or the server itself fails, the announcement stops, and the router immediately knows the path is gone.

2. The Link-State Advertisement (LSA)

In OSPF, every node (AdGuard LXCs) acts as a neighbor to the MikroTik. Through FRR, the LXC sends an LSA. It tells the MikroTik: "I have a route to 192.168.88.100." Since both instances send the same advertisement, the MikroTik's Link-State Database sees two valid paths.

3. Understanding ECMP (Equal-Cost Multi-Path)

This triggers the + in DAo+. When OSPF finds multiple paths with the exact same cost and Administrative Distance (110), it uses ECMP to distribute traffic mathematically across all available healthy gateways.

4. The "Anycast" Illusion

The servers aren't "clustering" in the traditional sense. Instead, the Network is being gracefully manipulated. By assigning the IP to a loopback interface, the server accepts traffic for that IP locally, while FRR ensures the router knows where to send those packets.

5. Convergence and Health Checking

OSPF uses Hello Packets. If an AdGuard LXC freezes or FRR stops, the OSPF adjacency drops. The MikroTik immediately removes that path, redirecting all .100 traffic to the healthy node in seconds.

IV. Concept Architecture

The core of this setup is the "Magic IP"—a single IP address (192.168.88.100) shared by multiple instances. The MikroTik router uses OSPF to determine reachability and perform load balancing.

[ CLIENT SUBNETS ] | +-------------------+ | MikroTik Router | <--- Area 0 Backbone | (192.168.88.1) | +---------+---------+ | +-------+-------+ +----------+ +----------+ | AdGuard1 | | AdGuard2 | +----------+ +----------+ \--(.100)--/ <--- Anycast IP

V. Server-Side Configuration (Linux LXC)

1. Assigning the Anycast Loopback IP

We use a loopback interface so the IP exists independently of the physical network card.

# Immediate Application:
ip addr add 192.168.88.100/32 dev lo

# Persistent Configuration: Edit /etc/network/interfaces
auto lo:1
iface lo:1 inet static
    address 192.168.88.100
    netmask 255.255.255.255

2. AdGuard Home Listener Settings

AdGuard must listen on all interfaces to respond to the loopback IP.

  1. Open config: nano /opt/AdGuardHome/AdGuardHome.yaml
  2. Modify: bind_host: 0.0.0.0
  3. Restart: systemctl restart AdGuardHome

3. Dynamic Routing with OSPF (FRR)

We use FRR (Free Range Routing) to "advertise" our Anycast IP.

# 1. Install FRR
apt update && apt install frr -y

# 2. Enable OSPF: Edit /etc/frr/daemons and set 'ospfd=yes'
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons
systemctl restart frr

# 3. Configure via vtysh
vtysh
conf t
router ospf
  network 192.168.88.0/24 area 0
  network 192.168.88.100/32 area 0
exit
wr

VI. MikroTik Router Configuration

1. OSPF Interface Template

Navigate to Routing > OSPF > Interface Templates:

  • Interfaces: Select the Bridge/VLAN where AdGuard resides.
  • Area: backbone (Area 0).
  • Network Type: broadcast.

2. Verification: Decoding the MikroTik Route Status (DAo+)

Navigate to IP > Routes. You should see 192.168.88.100 with status DAo+. These flags are the primary indicators of a successful Anycast setup:

  • D (Dynamic): The route was learned automatically via a protocol, not entered manually.
  • A (Active): The route is currently valid and in use.
  • o (OSPF): Confirms the route was learned through the OSPF protocol.
  • + (ECMP - Equal-Cost Multi-Path): Indicates the router sees two or more equal paths to the same IP and is load-balancing traffic between them.
📷 PROOF: MIKROTIK ROUTE LIST (DAo+)

VII. Testing and Failover

The beauty of this setup is in its resilience:

  1. Shutdown Node 1: Observe MikroTik routes; the status changes from DAo+ to DAo as the path is withdrawn.
  2. Client Experience: Zero interruption. The router instantly shifts traffic to the healthy node.

Conclusion

By moving the "intelligence" of failover to the network infrastructure, you achieve an enterprise-grade DNS environment. Maintenance and hardware failures no longer impact your users.

Comments

Post a Comment

Popular posts from this blog

Suricata on Mikrotik(IDS+IPS) = Part 4 - Configuration of the IPS Part

-
Image
  Configuration Disclaimer:  this one again is only for  ubuntu 18.04  and login as  root  user to be sure Make sure you have a good understanding of the suricata rules before doing this This might cause some disconnection from the site or services you are visiting and even the internet if not properly configured. In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /ip firewall filter add action=drop chain=input comment="Block bad actors" src-address-list=Blocked /ip firewall filter add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked create a user group with all policies checked except telnet create a user allowing your local addresses with the group you created earlier Lets Start ... 1.      Install PHP         apt install php -y 2.   Navigate...
Read more

DHCP for Dummies: How Your Devices Get Online Without You Lifting a Finger

-
Image
DHCP for Dummies: How Your Devices Get Online Without You Lifting a Finger Introduction Ever wondered how your phone, laptop, or smart TV connects to the internet without you having to do anything? One minute you’re tapping "Connect to Wi-Fi," and the next, boom—you’re online. That magic? It’s all thanks to DHCP. DHCP (Dynamic Host Configuration Protocol) is what hands out IP addresses to your devices, kind of like a hotel receptionist giving guests room keys. It’s automatic, invisible, and keeps everything running smoothly—until something breaks. In this guide, you’ll learn: ✔️ What DHCP is (in plain English). ✔️ How it works behind the scenes. ✔️ Why it’s better than manually assigning IP addresses. ✔️ How to fix common DHCP problems without calling IT. By the end, you’ll have a solid grip on DHCP—even if tech stuff usually makes your head hurt. Let’s go! --- What is DHCP? (The No-Nonsense Explanation) Okay, imagine you walk into a hotel. You don’t pick a room or set up a k...
Read more

Media Server vs File Server in a nutshell

-
Image
Media Server vs File Server in a nutshell A media server is like your personal Netflix. It doesn’t just store your movies, shows, or music – it also organises them, adds cool stuff like posters and descriptions, and remembers where you stopped watching. It can even adjust the files so they play perfectly on any device you’re using. Examples? Plex, Jellyfin, or Emby. A file server , on the other hand, is like a shared storage box. It just holds your files and lets you access them from your devices. You can still watch your movies or listen to music from it, but there’s no fancy organisation, no movie posters, no “resume playback,” and it won’t fix any file that doesn’t work on your device. So, think of it this way: Media server = organised, smart, user-friendly. File Server = simple, no-frills file storage. References: - https://www.geeksforgeeks.org/what-is-file-server/ - https://medium.com/@divitia/jellyfin-vs-plex-what-should-you-choose-4f8337cd...
Read more