Using two VyOS instances, LR1 (Lab Router 1) and LR2 (Lab Router 2), with the following config:
LR1
    interfaces {
        ethernet eth0 {
            address 172.16.37.240/24
            vrrp {
                vrrp-group 200 {
                    authentication {
                        password foooo
                        type plaintext-password
                    }
                    priority 10
                    virtual-address 172.16.37.222
                }
            }
        }
    }
    ...
    service {
        dns {
            forwarding {
                cache-size 0
                ignore-hosts-file
                listen-on eth0
                name-server 1.1.1.1
            }
        }
    }

    # netstat -npl | grep ":53"
    (No info could be read for "-p": geteuid()=1000 but you should be root.)
    tcp        0      0 172.16.37.222:53        0.0.0.0:*               LISTEN      -
    tcp        0      0 172.16.37.240:53        0.0.0.0:*               LISTEN      -
    tcp6       0      0 fe80::250:56ff:feaa::53 :::*                    LISTEN      -
    udp        0      0 172.16.37.222:53        0.0.0.0:*                           -
    udp        0      0 172.16.37.240:53        0.0.0.0:*                           -
    udp6       0      0 fe80::250:56ff:feaa::53 :::*                                -
LR2
    interfaces {
        ethernet eth0 {
            address 172.16.37.241/24
            smp-affinity auto
            speed auto
            vrrp {
                vrrp-group 200 {
                    authentication {
                        password foooo
                        type plaintext-password
                    }
                    priority 10
                    virtual-address 172.16.37.222
                }
            }
        }
    }
    ...
    service {
        dns {
            forwarding {
                cache-size 4
                ignore-hosts-file
                listen-on eth0
                name-server 1.1.1.1
            }
        }
    }

    # netstat -npl | grep ":53"
    (No info could be read for "-p": geteuid()=1000 but you should be root.)
    tcp        0      0 172.16.37.241:53        0.0.0.0:*               LISTEN      -
    tcp6       0      0 fe80::250:56ff:feaa::53 :::*                    LISTEN      -
    udp        0      0 172.16.37.241:53        0.0.0.0:*                           -
    udp6       0      0 fe80::250:56ff:feaa::53 :::*                                -
... had the effect that when LR1 died and LR2 took over, the DNS forwarder (PowerDNS Recursor) on LR2 was not listening on the VRRP virtual address 172.16.37.222: LR1 had sockets bound to both its interface address and the virtual address, LR2 only to its interface address.
The reason LR1 listens on the VRRP address and LR2 does not lies in how the PDNS recursor configuration file /etc/powerdns/recursor.conf is generated: `listen-on eth0` is expanded into the list of addresses assigned to eth0 at the time the file is written, and that list becomes the recursor's local-address setting.
LR1
    $ cat /etc/powerdns/recursor.conf | grep local-addr
    local-address=172.16.37.240,172.16.37.222,fe80::250:56ff:feaa:8b61%eth0
LR2
    $ cat /etc/powerdns/recursor.conf | grep local-addr
    local-address=172.16.37.241,fe80::250:56ff:feaa:e4e5%eth0
It's simple: in VRRP BACKUP state the virtual address is not assigned to the interface, so it never makes it into local-address. Compare the interface addresses on the two routers.
LR2
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:50:56:aa:e4:e5 brd ff:ff:ff:ff:ff:ff
        inet 172.16.37.241/24 brd 172.16.37.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::250:56ff:feaa:e4e5/64 scope link
           valid_lft forever preferred_lft forever
compared to LR1, which as MASTER carries the virtual address 172.16.37.222/32 on eth0:
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:50:56:aa:8b:61 brd ff:ff:ff:ff:ff:ff
        inet 172.16.37.240/24 brd 172.16.37.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet 172.16.37.222/32 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::250:56ff:feaa:8b61/64 scope link
           valid_lft forever preferred_lft forever
Simple problem, but I don't yet know how to solve it.
Possible solutions:
- Run a keepalived notify script on failover that fixes up the recursor's local-address: https://raymii.org/s/tutorials/Keepalived_notify_script_execute_action_on_failover.html
- Upgrade to PDNS recursor 4.0.4 from jessie-backports and set non-local-bind (https://doc.powerdns.com/recursor/settings.html#non-local-bind), which lets the recursor bind local-address entries that are not (yet) assigned to the host, so the VRRP address can stay in local-address on both routers.
- For both solutions we have to retrieve the VRRP virtual address from our configuration, since the generated recursor.conf on the BACKUP node does not contain it.
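The following notify script combines the first and third options above. It is an added example written for this page, not code from the original post, VyOS or PowerDNS: it reads the VRRP virtual-address out of the VyOS config, appends it to the recursor's local-address when keepalived reports MASTER, removes it again on BACKUP/FAULT (so the recursor never tries to bind an address the kernel has not assigned), and restarts the recursor. The config path /config/config.boot, the service name pdns-recursor and the keepalived argument order (TYPE NAME STATE) are assumptions about the lab, not something the page states; the sample inputs at the bottom are constructed from the LR2 output shown above.

```shell
#!/bin/sh
# Added example, not code from the original post or from VyOS/PowerDNS:
# a keepalived-style notify script that adds the VRRP virtual address to the
# recursor's local-address when this node becomes MASTER and removes it again
# on BACKUP/FAULT, so the recursor never tries to bind an address the kernel
# has not assigned. Paths, the service name and the keepalived argument order
# are assumptions about the lab, not something the page states.

VYOS_CONFIG="${VYOS_CONFIG:-/config/config.boot}"              # assumed location of the saved VyOS config
RECURSOR_CONF="${RECURSOR_CONF:-/etc/powerdns/recursor.conf}"

# Print every VRRP virtual-address found in a VyOS config read from stdin.
# awk splits on whitespace, so the flattened one-line form and the normal
# multi-line config.boot both work; a /prefix, if present, is dropped.
vrrp_vips() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if (prev == "virtual-address") { a = $i; sub(/\/.*/, "", a); print a }
            prev = $i
        }
    }'
}

# Copy recursor.conf from stdin to stdout with $1 appended to local-address
# (idempotent: an address that is already listed is not added twice).
add_local_address() {
    awk -v vip="$1" '
        /^local-address=/ {
            n = split(substr($0, 15), a, ",")       # "local-address=" is 14 chars
            found = 0
            for (i = 1; i <= n; i++) if (a[i] == vip) found = 1
            if (!found) $0 = (n ? $0 "," : $0) vip
        }
        { print }'
}

# Copy recursor.conf from stdin to stdout with $1 removed from local-address.
remove_local_address() {
    awk -v vip="$1" '
        /^local-address=/ {
            n = split(substr($0, 15), a, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (a[i] != vip) out = out (out == "" ? "" : ",") a[i]
            $0 = "local-address=" out
        }
        { print }'
}

# keepalived invokes a notify script as: notify TYPE NAME STATE [PRIORITY].
notify() {
    state="$3"
    case "$state" in
        MASTER|BACKUP|FAULT) ;;
        *) echo "notify: unexpected state '$state'" >&2; return 1 ;;
    esac
    for vip in $(vrrp_vips < "$VYOS_CONFIG"); do
        if [ "$state" = MASTER ]; then
            add_local_address "$vip" < "$RECURSOR_CONF" > "$RECURSOR_CONF.tmp"
        else
            remove_local_address "$vip" < "$RECURSOR_CONF" > "$RECURSOR_CONF.tmp"
        fi
        mv "$RECURSOR_CONF.tmp" "$RECURSOR_CONF"
    done
    service pdns-recursor restart    # assumed Debian service name; makes the recursor re-read local-address
}

# Constructed samples modelled on the page's LR2 output (not real lab files),
# used by the self-test below.
SAMPLE_VYOS_CONFIG='interfaces {
    ethernet eth0 {
        address 172.16.37.241/24
        vrrp {
            vrrp-group 200 {
                priority 10
                virtual-address 172.16.37.222
            }
        }
    }
}'
SAMPLE_RECURSOR_CONF='local-address=172.16.37.241,fe80::250:56ff:feaa:e4e5%eth0
# other generated settings follow'

selftest() {
    vip="$(printf '%s\n' "$SAMPLE_VYOS_CONFIG" | vrrp_vips)"
    [ "$vip" = "172.16.37.222" ] || return 1
    master="$(printf '%s\n' "$SAMPLE_RECURSOR_CONF" | add_local_address "$vip")"
    [ "$(printf '%s\n' "$master" | head -n 1)" = \
      "local-address=172.16.37.241,fe80::250:56ff:feaa:e4e5%eth0,172.16.37.222" ] || return 1
    [ "$(printf '%s\n' "$master" | add_local_address "$vip")" = "$master" ] || return 1   # idempotent
    [ "$(printf '%s\n' "$master" | remove_local_address "$vip")" = "$SAMPLE_RECURSOR_CONF" ] || return 1
    echo "selftest ok"
}

# With keepalived's arguments act as the notify hook; with none, run the
# self-test against the constructed samples.
if [ "$#" -ge 3 ]; then notify "$@"; else selftest; fi
```

Two caveats a practitioner should check before relying on this: VyOS regenerates recursor.conf (and the keepalived configuration that would have to reference this script) on every commit, so the hook needs to survive or be re-applied after a commit, and how that is done depends on the VyOS version, which the page does not state. If you instead take the second option and run a recursor with non-local-bind enabled, only the add_local_address step is needed once per router; the address can then remain in local-address permanently and the BACKUP node's socket simply receives nothing until VRRP moves the address to it.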