I am forwarding dns queries onto another external dns server. I would like the queries to appear as they’re coming from the floating ip, not the public ip address of my droplet. Any ideas on how to force outgoing traffic through the floating ip address?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer

Assuming you are using Bind9 as your forwarding DNS server, setting the transfer-source and the query-source to the Droplet’s “anchor IP” should cause outgoing traffic to come from your Floating IP.

From How To Use Floating IPs on DigitalOcean:

An anchor IP is only accessible to the Droplet that it belongs to, and to a Floating IP that is assigned to the Droplet. The implication of this is that the anchor IP is where you should bind any public services that you want to make highly available through a Floating IP. For example, if you are using a Floating IP in an active/passive load balancer setup, you should bind your load balancer services to their respective Droplet anchor IPs so they can only be accessed via the Floating IP address. This will prevent your users from using the public IP addresses of your Droplets to bypass your Floating IP.

You can find it using:

  • ip addr show eth0

The “anchor IP” (highlighted) will be under your normal public IP address information:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 04:01:19:f7:52:01 brd ff:ff:ff:ff:ff:ff
    inet 104.236.70.41/18 brd 104.236.127.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.0.5/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::601:19ff:fef7:5201/64 scope link 
       valid_lft forever preferred_lft forever

Or you could find it via the metadata service. It will be returned if you query:

  • curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address

So the options section of your Bind9 configuration should have a section that looks like:

/etc/bind/named.conf.options
        query-source 10.10.0.5;
        transfer-source 10.10.0.5;

For more info on Bind’s usage of addresses and ports, this excerpt of O'Reilly’s DNS & Bind is helpful.

Submit an Answer