Assuming you are using Bind9 as your forwarding DNS server, setting the transfer-source and the query-source to the Droplet’s “anchor IP” should cause outgoing traffic to come from your Floating IP.
From How To Use Floating IPs on DigitalOcean:
An anchor IP is only accessible to the Droplet that it belongs to, and to a Floating IP that is assigned to the Droplet. The implication of this is that the anchor IP is where you should bind any public services that you want to make highly available through a Floating IP. For example, if you are using a Floating IP in an active/passive load balancer setup, you should bind your load balancer services to their respective Droplet anchor IPs so they can only be accessed via the Floating IP address. This will prevent your users from using the public IP addresses of your Droplets to bypass your Floating IP.
You can find it using:
The “anchor IP” (highlighted) will be under your normal public IP address information:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 04:01:19:f7:52:01 brd ff:ff:ff:ff:ff:ff
inet 104.236.70.41/18 brd 104.236.127.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.10.0.5/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::601:19ff:fef7:5201/64 scope link
valid_lft forever preferred_lft forever
Or you could find it via the metadata service. It will be returned if you query:
- curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address
So the options section of your Bind9 configuration should have a section that looks like:
/etc/bind/named.conf.options
query-source 10.10.0.5;
transfer-source 10.10.0.5;
For more info on Bind’s usage of addresses and ports, this excerpt of O'Reilly’s DNS & Bind is helpful.
