This lab will allow you to:
- Observe BGP Anycast routing in action where multiple servers share the same IP prefix.
- Understand how the BGP AS-path length determines which server a client reaches.
- Compare two modern encrypted DNS protocols: DoT (DNS over TLS) and DoH (DNS over HTTPS).
- Manipulate BGP routing to redirect traffic between anycast servers.
Lab Presentation
This lab demonstrates BGP Anycast applied to DNS infrastructure.
Both NS1 and NS2 advertise the same anycast prefix into BGP.
NS1 serves DNS over HTTPS (DoH) and NS2 serves DNS over TLS (DoT).
📥 Download the Base Lab
To begin the exercise, you need to download the archive. It contains the configuration (without errors).
🔍 What to Explore
The lab is structured around three progressive investigations.
Step 1: Find the anycast prefix
Before sending any DNS query, identify the anycast prefix advertised by both NS1 and NS2.
Once you have found the prefix, use it as PREFIX in all commands below.
Step 2: Observe BGP Anycast routing
Identify which DNS server the client reaches by default and understand why.
The domain is lab.be.
Use traceroute6 to confirm the physical path taken.
Step 3: Compare DoT, DoH and standard DNS
Send the same query using each protocol and capture the traffic simultaneously.
Open two terminals: one for tcpdump, one for the query.
Step 4: Redirect traffic to the other server
The lab archive includes a helper script bgpRemovePrefix.sh to withdraw the anycast
prefix from the currently active DNS server, forcing BGP to switch to the other one.
Run it inside the DNS server container you want to withdraw from:
# usage: ./bgpRemovePrefix.sh <as_number> <anycast_prefix>
# example: ./bgpRemovePrefix.sh 100 PREFIX
After running it, verify the switch and confirm the client now reaches the other server.
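As an added example (not part of the lab archive), the POSIX shell script below applies the reasoning of Steps 1, 2 and 4 to a constructed, simplified sample of the "show bgp ipv6 unicast" output: it finds the prefix announced from two origin ASes, picks the path BGP prefers when only the AS-path length differs, and shows which origin wins once the other has withdrawn the prefix. The prefixes, AS numbers, next hops and the column layout are assumptions; real FRR output wraps long IPv6 lines, so the awk field indexes must be adapted to the actual table.

```shell
#!/bin/sh
# Added example, not part of the lab archive. BGP_TABLE is a constructed,
# simplified rendering of "vtysh -c 'show bgp ipv6 unicast'" on the client's
# router (assumed columns: status prefix next-hop metric weight <AS path...> origin).
BGP_TABLE='*> 2001:db8:53::/48 fe80::1 0 0 10 100 i
*  2001:db8:53::/48 fe80::2 0 0 10 20 200 i
*> 2001:db8:1::/48 fe80::3 0 0 10 100 i'

# Step 1: the anycast prefix is the one reachable from more than one origin AS
# (NS1 in AS 100 and NS2 in AS 200 here; both AS numbers are assumptions).
find_anycast_prefix() {
  printf '%s\n' "$BGP_TABLE" | awk '
    { origin = $(NF-1); if (!seen[$2, origin]++) origins[$2]++ }
    END { for (p in origins) if (origins[p] > 1) print p }'
}

# Step 2: with all other attributes equal, BGP prefers the shortest AS path.
# Prints "<next hop> <origin AS> <AS-path length>" for the winning route.
# $1 = prefix, $2 = origin AS whose routes are ignored (empty = none), which
# models Step 4, where bgpRemovePrefix.sh withdraws the prefix from that AS.
best_path() {
  printf '%s\n' "$BGP_TABLE" | awk -v p="$1" -v withdrawn="$2" '
    $2 == p && $(NF-1) != withdrawn {
      len = NF - 6      # AS-path fields sit between $6 and $(NF-1)
      if (best == "" || len < best) { best = len; nh = $3; org = $(NF-1) }
    }
    END { if (best != "") print nh, org, best }'
}

PREFIX=$(find_anycast_prefix)
echo "anycast prefix:          $PREFIX"
echo "default (nh origin len): $(best_path "$PREFIX")"
echo "after AS 100 withdraws:  $(best_path "$PREFIX" 100)"
```

The shortest AS path (2 hops via AS 100) wins by default; once AS 100 withdraws the prefix, the 3-hop path through AS 200 becomes the only candidate, which is what Step 4 makes you observe with traceroute6.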
Useful Commands
# Inspect the routing table and find the anycast prefix
vtysh -c "show bgp ipv6 unicast"
# Check BGP session state
vtysh -c "show bgp neighbors"
# Confirm the path taken to the anycast address
traceroute6 PREFIX
# Standard DNS (port 53)
dig -6 lab.be @PREFIX
# Capture: content is fully readable
tcpdump -i eth0 -n port 53
# DNS over HTTPS (DoH, port 443)
dig -6 @PREFIX -p 443 +https lab.be
# Capture: encrypted, indistinguishable from normal HTTPS traffic
tcpdump -i eth0 -n port 443
# DNS over TLS (DoT, port 853)
dig -6 @PREFIX -p 853 +tls lab.be
# Capture: encrypted TLS stream, but port 853 is visible and identifiable
tcpdump -i eth0 -n port 853
- BGP Anycast explained: https://www.noction.com/blog/bgp-anycast
- RFC 7858, DNS over TLS: https://datatracker.ietf.org/doc/rfc7858/
- RFC 8484, DNS over HTTPS: https://datatracker.ietf.org/doc/rfc8484/
- FRRouting BGP: https://docs.frrouting.org/en/latest/bgp.html
- Kathara: https://github.com/KatharaFramework/Kathara/wiki