
Delegate subzone AWS Name Servers

otakuinside
Techie
Posts: 2
1594     0

Hi all,

 

I'm trying to configure a delegated subzone inside one of my zone domains, but I have noticed that I have to set my external NS server via IP (only IP), so I cannot set an AWS DNS name in the field. AWS provides the names of their NS, but not IP addresses (in fact, IMHO setting external servers with IP addresses is a really bad practice, since you don't have control of those remote services).

 

I also tried creating a Name Server group and add this group to the delegated zone, but the server definition works the same way: Name <> IP (just IP address)

 

Does anyone know how to workaround or solve it?

 

Thanks!

 

Re: Delegate subzone AWS Name Servers

Adviser
Posts: 126
1595     0

Hello There,

 

 

Can you try the following and let us know if this works for you:

 

 

  • While creating the delegated zone in Infoblox, just add some dummy IP address for the FQDN of the AWS server -> Save the configuration.

 

  • I’ll call the FQDN of the AWS name server to be “ns1.aws.dns.com” & the Infoblox DNS server to be ‘NS’.

 

  • Now add an appropriate DNS forwarder for the Infoblox name server (NS) in such a way that, while doing a ‘dig ns1.aws.dns.com’ from the CLI of ‘NS’, it returns the updated IP address of the AWS name server. -> This is the key factor here.

 

  • Now I believe things should work just fine for you. The reason being that, even if you add a dummy IP address during the configuration, your Infoblox DNS server still tries to resolve the FQDN of the delegated name server & if you set up things to favour this resolution, you’ll be good to go with this.

 

One important note: the resolved name of ‘ns1.aws.dns.com’ gets cached for the TTL given by the AWS server. So let’s say AWS changes this IP address right after ‘NS’ learns an IP address; there are chances that ‘NS’ would attempt to connect to an incorrect IP address of ‘ns1.aws.dns.com’ for a resolution. Now, if the ‘Max cache TTL’ of your Infoblox DNS server (NS) is small enough to have the updated record in its cache each time, then there’s nothing much to worry about.

 

 

As this is a workaround that I can suggest, please have this tested before implementation and let us know if this works for you.

 

 

Best regards,

Mohammed Alman.

Re: Delegate subzone AWS Name Servers

otakuinside
Techie
Posts: 2
1595     0

Hi @malman

 

thanks for your proposal.

 

Let me be sincere: it looks like quite a tricky solution and not very trustworthy :/ This is required for a very high criticality service in an international company project, so I have to be quite sure that it's not going to be a problem in the future. Since it's a proposal you haven't experienced yourself, I'm concerned that it might fail.

 

It's difficult for me to understand that Infoblox cannot do that basic configuration :)

 

I'm VERY grateful for your response, time, effort and free collaboration, but I think I'll try to find another solution. I hope you understand my position.

 

Kind Regards!

Re: Delegate subzone AWS Name Servers

TTiscareno Community Manager
Community Manager
Posts: 361
1595     0

It is not mentioned if this is Route 53 or not, but the steps would be the same for setting up a delegation:

 

  1. Create the zone in AWS/Route 53.
  2. From an instance within a VPC that the zone is associated with, query the first .2 IP address in the subnet for the zone, asking for all records.
  3. If the glue (A) record for the authoritative name server(s) is not included in the answer, query for the A record for the name that corresponds to the NS record(s).

 

If you are working with Route 53, another option is to use the Route 53 sync feature in Infoblox. This allows you to configure a synchronization task in NIOS which will pull all Route 53 data into NIOS. The zones will be replicated as authoritative zones in NIOS, enabling you to serve these from any server in your Grid, plus external servers.

 

This gives you flexibility so that you do not have to worry about making any updates for a static delegated zone, nor about any new zones that may be added in the future and that you would also be able to serve your Route 53 private hosted zone data outside of AWS.

 

 

To demonstrate this, here is a working example of how to query AWS DNS to obtain name server information:

 

-------------------

Note: Here are the environment details used for this example:

  • zone name = us-west-2.compute.internal
  • subnet = 172.31.0.0/16

-------------------

 

_________________________________________________________

  •  dig @172.31.0.2 us-west-2.compute.internal any

    ; <<>> DiG 9.10.4-P2 <<>> @172.31.0.2 us-west-2.compute.internal any
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6923
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;us-west-2.compute.internal.    IN      ANY

    ;; ANSWER SECTION:
    us-west-2.compute.internal. 60  IN      NS      ns0.us-west-2.compute.internal.
    us-west-2.compute.internal. 60  IN      SOA     ns0.us-west-2.compute.internal. hostmaster.amazon.com. 2012103100 3600 3600 3600 60

    ;; Query time: 2 msec
    ;; SERVER: 172.31.0.2#53(172.31.0.2)
    ;; WHEN: Wed Mar 14 16:21:10 UTC 2018
    ;; MSG SIZE  rcvd: 130

 

-----------------------------------------------------------------------------------

 

  • dig @172.31.0.2 ns0.us-west-2.compute.internal

    ; <<>> DiG 9.10.4-P2 <<>> @172.31.0.2 ns0.us-west-2.compute.internal
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7244
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ns0.us-west-2.compute.internal.        IN      A

    ;; ANSWER SECTION:
    ns0.us-west-2.compute.internal. 60 IN   A       172.16.0.23

    ;; Query time: 1 msec
    ;; SERVER: 172.31.0.2#53(172.31.0.2)
    ;; WHEN: Wed Mar 14 16:23:42 UTC 2018
    ;; MSG SIZE  rcvd: 75

 

__________________________________________________________________
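The two dig queries above walk a delegation by hand: first find the NS names for the zone, then (when no glue is returned) resolve each NS name to an address. The earlier reply in this thread adds the operational caveat that the resolved NS address is only as fresh as the cache TTL allows. The following script is an added example, not code from the thread or from Infoblox: it parses dig answer sections (the output captured above is embedded as constructed sample input), builds the NS -> glue-IP map a delegation needs, and reports how long a resolver with a given max cache TTL could hold a stale address. The function names and the `max_cache_ttl` parameter are this example's own.

```python
"""Build a delegation record set from dig answer sections and size the
stale-glue window described earlier in the thread.

Added example; parses text in the format dig prints, so it runs offline on
the captured output below and equally on live `dig` output piped in.
"""
import re

# Constructed sample input: answer sections copied from the dig output above.
ANY_RESPONSE = """\
;; ANSWER SECTION:
us-west-2.compute.internal. 60  IN      NS      ns0.us-west-2.compute.internal.
us-west-2.compute.internal. 60  IN      SOA     ns0.us-west-2.compute.internal. hostmaster.amazon.com. 2012103100 3600 3600 3600 60
"""

# Constructed sample: what `dig @172.31.0.2 <ns-name>` returned for each NS.
A_RESPONSES = {
    "ns0.us-west-2.compute.internal.": """\
;; ANSWER SECTION:
ns0.us-west-2.compute.internal. 60 IN   A       172.16.0.23
""",
}

# One resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_rrs(text):
    """Return (owner, ttl, type, rdata) for every record line; skips ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append((m["name"], int(m["ttl"]), m["type"], m["rdata"].strip()))
    return rrs


def nameservers(zone, any_text):
    """Step 2: NS targets for `zone` from the ANY (or NS) answer, sorted."""
    zone = zone.rstrip(".") + "."
    return sorted(rdata for name, _ttl, rtype, rdata in parse_rrs(any_text)
                  if rtype == "NS" and name == zone)


def glue(ns_names, any_text, a_lookup):
    """Step 3: map each NS name to [(ip, ttl)].

    A records already present in the first answer are used as-is; only NS
    names without glue trigger `a_lookup(ns)`, which must return dig text.
    """
    present = parse_rrs(any_text)
    out = {}
    for ns in ns_names:
        addrs = [(rdata, ttl) for name, ttl, rtype, rdata in present
                 if rtype == "A" and name == ns]
        if not addrs:
            addrs = [(rdata, ttl) for name, ttl, rtype, rdata in parse_rrs(a_lookup(ns))
                     if rtype == "A" and name == ns]
        out[ns] = addrs
    return out


def stale_window(glue_map, max_cache_ttl):
    """Seconds a resolver may keep serving an old NS address after AWS changes it.

    A resolver caches for min(record TTL, its max cache TTL), so that minimum
    is the worst-case window in which the delegation points at a stale IP.
    NS names with no glue at all are reported as None.
    """
    return {ns: (min(max(ttl for _ip, ttl in addrs), max_cache_ttl) if addrs else None)
            for ns, addrs in glue_map.items()}


if __name__ == "__main__":
    zone = "us-west-2.compute.internal"
    ns_list = nameservers(zone, ANY_RESPONSE)
    glue_map = glue(ns_list, ANY_RESPONSE, A_RESPONSES.__getitem__)
    for ns, addrs in glue_map.items():
        print(f"{zone} NS {ns} -> {[ip for ip, _ in addrs]}")
    print("stale window with max-cache-ttl 300:", stale_window(glue_map, 300))
```

Run it with no arguments to process the embedded sample; on a live system the same parser works on `dig @172.31.0.2 <zone> any` output, and `a_lookup` can wrap a `subprocess` call to dig. The stale-window figure is what to compare against the change tolerance for the delegated service when deciding whether the workaround earlier in the thread is acceptable.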
