Reply

External DNS Recursion and NS Public Natting

New Member
Posts: 3
7781     0

Hi,

 

I want to configure IB in order to resolve internal DNS queries and external (recurssion).

 

For the internal, I will create the required Zones and Records but I don't want to enable Recurssion on the DNS level, instead I want IB to forward all unknown DNS queries to Upstream ISP DNS Server in order to get resolved. How to do it for the configuration point of view.

 

Moreover, I have 3 NS, publically natted to their respectable public IP's. When one of the NS is down for a reason, the Firwall will still send traffic to the said NS server.

 

Since I have infoblox, is it possible to load balance among all the 3 NS servers and once one of the NS is not avaiable, the IB stops sending it queries? Same concept like in LTM (F5).

 

I believe its GSLB  but how to configure it.

 

Edit : I find out that I can assign multiple IP's to a single Host Record, whats the advantage of assigning multiple IP's? Is it going to load balance? Or simply choose the first mention?

 

I know that the questions are quite different from one another in a single post, but in the given scenario from my end left me no choice.

 

Thank you

Re: External DNS Recursion and NS Public Natting

Authority
Posts: 18
7781     0

Hi Shujaswati,


1) for the recursion/forwarding configuration, NIOS (which uses BIND) does not forward queries or contact upstream servers if recursion is disabled. You can enabled recursion and then set the ISP's DNS server as a global forwarder ("Forwarders" tab) with the option "Use forwarders only" enabled to achieve your goal. Recursion and global forwarders can be configured at Grid DNS level, Member DNS level and at DNS View level. View level inherits the values from member level and member level inherits the value from Grid level. You can choose to override the upper level setting at the lower levels.

 

 

2) for the load balancing issue, since its the firewall that's forwarding the traffic- there's not much NIOS can do about it. If the firewall has a health check feature, I suppose that can help here. If not, perhaps it is best to add a load balancer in between with a health check option (preferably a DNS health check rather than a simple ping or SNMP monitoring).
    If the QPS is low, then may be Anycast will work out for you (no additional licenses required). It does not load balance but it can failover to a working server when one of the servers go down. In my lab I found that BGP works better than OSPF if the servers are at the same location (BGP failover faster when BFD is not used).

 

 

3) A host record with multiple IPs behaves the same way multiple A records with same name but different IPs do. By default the consecutive responses from NIOS for that record returns all the IPs in a round robin fashion. So for example, if you have a host named "host.test.com" with 3 IPs "1.1.1.1, 2.2.2.2, 3.3.3.3" - then the consecutive responses from the server for the query "host.test.com" will be as follows:

 

> query: host.test.com
Answer: 1.1.1.1, 2.2.2.2, 3.3.3.3

 

> query: host.test.com
Answer: 2.2.2.2, 3.3.3.3, 1.1.1.1

 

> query: host.test.com
Answer: 3.3.3.3, 1.1.1.1, 2.2.2.2

 

> query: host.test.com
Answer: 1.1.1.1, 2.2.2.2, 3.3.3.3

 

Typically clients only use the first item in the answer, so it does have a basic load balancing aspect to it. "sortlist" feature can control the order of the answers based on the source IP of the inbound query, but its not enabled by default.

ks Re: External DNS Recursion and NS Public Natting

[ Edited ]
New Member
Posts: 3
7781     0

Many thanks @Jrajan, that was to the point and "what I was looking for" reply. 

 

All points are quite clear now. For the point 3 "multiple IP's within same Host record", doesn't IB detects if a end host/server to whom the record belongs to is unavailable and points the incoming DNS queries to the one avaialable?

 

4. Moreover, correct me if I'm wrong, the different between HA and Grid member is :

 

HA : both active / active simultaniously 

Grid Member : Active / Passive

 

5. I know there's a dedicated ad-on called DTC for smart load balancing, then what's the benifit I can acheive from GSLB, does this required additional licensing and how to configure it?

 

6. Is it possible to create VIP in case I have 2 IB Appliance/VM's so that Users are pointing towards 1 ip representing both IB nodes?

Re: ks Re: External DNS Recursion and NS Public Natting

New Member
Posts: 3
7781     0

Any guidance will be really appreciated, thanks

Re: ks Re: External DNS Recursion and NS Public Natting

Authority
Posts: 18
7782     0

doesn't IB detects if a end host/server to whom the record belongs to is unavailable and points the incoming DNS queries to the one available?

   - Not for regular DNS records. DTC can do this.


4) This is not correct.
    A member can be standalone or HA. Standalone member is just 1 physical appliance or a VM. An HA member can be 2 physical appliances or 2 VM appliances (but cant be formed of 1 VM and 1 physical). One would be active while the other remains passive under normal conditions. Only the active will be running services, meanwhile- the passive will sync with the active and have all the configuration and data to go active if it detects that it's partner has gone down. The active node will have the 'VIP' (on HA port, not LAN1/LAN2) and this is used by DNS/DHCP by default. If the active node goes down and the passive node transitions to active mode, it will take over the VIP and continue running services with the configuration and data it has.


5) Today NIOS does not have an internal load balancing mechanism for inbound DNS queries. The server that receives the query is expected to handle the resolution on its own based on the DNS service configuration. As for DTC, we can consider that as an extension of DNS. It is used to control the 'answer' given to a client that's querying a server that has DTC rather than load balance inbound queries to multiple Infoblox DNS servers.
     To give you an example of DTC.. say you have a website "www.mywebpage.com" that's served by multiple webservers, each with different IPs (say "1.1.1.1" in US and "2.2.2.2" in EMEA region). If you have 2 A records configured with these IPs, they will just round robin the answers for all incoming clients. With DTC configuration we can provide 1.1.1.1 but not 2.2.2.2 for US clients but provide 2.2.2.2 if 1.1.1.1 is down. Vice versa for EMEA clients (Based on IP location or networks/network tags if configured). The health monitor that's checking the health of these server can be a simple ICMP, SNMP, HTTP(S), PDP, TCP, SIP or any combination of the above.
     This is just one simple example, DTC allows much more complex configurations.


6) Yes, HA pair members have this. Only the active node will hold the VIP and run services on it. If passive detects that the active (it's partner) has gone down, it goes active taking over the VIP and starts running services. Typical service interruption can last about 30 seconds during an HA failover. It can take longer depending on configuration complexity and size of DNS/DHCP data mainly.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You