How to Configure DNS Delegation Using BIND in NetScaler

Article ID: CTX124727

Description

This article describes how to delegate a sub-domain from a BIND server to the NetScaler ADNS services so that it can be used for Global Server Load Balancing (GSLB).


Instructions

To delegate a sub-domain to the NetScaler appliance for a GSLB environment, you need a working BIND server that is authoritative for the parent domain. The delegation is created in that parent zone.

The following configuration example uses BIND 9.4.3:

rosa bind # /usr/sbin/named -v
BIND 9.4.3-P4
rosa bind #
  1. Modify the BIND configuration file to resolve queries for your domain. In this example, the “example.net” name-space is used.
    rosa bind # cat named.conf
    include "/etc/bind/advanced-log.conf";
    
    options {
            directory "/var/bind";
    
            // Forward everything this server is not authoritative for to the
            // global forwarders (the zone statement for example.net below overrides this):
            forward only;
            forwarders {
                    10.9.3.22;
                    10.9.3.23;
            };
    
            listen-on-v6 { none; };
            listen-on { 10.12.17.4; };
    
            // allow-query { any; } combined with recursion yes makes this an open
            // resolver. In production, restrict recursion (allow-recursion) to trusted
            // client networks, or keep the authoritative zone on a separate server.
            allow-query { any; };
    
            pid-file "/var/run/named/named.pid";
    
            // collect statistics
            zone-statistics yes;
            statistics-file "/var/log/bind/named.stats";
    
            recursion yes;
    
            // rrset-order is how you set up round robin dns.
    
            rrset-order {
                    order cyclic;
            };
    };
    
    zone "." IN {
            type hint;
            file "named.ca";
    };
    
    zone "localhost" IN {
            type master;
            file "pri/localhost.zone";
            allow-update { none; };
            notify no;
    };
    
    zone "127.in-addr.arpa" IN {
            type master;
            file "pri/127.zone";
            allow-update { none; };
            notify no;
    };
    
    zone "example.net" IN {
            type master;
            file "pri/example.net.zone";
            allow-update { none; };
            notify no;
            // Empty forwarders list: cancel global forwarding for this zone and everything
            // below it, so queries for the delegated sub-domain follow the NS records.
            forwarders {
            };
    };
    Note: If this name server also performs recursive resolution through global forwarders, you must disable forwarding for the zone it is authoritative for. Forwarding settings in a zone statement apply to that zone and everything below it, so the empty forwarders list makes BIND follow the NS records for the delegated sub-domain to the NetScaler appliance. Without it, queries for the sub-domain are not sent to the NetScaler appliance but to the global forwarders defined above.
  2. Create the zone file for the parent domain name-space. This example uses “example.net”. The sub-domain “gslb.example.net” is delegated to the ADNS services on the NetScaler appliances.

    example.net.zone:
    
    rosa pri # cat example.net.zone 
    $TTL 1200
    $ORIGIN example.net.
    
    ; Everything under the following "@" block is for $ORIGIN.
    
    @       IN      SOA     dns1.example.net.  dnsadmin.example.net. (
                               2009032201      ; serial (YYYYMMDDrr)
                               1800            ; refresh (30 minutes)
                               900             ; retry (15 minutes)
                               1209600         ; expire (2 weeks)
                               1200            ; minimum TTL (20 min)
                               )
    
    ; main domain name servers
            IN      NS      dns1.example.net.
    
    mail    A       1.1.1.1
    dns1    A       10.12.17.4
    mx1     A       10.12.17.6
    
    www.example.net. IN CNAME www.gslb.example.net. ; alias to GSLB object on NetScaler
    
    ;sub-domain delegation (the NS owner is the sub-domain itself, gslb.example.net.)
    
    gslb.example.net. IN NS dns1.gslb.example.net. ; primary ADNS for the sub-domain
    gslb.example.net. IN NS dns2.gslb.example.net. ; secondary ADNS for the sub-domain (SECONDARY_SITE)
    dns1.gslb.example.net. IN A 10.12.17.9 ; glue record (ADNS Service NS1)
    dns2.gslb.example.net. IN A 10.12.17.23 ; glue record (ADNS Service NS2)
    Note: The glue records are essential. The names of the delegated name servers lie inside the sub-domain they serve, so without their A records in the parent zone a resolver has no way to reach them and the query never arrives at the NetScaler appliance. The NS records must be owned by the delegated sub-domain itself (gslb.example.net.), not by a host inside it; this is the owner that appears in the AUTHORITY section of the test query in step 5.
  3. Verify that the configuration works:

    Querying for an FQDN outside the authoritative domain is forwarded to the external DNS servers:

    C:\>dig @10.12.17.4 www.citrix.com
    
    ; <<>> DiG 9.3.2 <<>> www.citrix.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 365
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.citrix.com.                        IN      A
    
    ;; ANSWER SECTION:
    www.citrix.com.         3600    IN      A       66.165.176.15
    
    ;; Query time: 0 msec
    ;; SERVER: 10.12.17.4#53(10.12.17.4)
    ;; WHEN: Wed Mar 31 18:43:00 2010
    ;; MSG SIZE  rcvd: 48
    
    C:\>
  4. A packet capture on the BIND server shows the query being forwarded to the global forwarder (10.9.3.22) defined in the options block of named.conf:

    rosa pri # tcpdump -n udp port 53
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:36:39.530000 IP 10.12.17.30.1215 > 10.12.17.4.53: 365+ A? www.citrix.com. (32)
    22:36:39.530000 IP 10.12.17.4.40722 > 10.9.3.22.53: 57464+% [1au] A? www.citrix.com. (43)
    22:36:39.530000 IP 10.9.3.22.53 > 10.12.17.4.40722: 57464* 1/0/1 A 66.165.176.15 (59)
    22:36:39.530000 IP 10.12.17.4.53 > 10.12.17.30.1215: 365 1/0/0 A 66.165.176.15 (48)
  5. Querying for a record in the sub-domain is delegated to the NetScaler appliance: 

    C:\>dig @10.12.17.4 www.example.net
     
    ; <<>> DiG 9.3.2 <<>> @10.12.17.4 www.example.net
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1892
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.example.net.                    IN      A
    
    ;; ANSWER SECTION:
    www.example.net.             1200    IN      CNAME   www.gslb.example.net.
    www.gslb.example.net.        5       IN      A       10.12.17.21
    
    ;; AUTHORITY SECTION:
    gslb.example.net.            1200    IN      NS      dns2.gslb.example.net.
    gslb.example.net.            1200    IN      NS      dns1.gslb.example.net.
    
    ;; Query time: 0 msec
    ;; SERVER: 10.12.17.4#53(10.12.17.4)
    ;; WHEN: Wed Mar 31 18:53:24 2010
    ;; MSG SIZE  rcvd: 105
    
    C:\>
  6. Inspecting the traffic on the BIND server shows the query for the CNAME target being sent to one of the NetScaler ADNS services (10.12.17.9) instead of to the global forwarders. In the first exchange BIND sends an EDNS query (the "%" and "[1au]" markers in the tcpdump output), the ADNS service answers FormErr, and BIND retries without EDNS and receives the A record. BIND remembers this, so the later query (id 1816) is sent without EDNS from the start:

    rosa bind # tcpdump -n udp port 53
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:47:03.860000 IP 10.12.17.30.1219 > 10.12.17.4.53: 1892+ A? www.example.net. (28)
    22:47:03.870000 IP 10.12.17.4.54160 > 10.12.17.9.53: 64789% [1au] A? www.gslb.example.net. (44)
    22:47:03.870000 IP 10.12.17.9.53 > 10.12.17.4.54160: 64789 FormErr- 0/0/1 (44)
    22:47:03.870000 IP 10.12.17.4.41264 > 10.12.17.9.53: 7001 A? www.gslb.example.net. (33)
    22:47:03.870000 IP 10.12.17.9.53 > 10.12.17.4.41264: 7001*- 1/0/0 A[|domain]
    22:47:03.870000 IP 10.12.17.4.53 > 10.12.17.30.1219: 1892* 2/2/0 CNAME[|domain]
    22:49:45.370000 IP 10.12.17.30.1220 > 10.12.17.4.53: 1379+ A? www.example.net. (28)
    22:49:46.170000 IP 10.12.17.4.37783 > 10.12.17.9.53: 1816 A? www.gslb.example.net. (33)
    22:49:46.170000 IP 10.12.17.9.53 > 10.12.17.4.37783: 1816*- 1/0/0 A[|domain]
    22:49:46.170000 IP 10.12.17.4.53 > 10.12.17.30.1220: 1379* 2/2/0 CNAME[|domain]
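
An added example, not part of the Citrix article: a small Python linter for the parent zone file that checks the zone-side conditions the note in step 2 warns about, a delegated name server without glue and host data placed below the zone cut that the parent server never serves. It parses only the simplified master-file subset used above ($ORIGIN, $TTL, optional TTL and class, ";" comments, parenthesised multi-line records, no quoted TXT data). The two sample zones are constructed from the article's example.net records; ZONE_BROKEN deliberately drops the glue for dns2 and adds a stray A record under gslb.example.net.

```python
"""Delegation linter for a BIND parent zone file (added example, not from the article).
Parses a simplified master-file subset ($ORIGIN, $TTL, optional TTL/class, ';' comments,
parenthesised multi-line RRs; no quoted TXT data) and reports zone cuts, delegated name
servers that lack glue, and data below a cut that the parent never serves (occluded)."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str

def _fqdn(name: str, origin: str) -> str:
    """Absolute, lower-cased name; '@' means the current origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def _logical_lines(text: str):
    """Drop ';' comments and join parenthesised RRs into single lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)  # buf[0] keeps its leading blank, which means "same owner"
            buf = []

def parse_zone(text: str, origin: str) -> list[RR]:
    origin = origin.lower().rstrip(".") + "."
    last_owner, records = origin, []
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = _fqdn(line.split()[1], origin)
            continue
        if line.startswith("$"):  # $TTL and other directives are irrelevant here
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # optional TTL and class
        rtype = tokens.pop(0).upper()
        rdata = _fqdn(tokens[0], origin) if rtype in ("NS", "CNAME") else " ".join(tokens)
        records.append(RR(owner, rtype, rdata))
    return records

def _under(name: str, parent: str) -> bool:
    return name == parent or name.endswith("." + parent)

def check_delegations(records: list[RR], origin: str) -> dict[str, list[str]]:
    apex = origin.lower().rstrip(".") + "."
    cuts: dict[str, list[str]] = {}
    for r in records:
        if r.rtype == "NS" and r.owner != apex:
            cuts.setdefault(r.owner, []).append(r.rdata)
    ns_targets = {ns for servers in cuts.values() for ns in servers}
    has_address = {r.owner for r in records if r.rtype in ("A", "AAAA")}
    report: dict[str, list[str]] = {"delegations": sorted(cuts), "missing_glue": [], "occluded": []}
    for cut, servers in cuts.items():
        for ns in servers:
            # A server named inside the sub-domain it serves is reachable only through glue.
            if _under(ns, cut) and ns not in has_address:
                report["missing_glue"].append(f"{cut} NS {ns}")
    for r in records:
        if r.rtype == "NS":
            continue
        for cut in cuts:
            if _under(r.owner, cut):
                if not (r.rtype in ("A", "AAAA") and r.owner in ns_targets):
                    report["occluded"].append(f"{r.owner} {r.rtype} {r.rdata}")
                break
    return report

# Constructed from the article's example.net zone; the NS owner is the sub-domain itself.
ZONE_OK = """\
$TTL 1200
$ORIGIN example.net.
@       IN      SOA     dns1.example.net.  dnsadmin.example.net. (
                           2009032201 1800 900 1209600 1200 )  ; serial refresh retry expire min
        IN      NS      dns1.example.net.
dns1    A       10.12.17.4
www.example.net. IN CNAME www.gslb.example.net.
gslb.example.net. IN NS dns1.gslb.example.net.
gslb.example.net. IN NS dns2.gslb.example.net.
dns1.gslb.example.net. IN A 10.12.17.9   ; glue
dns2.gslb.example.net. IN A 10.12.17.23  ; glue
"""

# Same zone with two deliberate mistakes: dns2's glue dropped, stray host data below the cut.
ZONE_BROKEN = "\n".join(l for l in ZONE_OK.splitlines() if not l.startswith("dns2.gslb")) \
    + "\nwww.gslb.example.net. IN A 10.12.17.21\n"

if __name__ == "__main__":
    for label, zone in (("ok", ZONE_OK), ("broken", ZONE_BROKEN)):
        print(label, check_delegations(parse_zone(zone, "example.net"), "example.net"))
```

To check a real zone, read the file and call parse_zone(text, "example.net") followed by check_delegations. A non-empty missing_glue list means resolvers cannot reach the ADNS services through the delegation, and anything listed under occluded is data BIND will not serve because it belongs to the child zone.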

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Issue/Introduction

This article explains how to configure DNS domain delegation using BIND to be used in a GSLB deployment.