DNS is critical for all types of web applications because it allows us to use domain names—for instance www.citrix.com—instead of remembering IP addresses. It is also what makes SSL-based web applications with certificates work, since the trust is built on the hostname attribute (the FQDN) the certificate was issued for. DNS is also crucial for GSLB, because GSLB is mainly a DNS-based load-balancing feature.
NetScaler can operate as its own authoritative DNS server, use another DNS server as its source, or serve as a proxy between authoritative DNS servers and clients.
By default, if we add an external DNS server, the DNS communication between NetScaler and that server is sourced from the SNIP address closest to the DNS server, meaning the SNIP whose subnet routes to it. If we have multiple SNIP addresses, NetScaler will choose the closest one.
To add an external DNS server we can use the following command:
add dns nameserver <IP address> -type UDP
We also have the option of defining the nameserver as running locally. Note that this is not a fully functional DNS server: it hands out any records it holds (even GSLB records) without checking with the GSLB services, and features such as zone transfers are not supported in this mode. It is, however, the only option that works with DNS recursion. Recursion is a feature that allows NetScaler to ask other DNS servers on behalf of a querying client.
add dns nameserver <IP address> -local
set dns parameter -recursion ENABLED -cacheRecords YES
When we add a DNS server to NetScaler, it is added to the NS OS part of the kernel. Therefore we cannot use regular DNS-based tools such as dig, nslookup, and so on from the NetScaler shell to verify that the DNS server is active, because those tools only use the local resolver, not the nameserver the kernel has been configured with. To verify connectivity we can use:
show dns addRec FQDN
This does a DNS query to the DNS server to see if the A record is available. We can also use the command:
show dns nameserver
This shows whether the DNS server is available. Note that this status comes from an ICMP-based monitor, so if ICMP is blocked to the DNS server the status will show as DOWN even if DNS itself is answering. We can instead set up NetScaler to use its own load balanced DNS vServer. This gives us high availability for DNS and removes the need for ICMP-based monitoring from the SNIP to the DNS servers; the built-in lb monitor for DNS is used instead, which can send a specific DNS query (this ensures that DNS is operational and responding, not just that the host is alive).
To set up a load balanced DNS service we can just add the DNS servers as servers, add the DNS service, bind it to the backend servers, and then create a load balanced DNS vServer.
This can be done with the following command-line commands. First we add the different backend DNS servers:
add server SERVERNAME 192.168.0.1
add server SERVERNAME2 192.168.0.2
Then we need to create a DNS-based monitor, which runs a query against each of the DNS servers. In this example it queries for demo.local, and the DNS servers need to reply with the address 192.168.60.1; if they do not, they are marked as DOWN:
add lb monitor MONITORNAME DNS -query demo.local -queryType Address -LRTM DISABLED -IPAddress 192.168.60.1
Create the service that we bind to the backend servers:
add service SERVICENAME SERVERNAME DNS 53
add service SERVICENAME2 SERVERNAME2 DNS 53
Bind the monitor to the service we created:
bind service SERVICENAME -monitorName MONITORNAME
bind service SERVICENAME2 -monitorName MONITORNAME
Then we can create a load balanced DNS vServer:
add lb vserver DNSLBVSERVER DNS IPaddress 53
Bind the services to the lb vServer:
bind lb vserver DNSLBVSERVER SERVICENAME
bind lb vserver DNSLBVSERVER SERVICENAME2
If we want traffic to the backend DNS servers to come from a specific NetScaler IP address, we can use a net profile to bind the vServer to a particular SNIP address:
add netProfile NAMEOFPROFILE -srcIP 192.168.60.20
set lb vserver DNSLBVSERVER -netProfile NAMEOFPROFILE
Note that we cannot reference a DNS server as a regular nameserver and then also add an lb vServer of type DNS that contains the same backend server. Once the load balanced DNS vServer has been created, we can use it as a nameserver for NetScaler's own internal name resolution:
add dns nameserver NAMEOFDNSVSERVER -type UDP
As stated we can also use NetScaler as an authoritative DNS server. This way we can support setting up GSLB, which we will be going through later in this chapter. We can add this as a service on NetScaler by using the following command:
add service SERVICENAME 192.168.60.53 ADNS 53
We can check that the DNS server is working properly by adding an A record to it and querying it from a local client:
add dns addRec test.local 192.168.60.77
Then we run nslookup from the client against the ADNS service IP:
nslookup test.local IPADDRESSOFDNS
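The DNS monitor defined earlier (query demo.local, expect 192.168.60.1, otherwise DOWN) and the final nslookup check against the ADNS service both do the same thing: send an A query and inspect the answer section. The following Python script is an added example, not code from the book or from NetScaler, that implements that check in DNS wire format so you can see exactly what a query-based monitor verifies that an ICMP monitor does not. The function names, the transaction ID values and the build_a_response helper (which fabricates a server reply for offline testing) are assumptions of this example; the names demo.local and 192.168.60.1 come from the monitor above.

```python
import socket
import struct


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (RD bit set, one question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes, txid: int) -> tuple:
    """Return (rcode, list of A record IPs) from a response; raise on ID mismatch."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(".".join(str(b) for b in rdata))
    return rcode, ips


def evaluate(response: bytes, txid: int, expected_ip: str) -> str:
    """Monitor decision: UP only if NOERROR and the expected IP is among the A records."""
    try:
        rcode, ips = parse_a_records(response, txid)
    except (ValueError, struct.error, IndexError):
        return "DOWN"  # malformed reply or wrong transaction ID
    return "UP" if rcode == 0 and expected_ip in ips else "DOWN"


def build_a_response(query: bytes, ips: list, rcode: int = 0) -> bytes:
    """Constructed server reply for offline testing: echo the question, answer via pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answers


def probe(server_ip: str, name: str, expected_ip: str, timeout: float = 2.0) -> str:
    """Live check against a backend DNS server over UDP/53 (needs network access)."""
    txid = 0x2B2B
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_a_query(name, txid), (server_ip, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "DOWN"
    return evaluate(data, txid, expected_ip)


if __name__ == "__main__":
    q = build_a_query("demo.local")
    print(evaluate(build_a_response(q, ["192.168.60.1"]), 0x1234, "192.168.60.1"))  # UP
    print(evaluate(build_a_response(q, ["10.0.0.5"]), 0x1234, "192.168.60.1"))      # DOWN
```

probe() is what you would point at 192.168.0.1 and 192.168.0.2 to reproduce the monitor's verdict by hand; the constructed replies show the three ways a backend ends up DOWN with a query-based monitor even though it answers ping: a wrong address in the answer, a non-zero RCODE such as SERVFAIL, or a reply whose transaction ID does not match the query.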