This section discusses the support for authoritative domains of the Avi Load Balancer.
When an Avi Load Balancer DNS virtual service has a pass-through pool (of back-end servers) configured and the FQDNs are not found in the DNS table, it proxies these requests to the pool of servers. An exception is when the Avi Load Balancer is configured with an authoritative domain, and the queried FQDN is within the authoritative domain, in which case an NXDOMAIN is returned.
The Avi Load Balancer DNS virtual service includes a Start of Authority (SOA) record with its NXDOMAIN (and other) replies.
Features
An SOA record accompanies an NXDOMAIN (non-existent domain) response if the incoming query's domain is a subdomain of one of the configured authoritative domains in the DNS application profile.
Negative caching, that is, caching the fact that a record does not exist, is determined by the name servers authoritative for a zone, which must include the Start of Authority (SOA) record when reporting that no data of the requested type exists. The minimum field value of the SOA record and the TTL of the SOA itself are used to establish the TTL for the negative answer.
If the query's FQDN matches an entry in the DNS table but the query type is not supported by default, the Avi Load Balancer SE generates a NOERROR response, optionally with an SOA record if the domain matches a configured authoritative domain.
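Added example (not from the Avi documentation): a standard-library Python parser that locates the SOA record in a DNS response, reports whether it sits in the answer or authority section, and derives the negative-caching TTL as the smaller of the SOA's own TTL and its MINIMUM field, as RFC 2308 specifies. The response bytes are constructed inline for nope.acme.com; the serial, timers, TTLs, and the MNAME and RNAME values are made up for illustration.

```python
import struct

def encode_name(name):          # uncompressed wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def soa_summary(msg):
    """Find the first SOA in the answer or authority section of a response."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                         # skip name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:                          # SOA
            mname, p = read_name(msg, off)
            rname, p = read_name(msg, p)
            minimum = struct.unpack("!5I", msg[p:p + 20])[4]
            return {"rcode": flags & 0xF, "zone": owner, "mname": mname,
                    "section": "answer" if i < an else "authority",
                    "rname": rname, "negative_ttl": min(ttl, minimum)}
        off += rdlen
    return None

def sample_nxdomain():
    """Constructed NXDOMAIN reply for nope.acme.com (not a real capture)."""
    question = encode_name("nope.acme.com") + struct.pack("!HH", 1, 1)
    rdata = (encode_name("ns.acme.com") + encode_name("hostmaster.acme.com")
             + struct.pack("!5I", 1, 10800, 3600, 604800, 30))
    # Owner name is a compression pointer to "acme.com" at offset 17.
    soa = b"\xc0\x11" + struct.pack("!HHIH", 6, 1, 300, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8403, 1, 0, 1, 0) + question + soa
```

Calling soa_summary() on a captured reply from the DNS virtual service lets you confirm that the configured Negative TTL is what resolvers will actually cache.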
Configuration using the Avi Load Balancer UI
Queries for FQDNs that are subdomains of the authoritative domain names and do not have any DNS record in the Avi Load Balancer are either dropped or answered with an NXDOMAIN response. The Avi Load Balancer System-DNS profile comes preconfigured to respond to unhandled DNS requests. However, when creating a new DNS profile, it is necessary to change the (Options for) Invalid DNS Query processing field to respond to unhandled DNS requests to ensure NXDOMAIN responses are sent when appropriate.
When an NXDOMAIN reply is appropriate for an FQDN that ends with one of the authoritative domains, the value appearing in the Negative TTL field will be incorporated into the attached SOA record. This value is 30 seconds by default. However, the allowed range is 1 to 86400 seconds.
An Avi Load Balancer DNS virtual service need not have a back-end DNS server pool. If it does have a back-end pool, the Avi Load Balancer DNS Service Engines will only load balance to it if the FQDN is not a subdomain of one of those configured in the Authoritative Domain Names field.
The values in the Valid subdomains field are specified for validity checking and thus optional. If not configured, all subdomains of acme.com will be processed and looked up in the DNS table.
Configuration using the Avi Load Balancer CLI
In the example below, the before and after configurations of the System-DNS application profile are shown. Various applicationprofile:dns_service_profile subcommands are used to:
Define the authoritative domain names.
Enable NXDOMAIN responses. To do this, the value of error_response is changed from DNS_ERROR_RESPONSE_NONE (the default) to DNS_ERROR_RESPONSE_ERROR. The negative_caching_ttl is left unchanged from its 30-second default.
Specify subdomains of acme.com for which the DNS can provide an IP address. The subdomains are sales.acme.com, docs.acme.com, and support.acme.com. These subdomains are for validity checking and thus optional. If not configured, all subdomains of acme.com and coyote.com will be processed and looked up in the DNS table.
[admin:10-10-25-20]: > configure applicationprofile System-DNS
Updating an existing object. Currently, the object is:
+-------------------------+---------------------------------------------------------+
| Field                   | Value                                                   |
+-------------------------+---------------------------------------------------------+
| uuid                    | applicationprofile-fdb6a5d6-bbf8-4f15-b851-f436b599992c |
| name                    | System-DNS                                              |
| type                    | APPLICATION_PROFILE_TYPE_DNS                            |
| dns_service_profile     |                                                         |
| num_dns_ip              | 1                                                       |
| ttl                     | 30 sec                                                  |
| error_response          | DNS_ERROR_RESPONSE_NONE                                 |
| edns                    | False                                                   |
| dns_over_tcp_enabled    | True                                                    |
| aaaa_empty_response     | True                                                    |
| negative_caching_ttl    | 30 sec                                                  |
| ecs_stripping_enabled   | True                                                    |
| preserve_client_ip      | False                                                   |
| tenant_ref              | admin                                                   |
+-------------------------+---------------------------------------------------------+
[admin:10-10-25-20]: applicationprofile> dns_service_profile
[admin:10-10-25-20]: applicationprofile:dns_service_profile> authoritative_domain_names acme.com
[admin:10-10-25-20]: applicationprofile:dns_service_profile> authoritative_domain_names coyote.com
[admin:10-10-25-20]: applicationprofile:dns_service_profile> error_response dns_error_response_error
Overwriting the previously entered value for error_response
[admin:10-10-25-20]: applicationprofile:dns_service_profile> domain_names sales.acme.com
[admin:10-10-25-20]: applicationprofile:dns_service_profile> domain_names docs.acme.com
[admin:10-10-25-20]: applicationprofile:dns_service_profile> domain_names support.acme.com
[admin:10-10-25-20]: applicationprofile:dns_service_profile> save
[admin:10-10-25-20]: applicationprofile> save
+---------------------------------+---------------------------------------------------------+
| Field                           | Value                                                   |
+---------------------------------+---------------------------------------------------------+
| uuid                            | applicationprofile-fdb6a5d6-bbf8-4f15-b851-f436b599992c |
| name                            | System-DNS                                              |
| type                            | APPLICATION_PROFILE_TYPE_DNS                            |
| dns_service_profile             |                                                         |
| num_dns_ip                      | 1                                                       |
| ttl                             | 30 sec                                                  |
| error_response                  | DNS_ERROR_RESPONSE_ERROR                                |
| domain_names[1]                 | sales.acme.com                                          |
| domain_names[2]                 | docs.acme.com                                           |
| domain_names[3]                 | support.acme.com                                        |
| edns                            | False                                                   |
| dns_over_tcp_enabled            | True                                                    |
| aaaa_empty_response             | True                                                    |
| authoritative_domain_names[1]   | acme.com                                                |
| authoritative_domain_names[2]   | coyote.com                                              |
| negative_caching_ttl            | 30 sec                                                  |
| ecs_stripping_enabled           | True                                                    |
| preserve_client_ip              | False                                                   |
| tenant_ref                      | admin                                                   |
+---------------------------------+---------------------------------------------------------+
[admin:10-10-25-20]: >
Support for SOA rdata Queries
Avi Load Balancer supports SOA queries for configured authoritative domains, and the customization of SOA fields MNAME and RNAME (see RFC 1035), which are configured using the Avi Load Balancer CLI configuration sub-command applicationprofile>dns_service_profile to supply two corresponding parameters:
name_server: The <domain-name> of the name server that was the original or primary source of data for this zone. This field is used in SOA records pertaining to all domain names specified as authoritative domain names. If not configured, domain name is used as name server in SOA response.
admin_email: Email address of the administrator responsible for this zone. This field is used in SOA records pertaining to all domain names specified as authoritative domain names. If not configured, the default value hostmaster is used in SOA responses.
CLI Example
[admin:10-10-25-20]: applicationprofile> dns_service_profile
[admin:10-10-25-20]: applicationprofile:dns_service_profile> admin_email [email protected]
[admin:10-10-25-20]: applicationprofile:dns_service_profile> name_server roadrunner.com
[admin:10-10-25-20]: applicationprofile:dns_service_profile> save
[admin:10-10-25-20]: applicationprofile> save
+---------------------------------+---------------------------------------------------------+
| Field                           | Value                                                   |
+---------------------------------+---------------------------------------------------------+
| uuid                            | applicationprofile-fdb6a5d6-bbf8-4f15-b851-f436b599992c |
| name                            | System-DNS                                              |
| type                            | APPLICATION_PROFILE_TYPE_DNS                            |
| dns_service_profile             |                                                         |
| num_dns_ip                      | 1                                                       |
| ttl                             | 30 sec                                                  |
| error_response                  | DNS_ERROR_RESPONSE_ERROR                                |
| domain_names[1]                 | sales.acme.com                                          |
| domain_names[2]                 | docs.acme.com                                           |
| domain_names[3]                 | support.acme.com                                        |
| edns                            | False                                                   |
| dns_over_tcp_enabled            | True                                                    |
| aaaa_empty_response             | True                                                    |
| authoritative_domain_names[1]   | acme.com                                                |
| authoritative_domain_names[2]   | coyote.com                                              |
| negative_caching_ttl            | 30 sec                                                  |
| name_server                     | roadrunner.com                                          |
| admin_email                     | [email protected]                                       |
| ecs_stripping_enabled           | True                                                    |
| preserve_client_ip              | False                                                   |
| tenant_ref                      | admin                                                   |
+---------------------------------+---------------------------------------------------------+
[admin:10-10-25-20]: >
When an SOA request is made, the SOA response is sent in the answer section. For non-existent records of domains for which the Avi Load Balancer is the authority, the response is sent in the authority section.
Avi Load Balancer supports SOA queries for authoritative domains that are members of an array of DNS zones, and the customization of SOA fields MNAME and RNAME (see RFC 1035) within them, which are configured using the Avi Load Balancer CLI configuration sub-command applicationprofile>dns_service_profile:dns_zones to supply three corresponding parameters:
domain_name: A domain name for which the DNS service is authoritative.
name_server: The primary name server for this zone. This field is used in SOA records as MNAME (RFC 1035). If not configured, domain_name is used instead.
admin_email: Email address of the administrator responsible for this zone. This field is used in SOA records as RNAME (RFC 1035). If not configured, the default value hostmaster is used.
Avi Load Balancer supports configuration of admin_email addresses and name_server hostnames at both the per-domain level and the DNS application level.
If the name server's hostname is not configured for a zone, it is inherited from the hostname found in the DNS application profile. If even that hostname is not configured, the domain name is used instead.
If the email address of the administrator responsible for a zone is not specified, it is inherited from the email address found in the DNS application profile.
If a DNS zone has its own admin_email address and name_server hostname configured, those values take precedence over the values configured at the DNS application level.
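Added example, not Avi's implementation: a simplified Python model of the query handling and the SOA field precedence described on this page, useful for checking what a given profile should return before testing it live. The dictionary layout, the function names, the longest-match rule and the NO_POOL label (an outcome the page does not describe) are assumptions; the field names and sample values are taken from the CLI output shown here.

```python
# Constructed sample profile using the field names shown in the CLI output.
PROFILE = {
    "authoritative_domain_names": ["acme.com", "coyote.com"],
    "error_response": "DNS_ERROR_RESPONSE_ERROR",
    "negative_caching_ttl": 30,
    "name_server": "roadrunner.com",          # profile-level MNAME
    "dns_zones": [{"domain_name": "test.vmware.com",
                   "name_server": "ns.test.vmware.com",
                   "admin_email": "hostmaster.vmware.com"}],
}
DNS_TABLE = {"sales.acme.com"}                # constructed: names with records

def zone_for(fqdn, zones):
    """Authoritative domain that fqdn equals or sits under, matched on whole
    labels. Preferring the longest match is an assumption of this sketch."""
    name = fqdn.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def effective_soa(zone, profile):
    """Zone-level value first, then profile-level value, then the default."""
    z = next((d for d in profile.get("dns_zones", [])
              if d["domain_name"] == zone), {})
    mname = z.get("name_server") or profile.get("name_server") or zone
    rname = z.get("admin_email") or profile.get("admin_email") or "hostmaster"
    return mname, rname

def decide(fqdn, profile, dns_table, has_pool):
    """Return (action, soa) for a query, following the rules on this page."""
    zones = list(profile.get("authoritative_domain_names", []))
    zones += [d["domain_name"] for d in profile.get("dns_zones", [])]
    if fqdn.rstrip(".").lower() in dns_table:
        return "ANSWER", None
    zone = zone_for(fqdn, zones)
    if zone is None:
        # Outside every authoritative domain: only a pass-through pool applies.
        return ("PROXY_TO_POOL" if has_pool else "NO_POOL"), None
    if profile.get("error_response") != "DNS_ERROR_RESPONSE_ERROR":
        return "DROP", None
    mname, rname = effective_soa(zone, profile)
    return "NXDOMAIN", {"zone": zone, "mname": mname, "rname": rname,
                        "negative_ttl": profile.get("negative_caching_ttl", 30)}
```

Note that notacme.com is proxied rather than answered with NXDOMAIN: the suffix comparison is on whole labels, so only acme.com itself and names ending in .acme.com fall inside the authoritative domain.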
UI Example
When editing a DNS application profile, scroll down to the Domain Names/ Subdomains section to configure name_server hostnames and admin_email addresses.
CLI Example
[admin:my-cntrlr]: > configure applicationprofile System-DNS
[admin:my-cntrlr]: applicationprofile> dns_service_profile
[admin:my-cntrlr]: applicationprofile:dns_service_profile>
[admin:my-cntrlr]: applicationprofile> dns_service_profile
[admin:my-cntrlr]: applicationprofile:dns_service_profile> dns_zones
New object being created
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> domain_name acme.com
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> admin_email hostmaster.acme.com
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> name_server ns.acme.com
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> save
[admin:my-cntrlr]: applicationprofile:dns_service_profile> dns_zones
New object being created
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> domain_name test.vmware.com
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> admin_email hostmaster.vmware.com
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> name_server ns.test.vmware.com
[admin:my-cntrlr]: applicationprofile:dns_service_profile:dns_zones> save
[admin:my-cntrlr]: applicationprofile:dns_service_profile> save
[admin:my-cntrlr]: applicationprofile> save
+-------------------------+---------------------------------------------------------+
| Field                   | Value                                                   |
+-------------------------+---------------------------------------------------------+
| uuid                    | applicationprofile-4c7c86b0-b677-4ea2-b8a9-882dda76a22c |
| name                    | System-DNS                                              |
| type                    | APPLICATION_PROFILE_TYPE_DNS                            |
| dns_service_profile     |                                                         |
| num_dns_ip              | 1                                                       |
| ttl                     | 30 sec                                                  |
| error_response          | DNS_ERROR_RESPONSE_NONE                                 |
| edns                    | True                                                    |
| dns_over_tcp_enabled    | True                                                    |
| aaaa_empty_response     | True                                                    |
| negative_caching_ttl    | 30 sec                                                  |
| dns_zones[1]            |                                                         |
| domain_name             | acme.com                                                |
| name_server             | ns.acme.com                                             |
| admin_email             | hostmaster.acme.com                                     |
| dns_zones[2]            |                                                         |
| domain_name             | test.vmware.com                                         |
| name_server             | ns.test.vmware.com                                      |
| admin_email             | hostmaster.vmware.com                                   |
| ecs_stripping_enabled   | True                                                    |
| preserve_client_ip      | False                                                   |
| preserve_client_port    | False                                                   |
| tenant_ref              | admin                                                   |
+-------------------------+---------------------------------------------------------+
[admin:my-cntrlr]: >
When an SOA request is made, the SOA response is sent in the answer section. For non-existent records of domains for which Avi Load Balancer is the authority, the response is sent in the authority section.