Features

An SOA record accompanies an NXDOMAIN (non-existent domain) response if the incoming query’s domain is a subdomain of one of the configured authoritative domains in the DNS application profile.

Negative caching, such as, the caching of the fact of non-existence of a record, is determined by name servers authoritative for a zone which must include the Start of Authority (SOA) record when reporting no data of the requested type exists. The minimum field value of the SOA record and the TTL of the SOA itself is used to establish the TTL for the negative answer.

If the query’s FQDN matches an entry in the DNS table, but the query type is not supported by default then, the Avi Load Balancer SE generates a NOERROR response, optionally with an SOA record if the domain matches a configured authoritative domain.

Configuration using the Avi Load Balancer UI

Queries for FQDNs that are subdomains of the authoritative domain names and do not have any DNS record in the Avi Load Balancer are dropped or the NXDOMAIN response is sent. The Avi Load Balancer System-DNS profile comes preconfigured to respond to unhandled DNS requests. However, when creating a new DNS profile, it is necessary to change (Options for) Invalid DNS Query processing field to respond to unhandled DNS requests to ensure NXDOMAIN responses are sent when appropriate.

When an NXDOMAIN reply is appropriate for an FQDN that ends with one of the authoritative domains, the value appearing in the Negative TTL field will be incorporated into the attached SOA record. This value is 30-seconds by default. However, the allowed range is 1 to 86400 seconds.

An Avi Load Balancer DNS virtual service need not have a back-end DNS server pool. If it does have a back-end pool, the Avi Load Balancer DNS Service Engines will only load balance to it if the FQDN is not a subdomain of one of those configured in the Authoritative Domain Names field.

The values in the Valid subdomains field are specified for validity checking and thus optional. If not configured, all subdomains of acme.com will be processed and looked up in the DNS table.

Configuration using the Avi Load Balancer CLI

In the below example, the before and after configurations of the System-DNS application profile is shown. Various applicationprofile:dns_service_profile subcommands are used to:

• Define the authoritative domain names.

• Enable NXDOMAIN responses. To do this, the value of error_response is changed from DNS_ERROR_RESPONSE_NONE (the default) to DNS_ERROR_RESPONSE_ERROR. The negative_caching_ttl is left unchanged from its 30-second default.

• Specify subdomains of acme.com for which the DNS can provide an IP address. The subdomains are sales.acme.com, docs.acme.com, and support.acme.com. These subdomains are for validity checking and thus optional. If not configured, all subdomains of acme.com and coyote.com will be processed and looked up in the DNS table.

[admin:10-10-25-20]: > configure applicationprofile System-DNS Updating an existing object. Currently, the object is:
+-------------------------+---------------------------------------------+ | Field                   | Value                                       | +-------------------------+---------------------------------------------+ | uuid                    | applicationprofile-fdb6a5d6-bbf8-4f15-b851-f436b599992c                                                            | 
| name                    | System-DNS                                  | | type                    | APPLICATION_PROFILE_TYPE_DNS                | | dns_service_profile     |                                             | |   num_dns_ip            | 1                                           | |   ttl                   | 30 sec                                      | |   error_response        | DNS_ERROR_RESPONSE_NONE                     | |   edns                  | False                                       | |   dns_over_tcp_enabled  | True                                        | |   aaaa_empty_response   | True                                        | |   negative_caching_ttl  | 30 sec                                      | |   ecs_stripping_enabled | True                                        | | preserve_client_ip      | False                                       | | tenant_ref              | admin                                       | +-------------------------+---------------------------------------------+ [admin:10-10-25-20]: applicationprofile> dns_service_profile 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> authoritative_domain_names acme.com 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> authoritative_domain_names coyote.com 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> error_response dns_error_response_error Overwriting the previously entered value for error_response 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> domain_names sales.acme.com 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> domain_names docs.acme.com 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> domain_names support.acme.com 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> save [admin:10-10-25-20]: applicationprofile> save
+---------------------------------+-------------------------------------+ | Field                           | Value                               | +---------------------------------+-------------------------------------+ | uuid                            | applicationprofile-fdb6a5d6-bbf8-4f15-b851-f436b599992c                                                  | 
| name                            | System-DNS                          | | type                            | APPLICATION_PROFILE_TYPE_DNS        | | dns_service_profile             |                                     | |   num_dns_ip                    | 1                                   | |   ttl                           | 30 sec                              | |   error_response                | DNS_ERROR_RESPONSE_ERROR            | |   domain_names[1]               | sales.acme.com                      | |   domain_names[2]               | docs.acme.com                       | |   domain_names[3]               | support.acme.com                    | |   edns                          | False                               | |   dns_over_tcp_enabled          | True                                | |   aaaa_empty_response           | True                                | |   authoritative_domain_names[1] | acme.com                            | |   authoritative_domain_names[2] | coyote.com                          | |   negative_caching_ttl          | 30 sec                              | |   ecs_stripping_enabled         | True                                | | preserve_client_ip              | False                               | | tenant_ref                      | admin                               | +---------------------------------+-------------------------------------+ [admin:10-10-25-20]: >

Support for SOA rdata Queries

Avi Load Balancer supports SOA queries for configured authoritative domains, and the customization of SOA fields MNAME and RNAME (see RFC 1035), which are configured using the Avi Load Balancer CLI configuration sub-command applicationprofile>dns_service_profile to supply two corresponding parameters:

• name_server: The <domain-name> of the name server that was the original or primary source of data for this zone. This field is used in SOA records pertaining to all domain names specified as authoritative domain names. If not configured, domain name is used as name server in SOA response.

• admin_email: Email address of the administrator responsible for this zone. This field is used in SOA records pertaining to all domain names specified as authoritative domain names. If not configured, the default value hostmaster is used in SOA responses.

CLI Example

[admin:10-10-25-20]: applicationprofile> dns_service_profile admin_email [email protected] 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> name_server roadrunner.com 
[admin:10-10-25-20]: applicationprofile:dns_service_profile> save [admin:10-10-25-20]: applicationprofile> save 
+---------------------------------+-------------------------------------+ | Field                           | Value                               | +---------------------------------+-------------------------------------+ | uuid                            | applicationprofile-fdb6a5d6-bbf8-4f15-b851-f436b599992c                                                  | 
| name                            | System-DNS                          | | type                            | APPLICATION_PROFILE_TYPE_DNS        | | dns_service_profile             |                                     | |   num_dns_ip                    | 1                                   | |   ttl                           | 30 sec                              | |   error_response                | DNS_ERROR_RESPONSE_ERROR            | |   domain_names[1]               | sales.acme.com                      | |   domain_names[2]               | docs.acme.com                       | |   domain_names[3]               | support.acme.com                    | |   edns                          | False                               | |   dns_over_tcp_enabled          | True                                | |   aaaa_empty_response           | True                                | |   authoritative_domain_names[1] | acme.com                            | |   authoritative_domain_names[2] | coyote.com                          | |   negative_caching_ttl          | 30 sec                              | |   name_server                   | roadrunner.com                      | |   admin_email                   | [email protected]                   | |   ecs_stripping_enabled         | True                                | | preserve_client_ip              | False                               | | tenant_ref                      | admin                               | +---------------------------------+-------------------------------------+ [admin:10-10-25-20]: > 

When a SOA request is made, the SOA response is sent in the answer section. For non-existent records of domains for which the Avi Load Balancer is the authority, the response is sent in the authority section.

Avi Load Balancer supports SOA queries for authoritative domains that are members of an array of DNS zones, and the customization of SOA fields MNAME and RNAME (see RFC 1035) within them, which are configured using the Avi Load Balancer CLI configuration sub-command applicationprofile>dns_service_profile:dns_zones to supply three corresponding parameters:

• domain_name: A domain name for which the DNS service is authoritative.

• name_server: The primary name server for this zone. This field is used in SOA records as MNAME (RFC 1035). If not configured, domain_name is used instead.

• admin_email: Email address of the administrator responsible for this zone. This field is used in SOA records as RNAME RFC 1035). If not configured, the default value hostmaster is used.