NSX Advanced Load Balancer resolves DNS on the Controller by default. When the Controller cannot reach the DNS resolver but configuration objects still need FQDN resolution, DNS resolution on SE lets the Service Engine (SE) resolve those FQDNs itself.

Note:
  • DNS resolution on Service Engines can be done with IPv6 DNS resolver IP addresses.

  • FQDN resolution of pool member objects is supported only through SE.

  • It is currently supported on VMware and No access clouds.

To enable DNS resolution on SE, set dns_resolution_on_se in the cloud configuration.

The Service Engine needs a DNS resolver configuration to resolve FQDNs from the SE. For this, a DNSResolver object must be configured in the cloud configuration. Only one DNSResolver object is supported per cloud.

By default, records are refreshed based on the TTL received in the DNS response.

Configuring DNS Resolution on SE

The following is the CLI command for enabling the DNS resolution on SE:

[admin:Avi-Controller]: > configure cloud Default-Cloud
[admin:Avi-Controller]: cloud> dns_resolution_on_se
[admin:Avi-Controller]: cloud> save

The following is the CLI command for configuring the DNS resolver in cloud:

[admin:Avi-Controller]: > configure cloud Default-Cloud
[admin:Avi-Controller]: cloud> dns_resolvers
[admin:Avi-Controller]: cloud:dns_resolvers> resolver_name  resolver1
[admin:Avi-Controller]: cloud:dns_resolvers> nameserver_ips 100.64.88.201
[admin:Avi-Controller]: cloud:dns_resolvers> nameserver_ips 100.64.89.202
[admin:Avi-Controller]: cloud:dns_resolvers> save
[admin:Avi-Controller]: cloud> save

The following are the configurable attributes in the DNS Resolver:

  • resolver_name: Name of the resolver.

  • nameserver_ips: The IPv4 or IPv6 addresses of the DNS servers to be used for resolution.

  • fixed_ttl: If configured, entries are refreshed at this interval regardless of the TTL in the response. It overrides both received_ttl and min_ttl; the entries are refreshed only on fixed_ttl even when received_ttl is less than fixed_ttl.

  • min_ttl: If configured, this value overrides the TTL from the response whenever the received TTL is smaller than min_ttl. Effectively, the entry is refreshed on max(received_ttl, min_ttl).

  • use_mgmt: If this is enabled, DNS resolution is performed through management network.

The resolver database on a Service Engine can be inspected with show serviceengine <se-name> resolverdb. In the sample output below, ntest17.foo.avi.com resolved to 1.1.1.17 with a 300-second TTL, while ntest15.foo.avi.com failed (err_response ERROR, ttl 0, and last_updated_time still at the Unix epoch); the pool referencing each FQDN is listed under obj_uuids:

[admin:demo-cntrlr]: > show serviceengine demo-se2 resolverdb
+----------------------+-------------------------------------------+
| Field                | Value                                     |
+----------------------+-------------------------------------------+
| se_ref               | demo-se2                                  |
| dns_resolution_on_se | True                                      |
| fqdns[1]             |                                           |
|   fqdn               | ntest17.foo.avi.com                       |
|   obj_uuids[1]       | pool-da9e76ad-9bf3-4a8b-9dce-13bf7d36b96d |
|   ips[1]             | 1.1.1.17                                  |
|   ttl                | 300                                       |
|   last_resolved_time | Mon Apr 12 06:54:12 2021                  |
|                      |                                           |
|   last_updated_time  | Mon Apr 12 05:03:35 2021                  |
|                      |                                           |
| fqdns[2]             |                                           |
|   fqdn               | ntest15.foo.avi.com                       |
|   obj_uuids[1]       | pool-f4e9743c-0585-4d67-897e-38328702813c |
|   ttl                | 0                                         |
|   last_resolved_time | Mon Apr 12 06:53:53 2021                  |
|                      |                                           |
|   last_updated_time  | Thu Jan  1 00:00:00 1970                  |
|                      |                                           |
|   err_response       | ERROR                                     |
| resolvers[1]         |                                           |
|   resolver_name      | resolver6                                 |
|   nameserver_ips[1]  | 100.64.88.201                             |
|   nameserver_ips[2]  | 100.64.92.40                              |
|   total_fqdns        | 2                                         |
| resolvers[2]         |                                           |
|   resolver_name      | Default-ResolvConf                        |
|   total_fqdns        | 0                                         |
+----------------------+-------------------------------------------+
  • If resolution must be done through the SE and the DNS resolvers are provided by DHCP, enable only dns_resolution_on_se; a dns_resolvers object does not have to be configured in the cloud. The SE then uses the nameservers it learned from DHCP.

  • If a dns_resolvers object is configured, it is always used for FQDN resolution.
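As an added example (not part of the original page and not code from NSX Advanced Load Balancer), the following Python script turns the resolverdb output above and the fixed_ttl/min_ttl rules into checks: it parses the table, lists the FQDNs the SE has not resolved (no ips, ttl 0, last_updated_time still at the Unix epoch, or err_response set) together with the pools that reference them, and computes the refresh interval the resolver attributes imply. The table embedded below is a constructed, abridged copy of the sample output; treating an unset attribute as None and the choice of failure signals are this example's assumptions, not documented SE behaviour.

```python
import re
from datetime import datetime

# Constructed sample: an abridged copy of `show serviceengine <se> resolverdb`
# output in the shape shown on this page (values are illustrative).
SAMPLE_RESOLVERDB = """\
+----------------------+-------------------------------------------+
| Field                | Value                                     |
+----------------------+-------------------------------------------+
| se_ref               | demo-se2                                  |
| dns_resolution_on_se | True                                      |
| fqdns[1]             |                                           |
|   fqdn               | ntest17.foo.avi.com                       |
|   obj_uuids[1]       | pool-da9e76ad-9bf3-4a8b-9dce-13bf7d36b96d |
|   ips[1]             | 1.1.1.17                                  |
|   ttl                | 300                                       |
|   last_resolved_time | Mon Apr 12 06:54:12 2021                  |
|   last_updated_time  | Mon Apr 12 05:03:35 2021                  |
| fqdns[2]             |                                           |
|   fqdn               | ntest15.foo.avi.com                       |
|   obj_uuids[1]       | pool-f4e9743c-0585-4d67-897e-38328702813c |
|   ttl                | 0                                         |
|   last_resolved_time | Mon Apr 12 06:53:53 2021                  |
|   last_updated_time  | Thu Jan  1 00:00:00 1970                  |
|   err_response       | ERROR                                     |
| resolvers[1]         |                                           |
|   resolver_name      | resolver6                                 |
|   nameserver_ips[1]  | 100.64.88.201                             |
|   total_fqdns        | 2                                         |
+----------------------+-------------------------------------------+
"""

ROW_RE = re.compile(r"^\|\s*(?P<field>[^|]*?)\s*\|\s*(?P<value>[^|]*?)\s*\|$")
INDEX_RE = re.compile(r"^(?P<name>\w+)\[\d+\]$")      # e.g. fqdns[2], obj_uuids[1]
TIME_FMT = "%a %b %d %H:%M:%S %Y"                     # format used in the table
EPOCH_ZERO = datetime(1970, 1, 1)                     # "never updated" marker


def parse_resolverdb(text):
    """Return one dict per fqdns[N] entry; resolver rows are ignored."""
    entries, current = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                                   # border lines
        field, value = m.group("field"), m.group("value")
        if not field or field == "Field":
            continue                                   # spacer rows and header
        idx = INDEX_RE.match(field)
        if idx and idx.group("name") == "fqdns":
            current = {"fqdn": None, "obj_uuids": [], "ips": [], "ttl": None,
                       "last_resolved_time": None, "last_updated_time": None,
                       "err_response": None}
            entries.append(current)
            continue
        if idx and idx.group("name") == "resolvers":
            current = None                             # left the fqdns section
            continue
        if current is None:
            continue
        if idx and idx.group("name") in ("obj_uuids", "ips"):
            current[idx.group("name")].append(value)
        elif field == "ttl":
            current["ttl"] = int(value)
        elif field in ("last_resolved_time", "last_updated_time"):
            current[field] = datetime.strptime(value, TIME_FMT)
        elif field in ("fqdn", "err_response"):
            current[field] = value
    return entries


def unresolved(entries):
    """Entries the SE has no usable answer for (assumed failure signals)."""
    return [e for e in entries
            if e["err_response"] or not e["ips"] or e["ttl"] == 0
            or e["last_updated_time"] == EPOCH_ZERO]


def affected_pools(entries):
    """Sorted pool UUIDs that reference an unresolved FQDN."""
    return sorted({u for e in unresolved(entries) for u in e["obj_uuids"]})


def effective_refresh_ttl(received_ttl, fixed_ttl=None, min_ttl=None):
    """Refresh interval implied by the DNSResolver attributes above.
    None means the attribute is not configured (example's assumption).
    fixed_ttl wins outright; otherwise a received TTL below min_ttl is raised."""
    if fixed_ttl is not None:
        return fixed_ttl
    if min_ttl is not None:
        return max(received_ttl, min_ttl)
    return received_ttl


if __name__ == "__main__":
    db = parse_resolverdb(SAMPLE_RESOLVERDB)
    for e in unresolved(db):
        print(f"UNRESOLVED {e['fqdn']} -> pools {e['obj_uuids']}")
    print("affected pools:", affected_pools(db))
```

Paste real output in place of the constructed sample to get the list of pools whose members currently have no resolved address; a pool member whose FQDN never resolves simply has no IP to send traffic to, which is easy to miss in a large cloud.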

IPv6 configuration for DNS resolution on Service Engine over IPv6

IPv6 nameserver IPs can be provided in DNS resolvers. This ensures DNS resolution over IPv6 for a given cloud. A sample configuration that adds an IPv6 nameserver for DNS resolution on Service Engine over IPv6 is shown below:

[admin:10-79-175-173]: > configure cloud test-cloud-vj
[admin:10-79-175-173]: cloud> dns_resolution_on_se
Overwriting the previously entered value for dns_resolution_on_se
[admin:10-79-175-173]: cloud> dns_resolvers
New object being created
[admin:10-79-175-173]: cloud:dns_resolvers> resolver_name ipv4resolver
[admin:10-79-175-173]: cloud:dns_resolvers> nameserver_ips 100.64.88.201
[admin:10-79-175-173]: cloud:dns_resolvers> where
Tenant: admin
Cloud: test-cloud-vj
+-------------------+---------------+
| Field             | Value         |
+-------------------+---------------+
| resolver_name     | ipv4resolver  |
| nameserver_ips[1] | 100.64.88.201 |
+-------------------+---------------+
[admin:10-79-175-173]: cloud:dns_resolvers> save
[admin:10-79-175-173]: cloud> dns_resolvers
New object being created
[admin:10-79-175-173]: cloud:dns_resolvers> resolver_name ipv6resolver
[admin:10-79-175-173]: cloud:dns_resolvers> nameserver_ips 2402:740:0:42a:250:56ff:fe81:6f11,2402:740:0:429:250:56ff:fe81:45b
[admin:10-79-175-173]: cloud:dns_resolvers> where
Tenant: admin
Cloud: test-cloud-vj
+-------------------+--------------------------------------------------------------------+
| Field             | Value                                                              |
+-------------------+--------------------------------------------------------------------+
| resolver_name     | ipv6resolver                                                       |
| nameserver_ips[1] | 2402:740:0:42a:250:56ff:fe81:6f11,2402:740:0:429:250:56ff:fe81:45b |
+-------------------+--------------------------------------------------------------------+
[admin:10-79-175-173]: cloud:dns_resolvers> save
[admin:10-79-175-173]: cloud> save
Note:

Use comma-separated IPv6 nameserver addresses when more than one IP address is needed, as in the nameserver_ips line above.

Limitations of Configuring DNS Resolution on SE

The following are the limitations of DNS resolution on SE:

  • Prior to NSX Advanced Load Balancer version 22.1.3, only IPv4 transport was supported for FQDN resolution. Starting with NSX Advanced Load Balancer version 22.1.3, IPv6 is supported for FQDN resolution.

  • Only A records are queried.

  • DNS resolution is done over UDP only.
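The following is an added example, not code from this page or from NSX Advanced Load Balancer. It sends the only kind of query the limitations above allow, a single A-record question over UDP, to a nameserver (IPv4 or IPv6 literal) and parses the answer, so a practitioner can check from inside an SE's VRF network namespace (for example with ip netns exec) whether a resolver reachable from the SE answers for a given FQDN, and whether the answer was truncated, which a UDP-only client cannot recover from by retrying over TCP. The transaction-ID and question checks are this example's own; the page does not describe how the SE validates responses. The response used in the offline test is constructed, not captured from a real server.

```python
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(fqdn):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(fqdn, txid=None):
    """One question, QTYPE A, QCLASS IN, RD set: the shape the limitations describe."""
    if txid is None:
        txid = random.randrange(0x10000)   # response must echo this ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(fqdn) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_response(msg, txid, fqdn):
    """Return (rcode, truncated, [(ipv4, ttl), ...]) for a reply to build_a_query().
    The ID and echoed-question checks are this example's own validation."""
    if len(msg) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    truncated = bool(flags & 0x0200)       # TC: answer did not fit in the UDP reply
    off = 12
    for i in range(qd):
        name, off = _read_name(msg, off)
        off += 4                            # QTYPE + QCLASS
        if i == 0 and name.lower() != fqdn.rstrip(".").lower():
            raise ValueError("question mismatch")
    answers = []
    for _ in range(an):
        _name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return flags & 0x000F, truncated, answers


def resolve_a(fqdn, nameserver, port=53, timeout=2.0):
    """Query one nameserver over UDP (IPv4 or IPv6 literal) and parse the A records."""
    family = socket.AF_INET6 if ":" in nameserver else socket.AF_INET
    txid, query = build_a_query(fqdn)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (nameserver, port))
        data, _peer = s.recvfrom(4096)
    return parse_a_response(data, txid, fqdn)


def build_constructed_response(txid, fqdn, ips, ttl):
    """Constructed reply for offline testing (not captured from a real server):
    echoes the question and answers with A records via a pointer to offset 12."""
    _, query = build_a_query(fqdn, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + rrs


if __name__ == "__main__":
    import sys
    # e.g. ip netns exec <vrf-namespace> python3 probe.py ntest17.foo.avi.com 100.64.88.201
    print(resolve_a(sys.argv[1], sys.argv[2]))
```

Because the SE uses plain UDP with no transport authentication, the nameservers listed in nameserver_ips should be reachable only over networks you trust; the script's TTL output is also the received_ttl that fixed_ttl and min_ttl act on.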

Configuring DNS Nameservers on Service Engine for Client Log Streaming and for External Health Monitor

If a DNS resolver is configured in the cloud as described in the 'Configuring DNS Resolution on SE' section, /etc/systemd/resolved.conf for the management network and /etc/netns/{namespace-name}/resolv.conf for every VRF on the SE virtual machine are updated accordingly.

Domain names configured in external_server under client_log_streaming_config in the Analytics Profile (used for client log streaming), and domain names present in the script code of an External Health Monitor, are then resolved through the configured name servers.