You can enable the appliance to respond to recursive queries and create a list of allowed networks, IP addresses, and remote servers that present specified TSIG (transaction signature) keys. When using TSIG keys, it is important that the appliances and servers involved with the authentication procedure use NTP (Network Time Protocol) for their time settings (see Using NTP for Time Settings).
A recursive query requires the appliance to return requested DNS data, or locate the data through queries to other servers. When a NIOS appliance receives a query for DNS data it does not have and you have enabled recursive queries, it first sends a query to any specified forwarders. If a forwarder does not respond (and you have disabled the Use Forwarders Only option in the Forwarders tab of the Member DNS Properties editor), the appliance sends a non-recursive query to specified internal root servers. If no internal root servers are configured, the appliance sends a non-recursive query to the Internet root servers. For information on specifying root name servers, see About Root Name Servers.
You can enable recursion for a Grid, individual Grid members, and DNS views. For information about enabling recursion in a DNS view, see Configuring DNS Views. If you do not enable recursion, the appliance denies recursive queries from all clients.

Enabling Recursion

To enable recursion and create a list of recursive queriers:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab -> Members tab -> member check box -> Edit icon. To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode, and then select the Queries tab.
  3. Click Allow recursion, and then in the Allow recursive queries from section, select one of the following:
    • None: Select this if you do not want to configure access control for recursive queries. When you select None, the appliance allows recursive queries from all clients. This is selected by default.
    • Named ACL: Select this and click Select Named ACL to select a named ACL. Grid Manager displays the Named ACLs Selector. Select the named ACL you want to use. If you have only one named ACL, Grid Manager automatically displays the named ACL. When you select this, the appliance allows clients that have the Allow permission to send and receive recursive DNS queries. You can click Clear to remove the selected named ACL.
    • Set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows.
      • IPv4 Address and IPv6 Address: Select this to add an IPv4 address or IPv6 address. Click the Value field and enter the IP address of the remote querier. The Permission column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
      • IPv4 Network: In the Add IPv4 Network panel, complete the following, and then click Add to add the network to the list:
        • Address: Enter an IPv4 network address and either type a netmask or move the slider to the desired netmask.
        • Permission: Select Allow or Deny from the drop-down list.
      • IPv6 Network: In the Add IPv6 Network panel, complete the following, and then click Add to add the network to the list:
        • Address: Enter an IPv6 network address and select the netmask from the drop-down list.
        • Permission: Select Allow or Deny from the drop-down list.
      • TSIG Key: In the Add TSIG Key panel, complete the following, and then click Add to add the TSIG key to the list:
        • Key name: Enter a meaningful name for the key, such as a zone name or the name of the remote name server. This name must match the name of the same TSIG key on other name servers.
        • Key Algorithm: Select either HMAC-MD5 or HMAC-SHA256.
        • Key Data: To use an existing TSIG key, type or paste the key in the Key Data field. Alternatively, you can select the key algorithm, select the key length from the Generate Key Data drop down list, and then click Generate Key Data to create a new key.
      • Any Address/Network: Select to allow or deny queries from any IP addresses.
        After you have added access control entries, you can do the following:
        • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
        • Reorder the list of ACEs using the up and down arrows next to the table.
        • Select an ACE and click the Edit icon to modify the entry.
        • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
  4. Save the configuration.
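The list built in step 3 is an ordered access control list: each query source is compared against the entries in turn, and the permission of the matching entry decides whether the appliance recurses for it. The following is an added example, not Infoblox code, that models that evaluation for IPv4/IPv6 addresses, networks, TSIG key names and the Any Address/Network entry. It assumes, as BIND address match lists do, that the first matching entry wins and that a source matching no entry is denied; the None choice (no access control, recursion open to all clients) is modelled as `acl=None`. The addresses, key name and policy are constructed for the example.

```python
"""Added example, not Infoblox code: evaluate the ordered "Allow recursive
queries from" list for a query source.  Assumptions not stated on the page:
entries are evaluated top to bottom and the first match wins (BIND-style
address match list); a source matching no entry is denied; the None setting
(no access control) is modelled as acl=None and allows every client."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ACE:
    kind: str         # "address", "network", "tsig" or "any"
    value: object     # IPv4/IPv6 address, network, TSIG key name, or None for "any"
    permission: str   # "Allow" or "Deny"


def ace(kind, value=None, permission="Allow"):
    """Build an entry, parsing addresses and networks so bad input fails early."""
    if kind == "address":
        value = ip_address(value)
    elif kind == "network":
        value = ip_network(value, strict=False)
    elif kind not in ("tsig", "any"):
        raise ValueError(f"unknown ACE type {kind!r}")
    return ACE(kind, value, permission)


def ace_matches(entry, source_ip, tsig_key=None):
    src = ip_address(source_ip)
    if entry.kind == "any":
        return True
    if entry.kind == "address":
        return entry.value == src
    if entry.kind == "network":
        return src.version == entry.value.version and src in entry.value
    # TSIG entry: matches only a query signed with that key name
    return tsig_key is not None and tsig_key == entry.value


def recursion_allowed(acl, source_ip, tsig_key=None):
    """True if the source may send recursive queries; acl=None models 'None'."""
    if acl is None:
        return True
    for entry in acl:
        if ace_matches(entry, source_ip, tsig_key):
            return entry.permission == "Allow"
    return False  # assumption: implicit deny when nothing matches


def exposed_to(acl, probe_sources):
    """Return the probe sources (unsigned queries) the list would let recurse.
    Anything left in the result is a client the resolver serves recursively."""
    return [s for s in probe_sources if recursion_allowed(acl, s)]


# Constructed sample policy: internal ranges, signed branch-office queries, deny the rest
INTERNAL_ACL = [
    ace("network", "10.0.0.0/8"),
    ace("network", "2001:db8:1::/48"),
    ace("tsig", "branch-office-key"),
    ace("any", permission="Deny"),
]
# Same entries with the Deny-any row moved to the top: the TSIG row can never match
MISORDERED_ACL = [ace("any", permission="Deny"), ace("tsig", "branch-office-key")]
OPEN_ACL = None  # the "None" choice: recursion for every client
PROBES = ["203.0.113.5", "2001:db8:2::1"]  # constructed external sources

if __name__ == "__main__":
    print("internal client:", recursion_allowed(INTERNAL_ACL, "10.1.2.3"))
    print("external, signed:", recursion_allowed(INTERNAL_ACL, "203.0.113.5", "branch-office-key"))
    print("open to:", exposed_to(OPEN_ACL, PROBES), "vs", exposed_to(INTERNAL_ACL, PROBES))
```

`exposed_to` is the check worth running whenever the list is edited: with the None setting it returns every probe, and with a Deny entry for Any Address/Network placed at the end it returns nothing. `MISORDERED_ACL` shows why the reorder arrows matter; with Deny-any first, a correctly signed query from a remote server is refused.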

Configuring Resolver Queries Timeout

You can configure the amount of time that a recursive query will wait for a response before timing out. The default timeout behavior is to wait for 30 seconds before timing out.
To configure the resolver queries timeout value:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode, select the Queries tab and complete the following:
    • Resolver queries timeout: Specify the maximum time allowed for a recursive query to wait for a response before timing out. You can enter either 0 or a value between 10 and 30 seconds. Setting the timeout value to 0 returns to the default timeout behavior, which is to wait for 30 seconds before timing out.
  3. Save the configuration.

Restricting Recursive Client Queries

By default, the appliance can serve up to 1,000 outstanding recursive client queries. You can change this default value according to your business needs. After you configure the recursive client queries limit, you can enable the appliance to send SNMP traps for recursive queries. Enabling SNMP traps for recursive clients can help you identify possible flood attacks on the DNS recursive server. The appliance sends SNMP traps when the number of recursive client queries exceeds the configured thresholds. For information about how to set the threshold and reset values, see Defining Thresholds for Traps.

  1. From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
  2. In the Member DNS Properties editor, click Toggle Advanced Mode.
  3. When the additional tabs appear, click the Advanced subtab of the Queries tab.
  4. Select the Limit number of recursive clients to option and enter a number. The default is 2000 and the maximum is 40000.
  5. Save the configuration and click Restart if it appears at the top of the screen.

Enabling Recursive Resolution Using EDNS Client Subnet (ECS) Option

The EDNS Client Subnet (ECS) option is a DNS extension you use to optimize recursive resolution for query sources that are not topologically close to the recursive resolvers. When you enable ECS for recursive resolution, the appliance includes subnet information of the host that originates a DNS query. Thus, your recursive resolver can perform geotargeting by passing the subnet information to authoritative servers so that the response will be more optimized for the end clients. For example, when you enable ECS and/or ECS forwarding on your recursive resolver, CDNs (Content Delivery Networks) can deliver content faster and more efficiently to the end user by providing information about the end user's subnet to the authoritative DNS server operated by the CDNs.
You can enable the NIOS appliance to handle recursive queries using ECS option and enable ECS forwarding support at the Grid level. You can then add whitelisted zone names that are subject to ECS recursion and specify the source prefix length for IPv4 and IPv6 addresses. Make sure you enter only apex zones. Example: foo.com, corpxyz.com, etc. The whitelisted zone name indicates the zone to which ECS tagged queries must be sent.
Note the following while adding whitelisted zone names:

  • ECS options are sent only when the name being queried and the apex of the zone being queried both match ECS zones. For example, if the zone "foo.com" contains a subdomain "www.foo.com", then you must configure "foo.com" as ECS zone and not "www.foo.com". The latter configuration might result in no ECS queries being sent, because the apex zone, "foo.com" does not match with "www.foo.com".
  • Queries for subdomains of the specified zone name with a prefix length greater than the specified prefix length are not applicable. For example, if you specify "foo.com" with IPv4 prefix length 20, then IPv4 queries with a prefix length greater than 20 are not applicable for the subdomains of "foo.com".
  • You can exclude certain subdomains by adding a leading exclamation mark (!) to the subdomain name. Example: ! foo.example.org, ! test.foo.com, etc.

Guidelines for Using ECS and ECS Forwarding

The following are the guidelines for using ECS and ECS forwarding:

  • When recursive ECS is enabled, the appliance applies ECS handling for queries that meet both of the following criteria:
    • If the source prefix length is not set to zero.
    • If the query name matches one of the listed whitelisted zone names.
  • If you enable ECS forwarding, all queries that contain a valid ECS option will be forwarded to the authoritative server.
  • Queries with the source prefix length set to zero will be forwarded unchanged, regardless of whether ECS forwarding is enabled or disabled.
  • When recursive ECS and ECS forwarding are both enabled, the response to queries that contain a valid ECS option with a non-zero source prefix length will contain an ECS option.
  • When recursive ECS is enabled and ECS forwarding is disabled, and if the original query contains a valid ECS option with a non-zero source prefix length, then the resolver returns a REFUSED response.

To enable recursive ECS and configure DNS resolver parameters, complete the following:

  1. From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
  2. In the Grid DNS Properties editor, click the Advanced subtab of the Queries tab and complete the following:
    • Enable Recursive ECS: Select this check box to enable recursive resolution using ECS. This is disabled by default. If recursive ECS is enabled, the appliance applies ECS handling for queries that meet both of the following criteria:
      • If the source prefix length is not set to zero.
      • If the query zone name is listed in the whitelisted domains.
    • Enable ECS Forwarding: Select this check box to enable ECS forwarding. If you enable ECS forwarding, all queries containing a valid ECS option will be forwarded to the authoritative server.

      Note: Queries with the source prefix length set to zero will be forwarded unchanged, regardless of whether ECS forwarding is enabled or disabled.

    • Query Zone Permissions: Click the Add icon to add a list of query zone names that are subject to ECS recursion and the corresponding permission. Grid Manager adds a row to the table. Complete the following:
      • Zone Name: Enter the zone name.
      • Permission: Select Allow or Deny from the drop-down list.
    • IPv4SourcePrefix: Specify the IPv4 source prefix length. You can enter a value between 1 and 24. The default value is 24.
    • IPv6SourcePrefix: Specify the IPv6 source prefix length. You can enter a value between 1 and 56. The default value is 56.
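The whitelist rules above (apex zones, `!` exclusions) and the guidelines for recursive ECS and ECS forwarding together form a small decision table. The following is an added example, not Infoblox code, that implements that table and the source-prefix truncation for constructed inputs: `zone_match` applies the apex and exclusion rules, `scope` truncates a client address to the configured prefix length (the privacy property of the /24 and /56 defaults: host bits never leave the resolver), and `ecs_decision` returns what happens to a query. Points the page does not state are assumptions here: a client-supplied ECS prefix longer than the configured length is truncated to that length before forwarding, a query carrying ECS when neither option is enabled is resolved without ECS, and a forwarding-only resolver does not echo ECS in its response.

```python
"""Added example, not Infoblox code: model the ECS whitelist matching and the
recursive ECS / ECS forwarding guidelines for constructed inputs.
Assumptions not on the page: client ECS prefixes longer than the configured
length are truncated to it; ECS in a query is ignored when neither option
is enabled; a forwarding-only resolver does not echo ECS to the client."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _under(qname, zone):
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def zone_match(qname, ecs_zones):
    """True when qname is at or below a listed apex zone and not below a
    '!'-prefixed exclusion (for example "foo.com" with "! test.foo.com")."""
    allowed = excluded = False
    for raw in ecs_zones:
        if raw.startswith("!"):
            excluded |= _under(qname, raw[1:].strip())
        else:
            allowed |= _under(qname, raw.strip())
    return allowed and not excluded


def scope(address, prefix_len):
    """Truncate an address to prefix_len bits: host bits are zeroed, so only
    the client's subnet (by default /24 or /56) is placed in the option."""
    return str(ip_network(f"{address}/{prefix_len}", strict=False))


@dataclass
class Decision:
    action: str               # forward_unchanged, forward_client_ecs, refused,
                              # ignore_client_ecs, add_ecs or no_ecs
    ecs: Optional[str]        # subnet placed in the upstream query, if any
    response_has_ecs: bool    # whether the client's answer carries an ECS option


def ecs_decision(qname, client_ip, incoming_ecs, *, recursive_ecs, ecs_forwarding,
                 ecs_zones, ipv4_prefix=24, ipv6_prefix=56):
    """incoming_ecs is None or (address, source_prefix_len) taken from the
    client's own EDNS Client Subnet option."""
    if incoming_ecs is not None:
        addr, plen = incoming_ecs
        if plen == 0:
            # Guideline: a /0 source prefix is forwarded unchanged either way
            return Decision("forward_unchanged", None, False)
        if ecs_forwarding:
            cap = ipv4_prefix if ip_address(addr).version == 4 else ipv6_prefix
            return Decision("forward_client_ecs", scope(addr, min(plen, cap)),
                            response_has_ecs=recursive_ecs)
        if recursive_ecs:
            # Guideline: recursive ECS on, forwarding off, client sent ECS -> REFUSED
            return Decision("refused", None, False)
        return Decision("ignore_client_ecs", None, False)  # assumption
    src = ip_address(client_ip)
    cap = ipv4_prefix if src.version == 4 else ipv6_prefix
    if recursive_ecs and cap != 0 and zone_match(qname, ecs_zones):
        return Decision("add_ecs", scope(src, cap), False)
    return Decision("no_ecs", None, False)


ZONES = ["foo.com", "! test.foo.com"]  # constructed whitelist

if __name__ == "__main__":
    print(ecs_decision("www.foo.com", "198.51.100.77", None,
                       recursive_ecs=True, ecs_forwarding=False, ecs_zones=ZONES))
    print(ecs_decision("www.foo.com", "198.51.100.77", ("203.0.113.9", 32),
                       recursive_ecs=True, ecs_forwarding=False, ecs_zones=ZONES))
```

`zone_match` is the check to run against a proposed whitelist: listing `www.foo.com` instead of `foo.com` leaves `foo.com` itself unmatched, and `foo.com.example` never matches `foo.com` because matching is on label boundaries, not on substrings.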

Enabling DNS Fault Tolerant Caching

When an authoritative DNS server experiences an outage, all web sites served by the DNS server become inaccessible. Enabling the DNS fault tolerant caching option allows users to access the web sites served by the DNS server despite the DNS server outage. When you enable the DNS fault tolerant caching option, DNS records are retained in the recursive cache even after they expire. Whenever a recursive query times out or returns a SERVFAIL response, the appliance returns the cached response to the client instead of the SERVFAIL response.

When you enable DNS fault tolerant cache, you can also specify the TTL (time-to-live) and timeout settings for the expired records. TTL specifies the time duration for which the expired record is retained in the recursive cache. Setting a high TTL might cause the client to use incorrect data for a longer duration. Conversely, setting a low TTL renders more current cached data, but also increases the traffic on your network. The expired record is deleted from the recursive cache after the specified timeout duration.

Only DNS members with recursion enabled can support this feature. You can enable this feature at the Grid level and override it at the member level for members with recursion enabled. For information on enabling recursion for a Grid or member, see Enabling Recursive Queries. Note that DNS fault tolerant caching does not work when you set the DNS Resolver Type to Unbound.

To enable DNS fault tolerant caching, complete the following:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
    To override Grid settings, click Override next to it and complete the appropriate fields.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Advanced subtab of the Queries tab and complete the following:
    • Enable Fault Tolerant Caching: Select this check box to enable the retention of expired records in the recursive cache. When you enable this option, the appliance retains the expired records in the recursive cache. Whenever a recursive query times out or returns a SERVFAIL response, the appliance returns the cached response to the client instead of the SERVFAIL response. This is disabled by default.
      • Expired Record TTL: Specify the time duration that the appliance must serve the expired records from the recursive cache before attempting to refresh the records. The default is five seconds. Select the time period in minutes, hours, or days from the drop-down list.

      • Expired Record Timeout: Specify the time duration that the appliance waits before deleting the expired records from recursive cache. The default is 24 hours. Select the time period in minutes, hours, or days from the drop-down list.

  3. Save the configuration.
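The two timers above interact with the refresh path: the Expired Record TTL bounds how long a stale answer is served before the appliance tries upstream again, and the Expired Record Timeout bounds how long an expired record stays available at all. The following is an added example, not Infoblox code, that models a recursive cache with those two settings against a constructed upstream that can be switched between healthy and failing. It assumes, since the page does not say, that a refresh is attempted as soon as a record expires, that a failed refresh opens an Expired Record TTL window during which the stale answer is served without contacting upstream, and that with the feature disabled an expired record is simply dropped. Time is passed in explicitly so the behaviour is reproducible.

```python
"""Added example, not Infoblox code: a recursive cache that serves expired
records on timeout/SERVFAIL, bounded by an expired-record TTL (retry window)
and an expired-record timeout (eviction).  Assumptions: refresh is attempted
at expiry; a failed refresh opens a TTL-long window of stale answers with no
upstream call; expired records are dropped when the feature is disabled."""
from dataclasses import dataclass


class UpstreamFailure(Exception):
    """Stands in for a recursive lookup that timed out or returned SERVFAIL."""


@dataclass
class CacheEntry:
    rdata: list
    expires_at: float             # end of the record's own TTL
    serve_stale_until: float = 0  # no upstream retry before this time


class StaleServingCache:
    def __init__(self, fault_tolerant, expired_record_ttl=5, expired_record_timeout=24 * 3600):
        self.fault_tolerant = fault_tolerant
        self.expired_record_ttl = expired_record_ttl          # seconds
        self.expired_record_timeout = expired_record_timeout  # seconds
        self.entries = {}

    def resolve(self, name, upstream, now):
        """Return (rdata, source) with source in cache/stale/upstream, or raise
        UpstreamFailure, which is what the client would see as SERVFAIL."""
        entry = self.entries.get(name)
        if entry is not None and now >= entry.expires_at:
            if not self.fault_tolerant or now >= entry.expires_at + self.expired_record_timeout:
                del self.entries[name]   # feature off, or timeout reached: evict
                entry = None
        if entry is not None and now < entry.expires_at:
            return entry.rdata, "cache"
        if entry is not None and now < entry.serve_stale_until:
            return entry.rdata, "stale"  # inside the expired-record TTL window
        try:
            rdata, ttl = upstream(name)
        except UpstreamFailure:
            if entry is not None:
                entry.serve_stale_until = now + self.expired_record_ttl
                return entry.rdata, "stale"
            raise                         # nothing cached: SERVFAIL reaches the client
        self.entries[name] = CacheEntry(list(rdata), now + ttl)
        return list(rdata), "upstream"


class ScriptedUpstream:
    """Constructed authoritative side: fixed answers, a health switch, a call counter."""
    def __init__(self, answers):
        self.answers, self.healthy, self.calls = answers, True, 0

    def __call__(self, name):
        self.calls += 1
        if not self.healthy or name not in self.answers:
            raise UpstreamFailure(name)
        return self.answers[name]


def outage_timeline(fault_tolerant):
    """Walk one record through a 60 s TTL and an upstream outage; return the
    answer source seen at each step, or 'SERVFAIL' where the client gets none."""
    up = ScriptedUpstream({"www.example.net": (["192.0.2.10"], 60)})
    cache = StaleServingCache(fault_tolerant, expired_record_ttl=5, expired_record_timeout=3600)
    seen = []
    for now in (0, 30, 100, 103, 200, 4000):
        if now >= 100:
            up.healthy = False
        try:
            seen.append(cache.resolve("www.example.net", up, now)[1])
        except UpstreamFailure:
            seen.append("SERVFAIL")
    return seen, up.calls


if __name__ == "__main__":
    print("enabled :", outage_timeline(True))
    print("disabled:", outage_timeline(False))
```

With the feature enabled the timeline is `upstream, cache, stale, stale, stale, SERVFAIL`: at 103 s the stale answer is returned without an upstream call because the 5 s window opened at 100 s, at 200 s a refresh is retried and fails, and at 4000 s the record has passed the 3600 s timeout and is gone. With the feature disabled every lookup after expiry during the outage is a SERVFAIL, which is the behaviour the option exists to avoid; the trade-off is that a record changed at the authoritative side during the outage is served from the stale copy until the timeout elapses.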
