
The software-based DNS acceleration feature supports IB-Flex and non-IB-Flex (IB-2215, IB-2225, IB-v2215, IB-v2225, IB-4015, IB-4025, IB-v4015, and IB-v4025) platforms. When you enable the virtual DNS cache acceleration feature on IB-Flex and non-IB-Flex appliances, the appliance acts as a high-speed DNS caching-only name server. This feature provides DNS cache acceleration for recursive UDP DNS queries.

The DNS cache acceleration feature is bundled with Tiered licensing for IB-Flex appliances; for non-IB-Flex appliances, it depends on the type of tiered license that is installed. Only the Tier 1 (unlimited QPS up to capability) license can be installed on IB-2215 and IB-V2225 appliances. When you install the license, you are entitled to use the DNS cache acceleration feature. For non-IB-Flex appliances, the warning message depends on the tiered license that is installed, and the QPS is rate-limited according to the type of license installed. If the QPS exceeds the threshold of the installed tiered license, a warning message is displayed. For more information on the Tiered licensing feature, see the table of features for the Software DNS cache acceleration platforms below.

All the appliances support RPZ, but responses to RPZ queries are not cached by the DNS cache accelerator. Instead, these queries bypass the accelerator and are handled by the host. You can configure the cache expiry period for RPZ queries. Note that the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if the RPZ license is installed. However, for IB-Flex appliances, you must configure RPZ zones for a member.

You can also use Elastic Scaling to pre-provision DNS cache acceleration. For DNS cache acceleration, these appliances support Intel x86_64 systems with IOMMU and hugepages, virtio-net, Intel 82599 10 G NICs, and SR-IOV with Intel 82599 Ethernet controllers.

You can configure DNS cache acceleration using Grid Manager or the API. To view accelerated cache details, you can use Grid Manager, CLI commands, or the Infoblox API. Infoblox supports Auto Scaling, which uses OpenStack packages to automatically scale the number of resources your application requires. For more information, refer to Auto Scaling for Virtual DNS Cache Acceleration.

Associated characteristics of the supported appliance include the following:

  • Cache delete through the Grid Manager, CLI, or Infoblox API. For more information, see Clearing DNS Cache.
  • ACL for IPv4 and IPv6.
  • Sending SNMP traps for DNS cache acceleration service.
  • SNMP queries for supported appliances.
  • Fixed RRset order for accelerated A and AAAA responses over IPv4 and IPv6.
  • Both non-accelerated recursive and authoritative DNS with Software ADP.

The following table lists the features that are either supported or not supported on the Software DNS cache acceleration platforms:

| Features | IB-Flex | IB-2215, IB-2225, IB-v2215, IB-v2225, IB-4015, IB-4025, IB-v4015, IB-v4025 |
|---|---|---|
| Tiered licensing | Licensing is based on the Flex Grid Activation license on the Grid. Note that the queries per second are limited by the number of CPUs for IB-FLEX. | IB-40x5 appliances support four tiers of DNS QPS, and the QPS levels are enforced by rate limiting. |
| RPZ | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if RPZ zones are configured for the member. | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if the RPZ license is installed. |
| Caching (A, AAAA, MX, CNAME, PTR) | Yes | Yes |
| Do not cache (EDNS, TCP, Any, TSIG) | Yes | Yes |
| Caching over additional interfaces (v4, v6) | Yes | Yes |
| Dump Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
| Clear Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
| Cache pre-fetch and cache refresh | Yes | Yes |
| ACLs (Allow-queries/Responses, Match-Clients/Destination, Blackhole) | Yes | Yes |
| AAAA Filtering (Bypassed but supports configuring) | Yes | Yes |
| Fixed RRSET ordering | Yes | Yes |
| DNS64 | Yes | Yes |
| DNS monitoring feature (netmon) | Yes, but unlike IB-4030, this feature captures DNS cached queries on the virtual DNS cache acceleration platform. | Yes, but unlike IB-4030, this feature captures DNS cached queries on the virtual DNS cache acceleration platform. |
| DNS Query logging (BIND only) | Yes | Yes |
| DNS Views | Yes, it supports up to six DNS views. | Yes, it supports up to six DNS views. |
| Forward/Stub zones | Yes | Yes |
| Unbound as DNS resolver | Yes, unbound is supported through the Flex Grid Activation license. | Yes, unbound is supported if the Dual Engine DNS license is installed. |
| DNS cache acceleration related restrictions for configuration | Yes, for NIOS version 8.2.0, restrictions are enforced based on whether the DNS cache acceleration feature is enabled or disabled. | No |
| Reporting | Yes, for more information, see the Reports for IB-FLEX section in About IB-FLEX. | Yes |
| VLAN | Yes | Yes |
| DSCP | No, Infoblox does not support DSCP for virtual appliances. | Infoblox does not support DSCP on physical or virtual appliances only when DCA is enabled. |
| Sort list | Yes | Yes |
| Anycast (OSPF and BGP) | Yes | Yes |
| BFD (Bidirectional Forwarding Detection) | Yes | |
| HA Support | Yes, only for non-SRIOV. | Yes |
| NIC Bonding | Yes | Yes |
| Multiple-Interfaces on the same subnet | No | No |
| IP Rate-limit and Response logging | No | No |
| EDNS Client Subnet support | No | No |
| NXDomain-redirection | Yes | Yes |
| DNSSEC (Bypassed but supports configuring) | Yes | Yes |
| Debug enhancements | Yes | Yes |
| SNMP Support for DCA service-related traps | Yes | Yes |
| SNMP stats support for DNS QPS and CHR | Yes | Yes |
| NX Mitigation | No | No |
| NetFilter (Tracking tables) | No | |
| Traffic-capture (All modes) | Yes, there is partial support. Note that tcpdump captures both queries and responses. | Yes, there is partial support. Note that tcpdump captures both queries and responses. |
| No flush-mode support for DNS cache acceleration cache | Yes | Yes |
| Per-interface UDP DNS cache acceleration response counters | Yes | Yes |
| CLI commands | You can use the commands set dns-accel and show dns-accel to view and set DNS cache acceleration information. For more information, see CLI Commands. | You can use the commands set dns-accel and show dns-accel to view and set DNS cache acceleration information. For more information, see CLI Commands. |
| DNS Query rewrite (Bypassed but supports configuring) | No | No |
| Threat Protection | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously on IB-FLEX platforms. | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously. |

Note

By default, all malformed packets are dropped early when the accelerated threat protection service is enabled.

Viewing Accelerated Cache Details

When you view cached contents of the DNS accelerator through the Grid Manager, there might be a slight impact on the DNS query performance of the selected member.

To view accelerated cache from the Grid Manager:

  1. From the Data Management tab, select the DNS tab and click the Members tab -> Member checkbox. Choose View from the Toolbar, and then click View Cache.
  2. Click Yes in the View Acceleration Cache dialog box.
  3. The system displays a File Download was Successful message and the cache data is displayed in table format in a new browser tab or browser window.

Limitations for Virtual DNS Cache Acceleration

  • You cannot enable the DNS cache acceleration feature during a scheduled NIOS upgrade, but if you have already enabled this feature, it will function normally during the upgrade process.
  • The appliance prompts for a reboot when you enable the DNS cache acceleration feature for the first time. You must accept it to start the service.
  • You must disable the DNS cache acceleration feature and reboot the appliance manually to switch from virtual DNS cache acceleration to authoritative servers.
  • The appliance prompts for a reboot when you enable virtual DNS cache acceleration and Software ADP on IB-FLEX, IB-22x5, and IB-40x5 platforms.
  • DSCP is not supported if vDCA is enabled on IB-FLEX, IB-22x5, and IB-40x5.

  • DHCP license cannot be installed if the DCA license is installed and vice versa.

  • DCA and Microsoft Management licenses cannot be installed and configured simultaneously.

Limitations for DNS Cache Acceleration in Subscriber Parental Control

Enabling DNS Cache Acceleration for subscriber services in the Parental Control tab has the following limitations:

  • The DNS Cache Acceleration subscriber site features (query count logging and blocked and allowed list support) apply to Virtual DNS Cache Acceleration; these features are available on IB-4030 but are not supported there.
  • The DNS Cache Acceleration subscriber site features, query count logging and blocked and allowed list support retains only unknown bits and does not support unknown policies (AVP).
  • DNS Cache Acceleration uses BIND to process the guests behind Customer Premises Equipment (CPEs).
  • The appliance prompts for a reboot when there is a configuration change.
  • DNSTAP is required for query logging.
  • DNS Cache Acceleration does not cache blocked domains from BIND as it only uses category information for resolved domains.
  • At Virtual DNS Cache Acceleration, the subscriber has access only to the primary MSP IP address.
  • DNS Cache Acceleration subscriber site feature supports only 16 additional blocking policies.
  • Before blocking another opt-in subscriber at DNS Cache Acceleration, an opt-in subscriber must resolve a domain.
  • Proxy-All replies come from DNS Cache Acceleration as long as the client connection status to MSP is "connected." If the client connection status is "disconnected," the first few queries go to BIND, and subsequent requests come from DNS Cache Acceleration. Note that idle TCP connections are closed every 20 seconds by MSP.
  • The query name for the subscriber allowed and blocked lists must contain a known TLD (top-level domain) and, if there are any prefixes, must end with a '.'.
  • Only domain names are supported by the subscriber allowed and blocked lists; wildcards and services are not supported.

For Information on Upgrading Parental Control at DNS Cache Acceleration, see Upgrading Parental Control at DNS Cache Acceleration.

IB-FLEX Platform Settings for DNS Cache Acceleration

When you enable the DNS cache acceleration feature on IB-FLEX, ensure that the member has enough CPU and memory to start the service and that it does not contain any authoritative zones. Note that you cannot start the service if the total CPU is less than 8 cores or if memory is less than 12 GB. For the mandatory resources required to start the service, see Table 8.8.

If the DNS cache acceleration feature is enabled on a pre-provisioned member and fails to start due to insufficient resources on the member, the DCA status is displayed as failed. If you disable DCA on a member with insufficient resources, the member is not displayed in the DCA -> Members tab.

Note

  • Under certain circumstances, the DNS cache acceleration feature may not function normally when you perform a product restart. This happens due to increased resource allocation on the virtual machine and the appliance does not log any entries in the syslog. Infoblox recommends that you restart or reboot the system and free up server resources if you encounter this issue.
  • Before enabling DNS Cache Acceleration or ADP on virtual platforms, ensure that the ssse3, sse4_1, and sse4_2 CPU flags are set on the host server. For more information, see https://help.ubuntu.com/lts/serverguide/DPDK.html.en

  • If you see the "/usr/bin/fast-path.sh: error starting /usr/bin/fp-rte. Check logs for details" error message in the infoblox.log file, ensure that the ssse3, sse4_1, and sse4_2 flags are set for the VM.
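As an added example that is not part of this page or of Infoblox's own tooling, the following POSIX shell script checks the prerequisites this section lists for a virtual platform (at least 8 CPU cores, at least 12 GB of memory, and the ssse3, sse4_1, and sse4_2 flags visible to the VM) before you enable DCA. The function names and the DCA_LIVE variable are assumptions, and the flag strings used for testing are constructed.

```shell
#!/bin/sh
# Added pre-flight check, not Infoblox code. It tests the minimums this page
# states for enabling DCA on a virtual platform: at least 8 CPU cores, at
# least 12 GB of memory, and the ssse3, sse4_1 and sse4_2 CPU flags exposed
# to the VM. The dca_* function names and DCA_LIVE variable are assumptions.

REQUIRED_FLAGS="ssse3 sse4_1 sse4_2"
MIN_CORES=8
MIN_MEM_KB=$((12 * 1024 * 1024))   # /proc/meminfo reports MemTotal in kB

# missing_flags "<flags line>": prints the required flags that are absent.
missing_flags() {
  padded=" $1 "
  missing=""
  for f in $REQUIRED_FLAGS; do
    case "$padded" in
      *" $f "*) ;;                  # flag present
      *) missing="$missing $f" ;;   # flag absent
    esac
  done
  printf '%s\n' "${missing# }"
}

# dca_preflight CORES MEM_KB "<flags line>": returns 0 when every minimum
# is met, 1 otherwise, and reports each shortfall on stdout.
dca_preflight() {
  status=0
  if [ "$1" -lt "$MIN_CORES" ]; then
    echo "FAIL: $1 CPU cores (minimum $MIN_CORES)"; status=1
  fi
  if [ "$2" -lt "$MIN_MEM_KB" ]; then
    echo "FAIL: $2 kB memory (minimum 12 GB)"; status=1
  fi
  absent=$(missing_flags "$3")
  if [ -n "$absent" ]; then
    echo "FAIL: CPU flags not visible to the VM: $absent"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: host meets the DCA minimums"
  return "$status"
}

# Live values from a Linux host; run with DCA_LIVE=1 to check this machine.
if [ "${DCA_LIVE:-0}" = 1 ]; then
  cores=$(nproc 2>/dev/null || echo 0)
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
  flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1 | cut -d: -f2-)
  dca_preflight "${cores:-0}" "${mem_kb:-0}" "$flags"
  exit $?
fi
```

The exit status is 0 only when all three minimums are met, so the script can gate an automated pre-provisioning step.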
