GSLB and pinpoint DNS zone with MS DNS


Kari Ruissalo


Hi,

I'm rather new to GSLB but am now implementing several environments and I need to get my head around one thing.

I have already completed the GSLB eLearning and read through Carl Stalhoods great article about setting up GSLB and the DNS delegation part (https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-12/#dnsdelegation).

The DNS delegation seems to cover mainly the whole DNS zone, but we're often implementing a split-DNS scenario, where the clients always connect to for example the applications.company.com address, whether they are working from the internal network or the internet. To achieve this, we often need to create a "pinpoint DNS zone" (= single-record DNS zone) in the internal DNS for that specific record. We do this to direct only the internal DNS queries to an internal GW IP rather than the public one, and this also allows us to avoid replicating all the DNS records from the top-level domain (company.com.) to the internal DNS (often hosted by MS AD-integrated DNS).

However, we now noticed that if we create a pinpoint DNS zone and delegate that zone to the ADC hosted ADNS IP, the name lookup doesn't pass through.

We figured out to create a conditional forwarder instead for that specific record (applications.company.com), which seems to be working perfectly. Are there any downsides with this approach?


Delegating a single record is actually the same as for delegating a zone.

Imagine you have "mysite.com".... and your DNS lists the "www.mysite.com" and a few other records, including the "mysite.com" one.

Now imagine you want to delegate the "remote.mysite.com" zone: you create a couple of NS records to point "remote" to the NetScaler's DNS. The DNS doesn't care if it's a zone (e.g. the user will go to "a.remote.mysite.com" or just to "remote.mysite.com").

I've done this a couple of times now, works fine. For finesse, you maybe want to create an SOA for the delegated zone, keeps the world happier!

Of course, if the "mysite.com" DNS site is being load-balanced by NetScaler, then you don't need to delegate: DNS automatically looks in the DNS table before sending traffic to the DNS service (it caches DNS entries there).

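The split-DNS setup from the original question and the delegation described in the reply above, as an added PowerShell example that is not part of the thread. An NS delegation is data in the parent zone (the "applications" node inside company.com), so it can only be created on a server that hosts company.com; a pinpoint zone whose apex is applications.company.com instead makes the internal server authoritative for that name, and it then answers from its own (empty) zone data rather than referring the query onward. The conditional forwarder hands the name, and anything below it, to the ADC ADNS listener. The DNS server name, ADNS address and expected internal VIP are assumed placeholders.

```powershell
# Added example, not part of the thread: point an internal MS DNS server at the
# ADC ADNS listener for one GSLB-owned name while company.com stays external.
# Server name, ADNS IP and the expected internal VIP are assumptions.
Import-Module DnsServer

$Fqdn       = 'applications.company.com'
$AdnsIp     = '10.1.0.53'        # assumed: ADC ADNS listener reachable internally
$DnsServer  = 'dc01.corp.local'  # assumed: AD-integrated DNS server to configure
$ExpectedIp = '10.1.0.20'        # assumed: internal Gateway VIP that GSLB should return

# A pinpoint (single-record) zone for the name makes this server authoritative
# for it, so it answers from local zone data instead of following the NS
# records at the apex. Remove such a zone before adding the forwarder.
$existing = Get-DnsServerZone -ComputerName $DnsServer |
            Where-Object { $_.ZoneName -eq $Fqdn -and $_.ZoneType -ne 'Forwarder' }
if ($existing) {
    Remove-DnsServerZone -Name $Fqdn -ComputerName $DnsServer -Force
}

# Conditional forwarder: queries for $Fqdn and every name below it go to the
# ADNS listener. Forest-wide replication keeps all DCs consistent.
if (-not (Get-DnsServerZone -Name $Fqdn -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Fqdn -MasterServers $AdnsIp `
        -ReplicationScope 'Forest' -ComputerName $DnsServer
}

# A real delegation lives in the PARENT zone and only works where this server
# hosts company.com (the whole-zone case from the delegation article):
#   Add-DnsServerZoneDelegation -Name 'company.com' -ChildZoneName 'applications' `
#       -NameServer 'adns.company.com' -IPAddress $AdnsIp -ComputerName $DnsServer

# Verification: ask the internal resolver and the ADNS listener directly.
# Both must return the internal VIP, otherwise the query is not being forwarded.
function Test-GslbSplitDns {
    param([string]$Name, [string]$Resolver, [string]$Adns, [string]$Expected)
    $viaResolver = (Resolve-DnsName -Name $Name -Type A -Server $Resolver -DnsOnly -ErrorAction Stop).IPAddress
    $viaAdns     = (Resolve-DnsName -Name $Name -Type A -Server $Adns -DnsOnly -ErrorAction Stop).IPAddress
    [pscustomobject]@{
        Name        = $Name
        ViaResolver = ($viaResolver -join ',')
        ViaAdns     = ($viaAdns -join ',')
        Forwarded   = ($viaResolver -contains $Expected) -and ($viaAdns -contains $Expected)
    }
}

Test-GslbSplitDns -Name $Fqdn -Resolver $DnsServer -Adns $AdnsIp -Expected $ExpectedIp | Format-List
```

Two checks worth keeping after this: the internal DNS servers must be able to reach the ADNS listener on UDP and TCP 53 (the forwarder silently fails otherwise, and the query falls through to the normal forwarders and returns the public IP), and Get-DnsServerZone for the name must show ZoneType Forwarder on every DC, not Primary, which is the leftover pinpoint zone that breaks the lookup.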

Hi @Paul Blitz,

One more question. If I have an SSL service running (Gateway in this case) and I would like to also handle HTTP for the same IP address via GSLB (just to allow HTTP->HTTPS redirect), how can this be achieved? I tried creating GSLB services and a vServer for HTTP, but I can't bind the same domain name to two different GSLB vServers apparently.


I would rather not create an SOA record. What would it be good for? Who would query for this?

2) You don't need 2 GSLB vServers. GSLB is all about DNS, not about HTTP or HTTPS. Actually the query comes from a DNS server on the internet for gw.test.com. It gets to Citrix ADC, and Citrix ADC resolves the name. The result is returned to the client PC. The client PC then connects to the IP address, using the protocol it likes (i.e. HTTP). You need a service redirecting to SSL, same host name, so same IP (it gets cached for a minute or so, so no 2nd DNS query is needed).

Cheers Johannes Norz

@Citrix_ADC

visit my blog


  • 1 month later...
On 11/28/2019 at 8:10 PM, Johannes Norz said:

2) You don't need 2 GSLB vServers. GSLB is all about DNS, not about HTTP or HTTPS. Actually the query comes from a DNS server on the internet for gw.test.com. It gets to Citrix ADC, and Citrix ADC resolves the name. The result is returned to the client PC. The client PC then connects to the IP address, using the protocol it likes (i.e. HTTP). You need a service redirecting to SSL, same host name, so same IP (it gets cached for a minute or so, so no 2nd DNS query is needed).

OK. Thanks Johannes. I just got confused as the GSLB vServer itself is configured for a specific protocol.


  • 2 weeks later...
On 11/28/2019 at 8:01 AM, Kari Ruissalo said:

One more question. If I have an SSL service running (Gateway in this case) and I would like to also handle HTTP for the same IP address via GSLB (just to allow HTTP->HTTPS redirect), how can this be achieved? I tried creating GSLB services and vServer for HTTP, but I can't bind the same domain name for two different GSLB vServers apparently.

If the HTTP is no more than a redirect, then it is pretty minimal traffic, so doesn't really matter THAT much if it's not optimally load-balanced between the sites.... just create the HTTP (redirecting) vserver on both sites on the same IPs (and FQDN) as the SSL vservers, but keep the GSLB looking at the SSL vservers.

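The redirect-only HTTP listener that both replies above describe (same host name, same VIP as the Gateway vserver, GSLB left pointing at the SSL vservers), as an added PowerShell example using the ADC NITRO REST API; it is not code from the thread or from Citrix. The management addresses, VIPs, site names and credentials are assumed placeholders, the management certificate is assumed to be trusted by the host running the script, and the configuration user should be a least-privilege command-policy user rather than nsroot.

```powershell
# Added example, not part of the thread: on each GSLB site, create an HTTP
# vserver on the SAME VIP as the Gateway (SSL) vserver whose only job is to
# redirect to https://. Nothing is added on the GSLB side for port 80; the
# GSLB services keep monitoring the SSL vservers on 443.
# Management addresses, VIPs, site names and credentials are assumptions.

$Fqdn  = 'gw.test.com'                 # the one name GSLB hands out
$Sites = @(
    @{ Name = 'siteA'; Nsip = 'https://10.1.0.10'; Vip = '10.1.0.20' }  # assumed
    @{ Name = 'siteB'; Nsip = 'https://10.2.0.10'; Vip = '10.2.0.20' }  # assumed
)
$Cred = Get-Credential -Message 'ADC configuration user (least privilege, not nsroot)'

function Invoke-NitroPost {
    param([string]$Nsip, [string]$Resource, [hashtable]$Body)
    $headers = @{
        'X-NITRO-USER' = $Cred.UserName
        'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password
        'Content-Type' = 'application/json'
    }
    $r = Invoke-RestMethod -Method Post -Uri "$Nsip/nitro/v1/config/$Resource" `
             -Headers $headers -Body ($Body | ConvertTo-Json -Depth 4)
    # NITRO reports failures in the body as well as via HTTP status.
    if ($r -and $r.errorcode -and $r.errorcode -ne 0) {
        throw "NITRO $Resource on $Nsip failed: $($r.errorcode) $($r.message)"
    }
    $r
}

foreach ($site in $Sites) {
    $vsName = "lb_vs_$($site.Name)_$($Fqdn -replace '\.', '_')_http_redirect"

    # HTTP lb vserver on the Gateway VIP, port 80, with no services bound.
    # It therefore stays DOWN, and a DOWN lb vserver answers every request
    # with its redirectURL. The path is not preserved by this method; if
    # that matters, use a responder policy on an UP vserver instead.
    Invoke-NitroPost -Nsip $site.Nsip -Resource 'lbvserver' -Body @{
        lbvserver = @{
            name        = $vsName
            servicetype = 'HTTP'
            ipv46       = $site.Vip
            port        = 80
            redirecturl = "https://$Fqdn/"
        }
    } | Out-Null

    # Persist the running configuration on that node.
    Invoke-NitroPost -Nsip $site.Nsip -Resource 'nsconfig?action=save' -Body @{ nsconfig = @{} } | Out-Null

    Write-Host "$($site.Name): $vsName on $($site.Vip):80 -> https://$Fqdn/"
}
```

Because the HTTP vserver shares the VIP that GSLB already returns for the name, whichever site a client is sent to will answer port 80 with the redirect; the redirect itself is not load-balanced, which, as the reply above notes, does not matter for a single response. To check from a client, request http://gw.test.com/ and confirm the response is a redirect to https://gw.test.com/, then confirm that the SSL Gateway vserver on the same VIP is unchanged.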
