GSLB DNS proxy

[Royce Mendoza1709160095]

Hi 

 

I just want to check if my understanding is right. I'm planning to implement GSLB on my Citrix ADC and use DNS proxy aside from Citrix ADC as the ADNS.

 

Based on my understanding on the below image, i will have a DNS load balancing virtual server IP address that is NAT to a public ip address. So meaning i have 1 Public IP address for each data center that is resolvable using 1 domain (example.com)? So i need to create A record on the external DNS.

 

1 DNS = 2 public IP (for 2 data centers)

 

After that, i was wondering where did the 10.217.146.40 / 10.217.146.45 (image below) comes from? Is this the Load balancing virtual server of my backend servers resolved by the internal DNS servers?

 

Please correct me if i am wrong.

 

Thank you.

 

[Rhonda Rowland1709152125]

The diagram isn't as clear as it needs to be.

 

You have your DNS lookup phase which gets you to the DNS LB VIP (the dns proxy) and then you have your GSLB FQDN to IP resolution phase (which is what I assume the destination IPs: 10.217.145.40 and .45 are referring to).

 

During the DNS lookup:

Client initiates lookup of support.example.com (which is a GSLB-based FQDN).

This request goes to Root nameserver (10.10.128.30), who sends them to COM (TLD nameserver) at 10.10.112.30.

COM sends request to your DNS authority(ies) which are the DNS LB VSERVER in SiteA and SiteB at 10.10.178.77 or 10.10.178.78. 

Site A DNS LB VSERVER (10.10.178.77) is set up to do DNS load balancing...

 

If the request being looked up was NOT GSLB based, then the DNS LB vserver would serve the request out of its DNS cache (if previously retrieved) or forward to either of the actual DNS servers to resolve.

 

However, if the request comes in to the DNS LB VSERVER is owned by GSLB (the bound fqdn's appear as placeholders in the DNS table with a mapping to the GSLB vserver to use).  The request is handled by GSLB resolution instead of your DNS servers.  GSLB's job is to resolve in this case the name support.example.com to the destinations services (which in this example) appears to be 10.217.146.40 or .45 (can't tell for sure, because neither your gslb service IPs or your external DNS IPs are listed)

 

So if GSLB makes the decision, it will return to client via the DNS VIP. Then they will proceed to the connection phase to the VIP specified.

But bottom line, once a dns resolution request GETS to the DNS vserver, the order is:

1) if FQDN is associated with GSLB, GSLB will make the DNS resolution decision and DNS Proxy will return it to client. (Dyanamic, always resolved by GSLB, never cached by dns on adc)

2) If not, and the DNS resolution was previously cached, the DNS proxy will return cached result

3)Finally, DNS lb vserver will direct to either DNS service for resolution, cache this new response and return IP to client.

 

 

 

 

 

[Royce Mendoza1709160095]

Hi Rhonda,

 

Thanks for your inputs. I'm just having an confusion regarding the external DNS and internal DNS servers. 

 

The external DNS servers associated with the 2 Public IP address (Lets assume this is public ip: 10.10.178.77 & 10.10.178.78) will resolve to my Load balancing virtual server. And my Internal DNS load balancing virtual server will resolve to my GSLB FQDN which is support.example.com? Am i correct?

 

Thank you.

[Rhonda Rowland1709152125]

External DNS resolutions will be forwarded to your external DNS Authority whether that's a DNS Proxy or an ADNS config depends on your goals.  

The point of GSLB is to handle the DNS resolution dynamically instead of relying on DNS doing a static resolution.

So any GSLB entity that gets to your External DNS resolver has to either be forwarded/delegated to the NS as an ADNS OR in the case of a DNS LB VSERVER, we just intercept the request as "ours" and it lets the GSLB system resolve the IPS and provides the response; for non-gslb entities, your regular DNS will handled.

For internal DNS, the same thing, what is the DNS resolution process for internal DNS and again, do you direct it to an internal facing DNS lb vserver (proxy) and let it again handle GSLB- vs non-gslb requests. Or do you have queries go to your internal dns and be delegated to the ADC ADNS authority for GSLB entities.

 

If you want one DNS to do both internal and external, then you may need DNS views or other mechanism to separate the external from internal resolutions.

 

The above diagram doesn't have internal dns, it just shows "fronting" the external DNS with the DNS Proxy as the dns authority.

 

GSLB DNS is covered in the GSLB Primer and a few related articles. But if this is still, unclear, we'll try to get you more info:

 

GSLB Primer (pdf at top for download):  https://support.citrix.com/article/CTX123976

https://support.citrix.com/article/CTX122619