Introduction:
A DNS Forwarder is a Domain Name System (DNS) server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. Forwarding queries to different upstream servers according to their domain name is known as conditional forwarding. In this article, we will take a look at configuring DNS forwarding in NSX-T.
DNS Forwarders cache the results of previous requests. When a DNS Forwarder receives a DNS request, it first checks its local cache. If the result is not cached, the DNS Forwarder forwards the query to a DNS server outside the network. Cached DNS records reduce the load on upstream nameservers and shorten response times for repeated queries.
In NSX-T, DNS Forwarding is performed by dnsmasq, an open-source, lightweight caching DNS server.
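The cache-first, conditional-forwarding behaviour described above, as an added example in Python (my own model, not NSX-T or dnsmasq code). The zone layout and addresses are the lab values used later in this article (listener 192.168.50.1, default zone source 192.168.50.2, conditional zone source 192.168.50.3, upstream 192.168.110.10); the upstream answers in UPSTREAM_RECORDS and the fake_upstream function are constructed stand-ins for the network round trip. It also shows TTL-based expiry and a flush, which is the behaviour the comments at the end of the article ask about.

```python
"""Cache-first lookup with conditional (suffix-based) zone selection.

Added example modelling the behaviour described in the article; not NSX-T or
dnsmasq code. Addresses are the article's lab values; UPSTREAM_RECORDS and
fake_upstream are constructed for the demonstration."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str                        # "" for the default zone
    upstream: str                    # DNS server the zone forwards to
    source_ip: Optional[str] = None  # None -> queries leave from the listener IP


@dataclass
class Forwarder:
    listener_ip: str
    default_zone: Zone
    conditional_zones: List[Zone] = field(default_factory=list)
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"received": 0, "local": 0, "forwarded": 0})

    def select_zone(self, qname: str) -> Zone:
        """Longest matching domain suffix wins; anything else uses the default zone."""
        q = qname.rstrip(".").lower()
        best = None
        for zone in self.conditional_zones:
            dom = zone.name.rstrip(".").lower()
            matches = q == dom or q.endswith("." + dom)
            if matches and (best is None or len(dom) > len(best.name.rstrip("."))):
                best = zone
        return best or self.default_zone

    def source_for(self, zone: Zone) -> str:
        """Source address of the forwarded query (the optional per-zone Source IP)."""
        return zone.source_ip or self.listener_ip

    def resolve(self, qname, upstream_lookup, now=None):
        """Returns (answer, origin); origin is 'cache' or the upstream IP queried."""
        now = time.time() if now is None else now
        key = qname.rstrip(".").lower()
        self.stats["received"] += 1
        cached = self.cache.get(key)
        if cached and cached[1] > now:          # unexpired entry: answer locally
            self.stats["local"] += 1
            return cached[0], "cache"
        zone = self.select_zone(key)
        answer, ttl = upstream_lookup(zone.upstream, self.source_for(zone), key)
        self.cache[key] = (answer, now + ttl)   # entry expires with the record TTL
        self.stats["forwarded"] += 1
        return answer, zone.upstream

    def flush(self, qname=None):
        """Drop one cached name, or the whole cache when no name is given."""
        if qname is None:
            self.cache.clear()
        else:
            self.cache.pop(qname.rstrip(".").lower(), None)


# Constructed upstream data: name -> (answer, TTL in seconds)
UPSTREAM_RECORDS = {
    "nsxtmgr.core.hypervizor.com": ("192.168.110.26", 300),
    "www.vmware.com": ("10.113.78.20", 60),
}


def fake_upstream(server, source_ip, name):
    """Stand-in for the query sent to `server` from `source_ip` (constructed)."""
    if name not in UPSTREAM_RECORDS:
        raise LookupError(f"{name}: NXDOMAIN from {server}")
    return UPSTREAM_RECORDS[name]


def build_lab_forwarder() -> Forwarder:
    """The article's lab layout: one default zone and one conditional FQDN zone."""
    default = Zone("", "192.168.110.10", source_ip="192.168.50.2")
    conditional = Zone("core.hypervizor.com", "192.168.110.10", source_ip="192.168.50.3")
    return Forwarder("192.168.50.1", default, [conditional])


if __name__ == "__main__":
    fwd = build_lab_forwarder()
    for name in ("nsxtmgr.core.hypervizor.com", "nsxtmgr.core.hypervizor.com", "www.vmware.com"):
        print(name, fwd.resolve(name, fake_upstream))
    print(fwd.stats)
```

The second lookup of the same name is answered from the cache; once the record's TTL has passed, or after a flush, the name is forwarded again. The `source_for` method reproduces the rule from the configuration section: a zone without a Source IP sends its upstream queries from the listener (DNS Service) IP.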
DNS Forwarding can be configured from two sections of the NSX-T User Interface:
- Networking is the recommended configuration method for NSX-T 2.4 onwards; it is backed by the Policy API.
- Advanced Networking & Security is the configuration method for NSX-T 2.3 and older; it is backed by the Management Plane API.
In this case, we will be reviewing the configuration steps in an NSX-T 2.5 lab using the Networking section, to future-proof the configuration for subsequent NSX-T releases. This Policy API based setup will also prepare for future lab enhancements in this series of articles.
Three-Step Summary of Configuring DNS Forwarding in NSX-T (with an optional fourth step):
Step 1: Create a DNS Zone
Step 2: Create a DNS Service
Step 3: Configure Tier Gateway Route Advertisement of All DNS Forwarder Routes
Step 4: Optional DNS Forwarder Configuration Changes
Lab Topology:
The DNS Forwarder is a logical construct, not connected to a segment, but is associated with a Tier-0 or Tier-1 Gateway.
Three-Step Configuration Details:
Step 1: Create a DNS Zone
Add a Default Zone under the Networking section, not under Advanced Networking & Security, to future-proof the setup. The DNS Server IP address, 192.168.110.10, is the external DNS server to which the DNS Forwarder will forward DNS queries.
Step 2: Create a DNS Service
Add a DNS Service, where:
- The DNS Service IP is the address that DNS clients use to reference the DNS Forwarder.
- The Default DNS Zone is the DNS Zone created in Step 1.
Step 3: Configure Tier Gateway Route Advertisement of All DNS Forwarder Routes
The DNS Forwarder IP needs to be reachable from the external DNS server, so the forwarder's /32 route must be advertised. Here the Tier-1 Gateway is configured to advertise All DNS Forwarder Routes.
To propagate the DNS Forwarder IP to the physical BGP peer, the Tier-0 Gateway is configured to redistribute the DNS Forwarder IP advertised by the Tier-1.
Step 4: Optional DNS Forwarder Configuration Changes:
You have the option of adding FQDN Zones if you have additional DNS namespaces that you would like to conditionally forward. My lab uses the core.hypervizor.com namespace, for which I have created a sample FQDN Zone. It's not required, since it points to the same DNS Server as the Default DNS Zone; it has been added to demonstrate conditional forwarding.
Once created, FQDN Zones need to be associated with a DNS Service.
Notice that I've not been specifying a Source IP in the DNS Zones. This optional parameter gives you further control over the source IP of the forwarded request. If you leave the Source IP blank, the forwarded request is sent from the DNS Service IP specified in the DNS Service.
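The same four steps expressed as Policy API calls, as an added example for readers who would rather script the setup than click through the Networking section. This is my own script, not VMware code or anything from the article. The endpoint paths and field names follow the NSX-T 2.5 Policy API as I know it (dns-forwarder-zones, the Tier-1 dns-forwarder child object, Tier-1 route_advertisement_types, and locale-services route_redistribution_types); check them against the API reference for your release, since NSX-T 3.x moved Tier-0 redistribution under route_redistribution_config. The object ids (default-zone, hypervizor-zone, T1-GW-01, T0-GW-01, locale service "default") and the manager URL are assumptions; the IP addresses are the lab values from this article.

```python
"""Policy API equivalent of Steps 1 to 4, as one idempotent script.

Added example, not VMware code. Paths and fields follow the NSX-T 2.5 Policy
API as recalled by the author of this example; verify against your release.
Object ids and the manager URL are assumptions; IPs are the article's lab values."""
import base64
import json
import ssl
import urllib.request

MANAGER = "https://nsxtmgr.core.hypervizor.com"  # assumed manager URL
UPSTREAM = "192.168.110.10"                      # external DNS server (Step 1)


def zone_payload(name, upstream, domains=None, source_ip=None):
    """PolicyDnsForwarderZone body; without dns_domain_names it is a default zone."""
    body = {"display_name": name, "upstream_servers": [upstream]}
    if domains:
        body["dns_domain_names"] = list(domains)
    if source_ip:  # left out -> forwarded queries leave from the listener IP
        body["source_ip"] = source_ip
    return body


def forwarder_payload(listener_ip, default_zone_id, conditional_zone_ids=()):
    """PolicyDnsForwarder body for Step 2: listener IP plus zone paths."""
    prefix = "/infra/dns-forwarder-zones/"
    return {
        "display_name": "lab-dns-forwarder",
        "listener_ip": listener_ip,
        "enabled": True,
        "default_forwarder_zone_path": prefix + default_zone_id,
        "conditional_forwarder_zone_paths": [prefix + z for z in conditional_zone_ids],
    }


def with_type(existing, new_type):
    """A list in a PATCH replaces the stored list, so merge instead of overwriting."""
    merged = list(existing)
    if new_type not in merged:
        merged.append(new_type)
    return merged


def lab_calls(tier1="T1-GW-01", tier0="T0-GW-01", locale="default",
              tier1_adv=("TIER1_CONNECTED",), tier0_redist=("TIER0_CONNECTED",)):
    """Ordered (method, path, body) tuples for the whole procedure.
    tier1_adv / tier0_redist are the types already configured (GET them first)."""
    zones = "/policy/api/v1/infra/dns-forwarder-zones/"
    return [
        ("PATCH", zones + "default-zone",
         zone_payload("Default Zone", UPSTREAM, source_ip="192.168.50.2")),
        ("PATCH", zones + "hypervizor-zone",
         zone_payload("core.hypervizor.com", UPSTREAM, ["core.hypervizor.com"], "192.168.50.3")),
        ("PATCH", f"/policy/api/v1/infra/tier-1s/{tier1}/dns-forwarder",
         forwarder_payload("192.168.50.1", "default-zone", ["hypervizor-zone"])),
        ("PATCH", f"/policy/api/v1/infra/tier-1s/{tier1}",
         {"route_advertisement_types": with_type(tier1_adv, "TIER1_DNS_FORWARDER_IP")}),
        ("PATCH", f"/policy/api/v1/infra/tier-0s/{tier0}/locale-services/{locale}",
         {"route_redistribution_types": with_type(tier0_redist, "TIER1_DNS_FORWARDER_IP")}),
    ]


def apply(calls, user, password, verify_tls=True):
    """Send the calls with HTTP basic auth and return the HTTP status codes."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    statuses = []
    for method, path, body in calls:
        req = urllib.request.Request(MANAGER + path, data=json.dumps(body).encode(),
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    for method, path, body in lab_calls():
        print(method, path, json.dumps(body))
```

The order matters: the zones must exist before the dns-forwarder object references their paths, and the Tier-1 advertisement must be in place before the Tier-0 redistribution has anything to pick up. Because the advertisement and redistribution fields are lists that a PATCH replaces wholesale, `lab_calls` takes the types already configured on the gateways and appends TIER1_DNS_FORWARDER_IP rather than overwriting them.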
Lab DNS Forwarder Configuration
Here is an overview of the resulting configuration using the optional DNS Zone Source IPs. Note that the FQDN Zone is not required, since it points to the same DNS Server as the Default DNS Zone; it has been added to demonstrate conditional forwarding.
Announcing the Forwarding Service route:
Without specifying a Source IP in the DNS Zones, the DNS Service IP is announced:
vRouter_DC01#show ip bgp
BGP table version is 38, local router ID is 192.168.150.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                  0                    i
 *>  10.155.14.0/24   0.0.0.0                  0         32768      ?
 *>  10.160.110.0/24  0.0.0.0                  0         32768      ?
 *>  192.168.21.0     0.0.0.0                  0         32768      ?
     192.168.50.1/32  192.168.100.103          0             0 65111 ?   <--- DNS Forwarder IP learned by the physical network is the DNS Service IP.
 *>                   192.168.100.102          0             0 65111 ?
     192.168.70.0     192.168.100.103          0             0 65111 ?
 *>                   192.168.100.102          0             0 65111 ?
     192.168.100.0    192.168.100.103          0             0 65111 ?
                      192.168.100.102          0             0 65111 ?
 *>                   0.0.0.0                  0         32768      ?
 *>  192.168.150.0    0.0.0.0                  0         32768      ?
vRouter_DC01#
For comparison, here the Source IP in the DNS Zones has been specified.
When specifying a Source IP in the DNS Zones, the Source IP is announced:
vRouter_DC01#show ip bgp
BGP table version is 41, local router ID is 192.168.150.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                  0                    i
 *>  10.155.14.0/24   0.0.0.0                  0         32768      ?
 *>  10.160.110.0/24  0.0.0.0                  0         32768      ?
 *>  192.168.21.0     0.0.0.0                  0         32768      ?
     192.168.50.2/32  192.168.100.103          0             0 65111 ?   <--- DNS Forwarder IP learned by the physical network is the DNS Zone Source IP.
 *>                   192.168.100.102          0             0 65111 ?
     192.168.50.3/32  192.168.100.103          0             0 65111 ?   <--- DNS Forwarder IP learned by the physical network is the DNS Zone Source IP.
 *>                   192.168.100.102          0             0 65111 ?
     192.168.70.0     192.168.100.103          0             0 65111 ?
 *>                   192.168.100.102          0             0 65111 ?
     192.168.100.0    192.168.100.103          0             0 65111 ?
                      192.168.100.102          0             0 65111 ?
 *>                   0.0.0.0                  0         32768      ?
 *>  192.168.150.0    0.0.0.0                  0         32768      ?
vRouter_DC01#
Testing DNS with nslookup:
We will start by running a few queries from our DNS client, in this case using nslookup on a Photon OS guest VM connected to the NSX-T overlay.
root@photon-machine [ ~ ]# nslookup
> server 192.168.50.1
Default server: 192.168.50.1
Address: 192.168.50.1#53
> www.vmware.com
Server:         192.168.50.1
Address:        192.168.50.1#53

Non-authoritative answer:
www.vmware.com  canonical name = www-vip-int.vmware.com.
Name:   www-vip-int.vmware.com
Address: 10.113.78.20
> nsxtmgr.core.hypervizor.com
Server:         192.168.50.1
Address:        192.168.50.1#53

Name:   nsxtmgr.core.hypervizor.com
Address: 192.168.110.26
Verifying DNS Forwarding using the NSX-T Web UI:
A special thanks goes out to Harikrishnan T, at https://vxplanet.com/ for helping me find the following DNS Forwarding statistics in the NSX-T UI.
The DNS Forwarder statistics in the UI give a high-level overview of the DNS Forwarder operation.
Verifying DNS Forwarding using the NSX-T Edge CLI:
It's possible to get a detailed view of DNS Forwarder operation from the NSX-T Edge CLI.
nsxtedge02> get dns-forwarder status
ERR_MSG:
HA_STATUS: ACTIVE
STATUS: up
UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
nsxtedge02> get dns-forwarder config
CACHE_SIZE: 1024
CONDITIONAL_ZONE:
  DOMAIN_NAME:
    core.hypervizor.com
  SOURCE_IP:
    IPV4: 192.168.50.3
  UPSTREAM_SERVER:
    IPV4: 192.168.110.10
DEFAULT_ZONE:
  SOURCE_IP:
    IPV4: 192.168.50.2
  UPSTREAM_SERVER:
    IPV4: 192.168.110.10
ENABLED: True
ID:
  4be21b95-d850-4c8d-baaa-1964dc907e38
LISTENER_IP:
  IPV4: 192.168.50.1
LOG_LEVEL:
  LB_LOG_LEVEL_INFO
LOGICAL_ROUTER_ID:
  cbf4e534-3ad4-4cfb-83b2-79e03f7c80c0
MSG_TIMESTAMP:
  2019-11-28 19:46:45.072000 (timestamp: 1574970405072)
SR_CLUSTER_ID:
  00002000-0000-0000-0000-00000000000c
nsxtedge02> get dns-forwarder 4be21b95-d850-4c8d-baaa-1964dc907e38 stats
STATS:
  CACHED_ENTRIES: 35
  CONDITIONAL_FORWARDER_STATISTICS:
    DOMAIN_NAMES:
      core.hypervizor.com
    UPSTREAM_STATISTICS:
      QUERIES_FAILED: 0
      QUERIES_SUCCEEDED: 4
      UPSTREAM_SERVER: 192.168.110.10
  CONFIGURED_CACHE_SIZE: 1024
  DEFAULT_FORWARDER_STATISTICS:
    DOMAIN_NAMES:
    UPSTREAM_STATISTICS:
      QUERIES_FAILED: 0
      QUERIES_SUCCEEDED: 6
      UPSTREAM_SERVER: 192.168.110.10
  QUERIES_ANSWERED_LOCALLY: 1
  QUERIES_FORWARDED: 33
  RECEIVED_QUERIES_NUMBER: 34
  TIME_STAMP: 2019-11-28 20:30:47.773000 (timestamp: 1574973047773)
  USED_CACHE_SIZE: 4
  UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
nsxtedge02> get dns-forwarder 4be21b95-d850-4c8d-baaa-1964dc907e38 cache
CACHE:
  CACHE_FLAGS: 4-IPv4 6-IPv6 F-Forwarded R-Reverse I-Immortal X-No-Domain H-Host E-Expired A-Active
  CACHE_FREED: 24
  CACHE_LIVE_FREED: 0
  CACHES:
    Host                           Address                  Flags   Expires
    time4.google.com               216.239.35.12            4AF     Thu Nov 28 20:36:07 2019
    time2.google.com               216.239.35.4             4AF     Thu Nov 28 20:32:52 2019
    vcenter01.core.hypervizor.com                           6AF N   Thu Nov 28 21:02:17 2019
    www.vmware.com                 www-vip-int.vmware.com   CAF     Thu Nov 28 20:52:33 2019
    nsxtmgr.core.hypervizor.com                             6AF N   Thu Nov 28 21:05:55 2019
    nsxtmgr.core.hypervizor.com    192.168.110.26           4AF     Thu Nov 28 21:05:55 2019
  QUERIES_ANSWERED_LOCALLY: 1
  QUERIES_FORWARDED: 33
  TIMESTAMP: 2019-11-28 20:30:56.703000 (timestamp: 1574973056703)
  TOTAL_CACHE_ENTRIES: 8192
  TOTAL_QUERY_NUMBER: 34
  USED_CACHE_ENTRIES: 35
ERR_MSG:
UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
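The stats output above is what you would poll to spot an upstream outage or a forwarder that is no longer caching. As an added example (my own script, not NSX-T code), the following parses that output into counters and per-upstream success/failure totals, computes a cache hit ratio and cache utilisation, and raises an alert when the failure rate to any upstream passes a threshold. SAMPLE_STATS is the lab output from this article re-indented as text; the 5% threshold and the alert wording are my choices.

```python
"""Health check over the text of `get dns-forwarder <uuid> stats`.

Added example, not NSX-T code. SAMPLE_STATS is the stats output shown in the
article, re-indented; the threshold and alert wording are constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE_STATS = """\
STATS:
  CACHED_ENTRIES: 35
  CONDITIONAL_FORWARDER_STATISTICS:
    DOMAIN_NAMES:
      core.hypervizor.com
    UPSTREAM_STATISTICS:
      QUERIES_FAILED: 0
      QUERIES_SUCCEEDED: 4
      UPSTREAM_SERVER: 192.168.110.10
  CONFIGURED_CACHE_SIZE: 1024
  DEFAULT_FORWARDER_STATISTICS:
    DOMAIN_NAMES:
    UPSTREAM_STATISTICS:
      QUERIES_FAILED: 0
      QUERIES_SUCCEEDED: 6
      UPSTREAM_SERVER: 192.168.110.10
  QUERIES_ANSWERED_LOCALLY: 1
  QUERIES_FORWARDED: 33
  RECEIVED_QUERIES_NUMBER: 34
  TIME_STAMP: 2019-11-28 20:30:47.773000 (timestamp: 1574973047773)
  USED_CACHE_SIZE: 4
  UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
"""

KV = re.compile(r"^\s*([A-Z_]+):\s*(.*?)\s*$")


def parse_stats(text: str) -> Tuple[Dict[str, int], List[dict]]:
    """Flatten integer counters; group QUERIES_FAILED/SUCCEEDED per upstream.

    In the CLI output the UPSTREAM_SERVER line closes each upstream block, so
    the counters are held in `pending` until the server address arrives."""
    counters: Dict[str, int] = {}
    upstreams: List[dict] = []
    section = None
    pending: dict = {}
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue  # bare values such as the zone domain name
        key, value = m.groups()
        if key.endswith("_FORWARDER_STATISTICS"):
            section = key.replace("_FORWARDER_STATISTICS", "").lower()
        elif key in ("QUERIES_FAILED", "QUERIES_SUCCEEDED"):
            pending[key.split("_")[1].lower()] = int(value)
        elif key == "UPSTREAM_SERVER":
            pending.update(server=value, section=section)
            upstreams.append(pending)
            pending = {}
        elif value.isdigit():
            counters[key] = int(value)
    return counters, upstreams


def assess(text: str, max_failure_ratio: float = 0.05) -> dict:
    """Summarise cache effectiveness and flag upstreams that are failing."""
    counters, upstreams = parse_stats(text)
    received = counters.get("RECEIVED_QUERIES_NUMBER", 0)
    local = counters.get("QUERIES_ANSWERED_LOCALLY", 0)
    report = {
        "hit_ratio": local / received if received else 0.0,
        "cache_utilization": counters.get("USED_CACHE_SIZE", 0)
        / max(counters.get("CONFIGURED_CACHE_SIZE", 1), 1),
        "upstreams": upstreams,
        "alerts": [],
    }
    for u in upstreams:
        total = u["failed"] + u["succeeded"]
        if total and u["failed"] / total > max_failure_ratio:
            report["alerts"].append(
                f"{u['section']} zone: {u['failed']}/{total} queries to {u['server']} failed")
    if counters.get("QUERIES_FORWARDED", 0) + local > received:
        report["alerts"].append("forwarded + local exceeds received; counters inconsistent")
    return report


if __name__ == "__main__":
    print(assess(SAMPLE_STATS))
```

Run against the article's output this reports a hit ratio of 1/34 and no alerts; swap in a capture with non-zero QUERIES_FAILED for an upstream and the alert names the zone and server involved, which is usually enough to tell a broken default zone from a broken conditional zone.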
DNS Forwarding Troubleshooting:
This article covers configuring DNS forwarding in NSX-T. This will be followed up with a DNS Forwarding Troubleshooting article.
Thanks for the mention and for this useful blog Gary. One thing I couldn't figure out during my exploration was how to clear the cached DNS entries. I believe the TTL for cached records is 300s, but if in between a DNS record was modified on the upstream DNS server, I believe we need to clear the forwarder cache, or at least the specific entry, to retry a lookup and cache it again.
Cheers
Hari
Hari,
Thank you, the related NSX-T Edge commands would be:
get dns-forwarder cache
reset dns-forwarder cache
From my lab, this clears the entire cache.
Keep up the great work on vxplanet.com!
Best Regards,
Gary
This is great. Thanks Gary. Once again thanks for this amazing article. Cheers