
Configuring DNS Forwarding in NSX-T

Introduction:

A DNS Forwarder is a Domain Name System (DNS) server that accepts queries from clients on a network and forwards those it cannot answer itself to DNS servers outside that network. Forwarding queries to different upstream servers according to the domain name being queried is known as conditional forwarding. In this article, we will take a look at configuring DNS forwarding in NSX-T.

DNS Forwarders cache the results of previous requests. When a DNS Forwarder receives a DNS request, it first checks its local cache. If the record is not cached, the DNS Forwarder forwards the query to a DNS server outside the network and caches the answer until it expires. Cached DNS records reduce the load on upstream nameservers and shorten lookup times for clients.

In NSX-T, DNS Forwarding is performed by dnsmasq, an open-source lightweight caching DNS server, running as a service on the Edge node that hosts the gateway's service router.

DNS Forwarding configuration changes are made from one of two sections of the NSX-T User Interface:

  • Networking is the recommended configuration method for NSX-T 2.4 onwards, backed by the Policy API.
  • Advanced Networking & Security is the configuration method for NSX-T 2.3 and older, backed by the Management Plane API.

In this case, we will be reviewing the configuration steps in an NSX-T 2.5 lab using the Networking section, to future-proof the configuration for subsequent NSX-T releases. This Policy API based setup also prepares for future lab enhancements in this series of articles.

Configuring DNS Forwarding in NSX-T Summary (three required steps plus an optional fourth):

Step 1: Create a DNS Zone

Step 2: Create a DNS Service

Step 3: Configure Tier Gateway Route Advertisement of All DNS Forwarder Routes

Step 4: Optional DNS Forwarder Configuration Changes

Lab Topology:

The DNS Forwarder is a logical construct: it is not connected to a segment, but is associated with a Tier-0 or Tier-1 Gateway, and clients reach its listener IP through that gateway.

Configuration Details:

Step 1: Create a DNS Zone

Add a Default Zone under the Networking section, not under Advanced Networking & Security, to future-proof the setup. The DNS Servers field, 192.168.110.10 here, lists the external DNS server(s) to which the DNS Forwarder will forward any query that does not match an FQDN Zone.


Step 2: Create a DNS Service

Add a DNS Service, where:

  • The DNS Service IP is the listener address that DNS clients query (192.168.50.1 in this lab).
  • The Default DNS Zone is the DNS Zone created in Step 1.

Step 3: Configure Tier Gateway Route Advertisement of All DNS Forwarder Routes

The upstream DNS server must be able to route replies back to the address the DNS Forwarder sends queries from, so the DNS Forwarder IP needs to be reachable from the external DNS server. Here the Tier-1 Gateway is configured to advertise All DNS Forwarder Routes. Bear in mind that once the route is in the physical network, anything that learns it can reach the forwarder on UDP/TCP 53, so if the forwarder is only meant to serve overlay clients, limit the permitted sources with gateway firewall rules.

To propagate the DNS Forwarder IP to the physical BGP peer, the Tier-0 Gateway is configured to redistribute the DNS Forwarder IP it learns from the Tier-1.

Step 4: Optional DNS Forwarder Configuration Changes:

You have the option of adding FQDN Zones if you have additional DNS namespaces that you would like to conditionally forward to a specific DNS server. My lab uses the core.hypervizor.com namespace, for which I have created a sample FQDN Zone. It is not required, since it points to the same DNS Server as the Default DNS Zone, and has been added to demonstrate conditional forwarding.

Once created, FQDN Zones need to be associated with a DNS Service.

Notice that I have not been specifying a Source IP in the DNS Zones. This optional parameter gives you further control over the source IP of the DNS Forwarder's upstream requests. If you leave the Source IP blank, forwarded requests are sourced from the DNS Service IP, as specified in the DNS Service.
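The same four steps can be driven through the Policy API that the Networking UI is backed by. The following is an added example, not code from the original article or from VMware: endpoint paths, field names and enum values follow the NSX-T 2.5 Policy API, the object identifiers (TIER1_ID, TIER0_ID, LOCALE_SERVICE_ID and the zone IDs) and the manager address are assumptions, and the IP addresses and FQDN Zone domain are this lab's values. One pitfall it guards against: a PATCH replaces a list attribute wholesale, so the route advertisement and redistribution lists are read-modify-write, not overwritten with the single new value.

```python
"""Reproduce Steps 1 to 4 through the NSX-T Policy API.

Added example, not code from the original article or from VMware. Endpoint
paths, field names and enum values follow the NSX-T 2.5 Policy API; the
object identifiers (TIER1_ID, TIER0_ID, LOCALE_SERVICE_ID, zone IDs) and the
manager address are assumptions, while the IP addresses and the FQDN Zone
domain are the article's lab values. Standard library only.
"""
import base64
import json
import ssl
import urllib.request

# Lab values from the article.
UPSTREAM_DNS = "192.168.110.10"          # external DNS server (Step 1)
LISTENER_IP = "192.168.50.1"             # DNS Service IP queried by clients (Step 2)
DEFAULT_ZONE_SOURCE_IP = "192.168.50.2"  # optional Default Zone Source IP (Step 4)
FQDN_ZONE_SOURCE_IP = "192.168.50.3"     # optional FQDN Zone Source IP (Step 4)
FQDN_ZONE_DOMAIN = "core.hypervizor.com"

# Assumed object identifiers (not given in the article).
TIER1_ID = "t1-lab"
TIER0_ID = "t0-lab"
LOCALE_SERVICE_ID = "default"
DEFAULT_ZONE_ID = "default-zone"
FQDN_ZONE_ID = "core-hypervizor-zone"


def dns_zone(zone_id, upstream_servers, domain_names=(), source_ip=None):
    """Body for PATCH /infra/dns-forwarder-zones/<zone_id> (Steps 1 and 4).
    Empty domain_names makes a Default Zone, non-empty makes an FQDN Zone.
    Without source_ip the forwarder sends upstream queries from the
    listener (DNS Service) IP, which is what the article observes."""
    body = {
        "resource_type": "PolicyDnsForwarderZone",
        "id": zone_id,
        "display_name": zone_id,
        "upstream_servers": list(upstream_servers),
        "dns_domain_names": list(domain_names),
    }
    if source_ip:
        body["source_ip"] = source_ip
    return body


def dns_service(listener_ip, default_zone_id, fqdn_zone_ids=(), cache_size=1024):
    """Body for PATCH /infra/tier-1s/<tier1>/dns-forwarder (Step 2)."""
    zone = "/infra/dns-forwarder-zones/"
    return {
        "resource_type": "PolicyDnsForwarder",
        "display_name": "dns-forwarder",
        "listener_ip": listener_ip,
        "default_forwarder_zone_path": zone + default_zone_id,
        "conditional_forwarder_zone_paths": [zone + z for z in fqdn_zone_ids],
        "enabled": True,
        "log_level": "INFO",
        "cache_size": cache_size,
    }


def add_type(existing, new_type):
    """PATCH replaces a list attribute wholesale, so read the current list
    and append instead of sending only the new value (order kept, no dupes)."""
    return list(dict.fromkeys([*existing, new_type]))


def build_plan(t1_advertised=("TIER1_CONNECTED",), t0_redistributed=("TIER0_CONNECTED",)):
    """Ordered (method, path, body) calls. Zones first, because the service
    references them by path; then Step 3 on the Tier-1 (TIER1_DNS_FORWARDER_IP
    is the 'All DNS Forwarder Routes' toggle) and on the Tier-0 locale service
    (2.5 schema; 3.x moved this to route_redistribution_config). The two
    arguments are the lists currently configured on the gateways."""
    api = "/policy/api/v1/infra"
    return [
        ("PATCH", f"{api}/dns-forwarder-zones/{DEFAULT_ZONE_ID}",
         dns_zone(DEFAULT_ZONE_ID, [UPSTREAM_DNS], source_ip=DEFAULT_ZONE_SOURCE_IP)),
        ("PATCH", f"{api}/dns-forwarder-zones/{FQDN_ZONE_ID}",
         dns_zone(FQDN_ZONE_ID, [UPSTREAM_DNS], [FQDN_ZONE_DOMAIN], FQDN_ZONE_SOURCE_IP)),
        ("PATCH", f"{api}/tier-1s/{TIER1_ID}/dns-forwarder",
         dns_service(LISTENER_IP, DEFAULT_ZONE_ID, [FQDN_ZONE_ID])),
        ("PATCH", f"{api}/tier-1s/{TIER1_ID}",
         {"resource_type": "Tier1",
          "route_advertisement_types": add_type(t1_advertised, "TIER1_DNS_FORWARDER_IP")}),
        ("PATCH", f"{api}/tier-0s/{TIER0_ID}/locale-services/{LOCALE_SERVICE_ID}",
         {"resource_type": "LocaleServices",
          "route_redistribution_types": add_type(t0_redistributed, "TIER1_DNS_FORWARDER_IP")}),
    ]


def apply_plan(plan, manager, username, password, cafile=None):
    """Send the plan to NSX Manager with HTTP basic auth. TLS verification
    stays on (pass cafile for a private CA); turning it off would expose the
    admin credentials in the Authorization header to an on-path attacker."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    for method, path, body in plan:
        req = urllib.request.Request(
            f"https://{manager}{path}", data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            print(method, path, resp.status)
```

To use it, fetch the Tier-1's current route_advertisement_types and the Tier-0 locale service's route_redistribution_types with GET first, pass them to build_plan, then call apply_plan(plan, "nsxtmgr.core.hypervizor.com", "admin", password).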


Lab DNS Forwarder Configuration

Here is an overview of the resulting configuration, this time using the optional DNS Zone Source IPs (192.168.50.2 for the Default Zone and 192.168.50.3 for the FQDN Zone). As noted above, the FQDN Zone is only there to demonstrate conditional forwarding.

Announcing the Forwarding Service route:

Without a Source IP specified in the DNS Zones, the DNS Service IP (192.168.50.1/32) is the DNS Forwarder route announced:

vRouter_DC01#show ip bgp
BGP table version is 38, local router ID is 192.168.150.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                                0 i
 *>  10.155.14.0/24   0.0.0.0                  0         32768 ?
 *>  10.160.110.0/24  0.0.0.0                  0         32768 ?
 *>  192.168.21.0     0.0.0.0                  0         32768 ?
 *   192.168.50.1/32  192.168.100.103          0             0 65111 ?   <--- DNS Forwarder IP learned by the physical network is the DNS Service IP
 *>                   192.168.100.102          0             0 65111 ?
 *   192.168.70.0     192.168.100.103          0             0 65111 ?
 *>                   192.168.100.102          0             0 65111 ?
 *   192.168.100.0    192.168.100.103          0             0 65111 ?
 *                    192.168.100.102          0             0 65111 ?
 *>                   0.0.0.0                  0         32768 ?
 *>  192.168.150.0    0.0.0.0                  0         32768 ?
vRouter_DC01#

For comparison, with a Source IP specified in each DNS Zone, the Zone Source IPs are the DNS Forwarder routes announced (192.168.50.2/32 for the Default Zone and 192.168.50.3/32 for the FQDN Zone); note that the DNS Service IP, 192.168.50.1/32, no longer appears in this capture:

vRouter_DC01#show ip bgp
BGP table version is 41, local router ID is 192.168.150.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          0.0.0.0                                0 i
 *>  10.155.14.0/24   0.0.0.0                  0         32768 ?
 *>  10.160.110.0/24  0.0.0.0                  0         32768 ?
 *>  192.168.21.0     0.0.0.0                  0         32768 ?
 *   192.168.50.2/32  192.168.100.103          0             0 65111 ?   <--- DNS Forwarder IP learned by the physical network is the Default Zone Source IP
 *>                   192.168.100.102          0             0 65111 ?
 *   192.168.50.3/32  192.168.100.103          0             0 65111 ?   <--- DNS Forwarder IP learned by the physical network is the FQDN Zone Source IP
 *>                   192.168.100.102          0             0 65111 ?
 *   192.168.70.0     192.168.100.103          0             0 65111 ?
 *>                   192.168.100.102          0             0 65111 ?
 *   192.168.100.0    192.168.100.103          0             0 65111 ?
 *                    192.168.100.102          0             0 65111 ?
 *>                   0.0.0.0                  0         32768 ?
 *>  192.168.150.0    0.0.0.0                  0         32768 ?
vRouter_DC01#

Testing DNS with nslookup:

We will start by running a few queries from our DNS client, in this case nslookup on a Photon OS guest VM connected to the NSX-T overlay. The first query is resolved through the Default Zone, the second through the core.hypervizor.com FQDN Zone.

root@photon-machine [ ~ ]# nslookup
> server 192.168.50.1
Default server: 192.168.50.1
Address: 192.168.50.1#53

> www.vmware.com
Server:         192.168.50.1
Address:        192.168.50.1#53

Non-authoritative answer:
www.vmware.com  canonical name = www-vip-int.vmware.com.
Name:   www-vip-int.vmware.com
Address: 10.113.78.20

> nsxtmgr.core.hypervizor.com
Server:         192.168.50.1
Address:        192.168.50.1#53

Name:   nsxtmgr.core.hypervizor.com
Address: 192.168.110.26
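The same two lookups can be scripted with a raw UDP query so that each field of the reply (transaction ID, RCODE, CNAME chain, TTL) is checked rather than eyeballed, and so the test can state up front which zone should serve each name. This is an added example, not code from the original article: it assumes the lab's listener IP 192.168.50.1 and FQDN Zone core.hypervizor.com, and the two sample replies are constructed for offline testing, not captures from the lab.

```python
"""Probe the DNS Forwarder with a raw UDP query and parse the reply.

Added example, not from the original article. Assumes the lab listener
192.168.50.1 and the FQDN Zone core.hypervizor.com; the sample replies are
constructed (not lab captures). Standard library only.
"""
import os
import socket
import struct

LISTENER_IP = "192.168.50.1"
CONDITIONAL_DOMAINS = ["core.hypervizor.com"]


def zone_for(name, conditional_domains):
    """Which zone serves a name: the longest matching FQDN Zone suffix,
    otherwise the Default Zone (suffix matching, as dnsmasq does it)."""
    name = name.rstrip(".").lower()
    hits = [d for d in conditional_domains
            if name == d.lower() or name.endswith("." + d.lower())]
    return max(hits, key=len) if hits else "default"


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Header (ID, RD set, one question) + question of type qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == 5:                          # CNAME
            value, _ = decode_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80), "answers": answers}


def query(name, server=LISTENER_IP, timeout=2.0):
    """Send one A query; a reply whose transaction ID is not ours is rejected."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("DNS transaction ID mismatch")
    return resp


def sample_response_a():
    """Constructed reply for nsxtmgr.core.hypervizor.com (not a lab capture)."""
    q = encode_name("nsxtmgr.core.hypervizor.com") + b"\x00\x01\x00\x01"
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 168, 110, 26])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + ans


def sample_response_cname():
    """Constructed reply for www.vmware.com: CNAME then A, with pointers to
    offset 0x10 ('vmware.com' in the question) and 0x2c (the CNAME target)."""
    q = encode_name("www.vmware.com") + b"\x00\x01\x00\x01"
    cname = b"\x0bwww-vip-int" + b"\xc0\x10"
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 600, len(cname)) + cname
    ans2 = b"\xc0\x2c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 113, 78, 20])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + q + ans1 + ans2


if __name__ == "__main__":
    for host in ("www.vmware.com", "nsxtmgr.core.hypervizor.com"):
        print(host, "zone:", zone_for(host, CONDITIONAL_DOMAINS), query(host)["answers"])
```

Run it from a VM on the overlay; the transaction ID check is there because a forwarder that is reachable from outside the overlay (see Step 3) can be sent spoofed replies, and a probe should not accept one.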

Verifying DNS Forwarding using the NSX-T Web UI:

A special thanks goes out to Harikrishnan T, at https://vxplanet.com/ for helping me find the following DNS Forwarding statistics in the NSX-T UI.

The DNS Forwarder statistics page gives a high-level overview of the DNS Forwarder's operation.

Verifying DNS Forwarding using the NSX-T Edge CLI:

A detailed view of the DNS Forwarder's operation is available from the NSX-T Edge CLI on the Edge node hosting the gateway's service router.

nsxtedge02> get dns-forwarder status
    ERR_MSG:
    HA_STATUS: ACTIVE
    STATUS: up
    UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38

nsxtedge02> get dns-forwarder config
    CACHE_SIZE: 1024
    CONDITIONAL_ZONE:
        DOMAIN_NAME:
            core.hypervizor.com
        SOURCE_IP:
            IPV4: 192.168.50.3
        UPSTREAM_SERVER:
            IPV4: 192.168.110.10
    DEFAULT_ZONE:
        SOURCE_IP:
            IPV4: 192.168.50.2
        UPSTREAM_SERVER:
            IPV4: 192.168.110.10
    ENABLED: True
    ID:
        4be21b95-d850-4c8d-baaa-1964dc907e38
    LISTENER_IP:
        IPV4: 192.168.50.1
    LOG_LEVEL:
        LB_LOG_LEVEL_INFO
    LOGICAL_ROUTER_ID:
        cbf4e534-3ad4-4cfb-83b2-79e03f7c80c0
    MSG_TIMESTAMP:
        2019-11-28 19:46:45.072000 (timestamp: 1574970405072)
    SR_CLUSTER_ID:
        00002000-0000-0000-0000-00000000000c

nsxtedge02> get dns-forwarder 4be21b95-d850-4c8d-baaa-1964dc907e38 stats
    STATS:
        CACHED_ENTRIES: 35
        CONDITIONAL_FORWARDER_STATISTICS:
            DOMAIN_NAMES:
                core.hypervizor.com
            UPSTREAM_STATISTICS:
                QUERIES_FAILED: 0
                QUERIES_SUCCEEDED: 4
                UPSTREAM_SERVER: 192.168.110.10
        CONFIGURED_CACHE_SIZE: 1024
        DEFAULT_FORWARDER_STATISTICS:
            DOMAIN_NAMES:
            UPSTREAM_STATISTICS:
                QUERIES_FAILED: 0
                QUERIES_SUCCEEDED: 6
                UPSTREAM_SERVER: 192.168.110.10
        QUERIES_ANSWERED_LOCALLY: 1
        QUERIES_FORWARDED: 33
        RECEIVED_QUERIES_NUMBER: 34
        TIME_STAMP: 2019-11-28 20:30:47.773000 (timestamp: 1574973047773)
        USED_CACHE_SIZE: 4
    UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38

nsxtedge02> get dns-forwarder 4be21b95-d850-4c8d-baaa-1964dc907e38 cache
    CACHE:
        CACHE_FLAGS: 4-IPv4 6-IPv6 F-Forwarded R-Reverse I-Immortal X-No-Domain H-Host E-Expired A-Active
        CACHE_FREED: 24
        CACHE_LIVE_FREED: 0
        CACHES:
            Host                           Address                                  Flags        Expires
            time4.google.com               216.239.35.12                            4AF         Thu Nov 28 20:36:07 2019
            time2.google.com               216.239.35.4                             4AF         Thu Nov 28 20:32:52 2019
            vcenter01.core.hypervizor.com                                           6AF   N     Thu Nov 28 21:02:17 2019
            www.vmware.com                 www-vip-int.vmware.com                   CAF         Thu Nov 28 20:52:33 2019
            nsxtmgr.core.hypervizor.com                                             6AF   N     Thu Nov 28 21:05:55 2019
            nsxtmgr.core.hypervizor.com    192.168.110.26                           4AF         Thu Nov 28 21:05:55 2019
        QUERIES_ANSWERED_LOCALLY: 1
        QUERIES_FORWARDED: 33
        TIMESTAMP: 2019-11-28 20:30:56.703000 (timestamp: 1574973056703)
        TOTAL_CACHE_ENTRIES: 8192
        TOTAL_QUERY_NUMBER: 34
        USED_CACHE_ENTRIES: 35
    ERR_MSG:
    UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
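The status and stats output above is also what a monitoring job would poll: a forwarder that is not up, an upstream whose failed-query count is climbing, or a cache that has filled are the conditions worth alerting on. The following check is an added example, not code from the original article or from VMware; the two sample texts are constructed from the counters shown above rather than fresh captures, and the alert threshold is an assumption. Paste or pipe the output of "get dns-forwarder status" and "get dns-forwarder <uuid> stats" into it.

```python
"""Health check over 'get dns-forwarder status' and '... stats' output.

Added example, not from the original article. SAMPLE_STATUS and SAMPLE_STATS
are constructed from the article's counters; max_fail_ratio is an assumed
threshold. Standard library only.
"""
import re

SAMPLE_STATUS = """\
ERR_MSG:
HA_STATUS: ACTIVE
STATUS: up
UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
"""

SAMPLE_STATS = """\
STATS:
    CACHED_ENTRIES: 35
    CONDITIONAL_FORWARDER_STATISTICS:
        DOMAIN_NAMES:
            core.hypervizor.com
        UPSTREAM_STATISTICS:
            QUERIES_FAILED: 0
            QUERIES_SUCCEEDED: 4
            UPSTREAM_SERVER: 192.168.110.10
    CONFIGURED_CACHE_SIZE: 1024
    DEFAULT_FORWARDER_STATISTICS:
        DOMAIN_NAMES:
        UPSTREAM_STATISTICS:
            QUERIES_FAILED: 0
            QUERIES_SUCCEEDED: 6
            UPSTREAM_SERVER: 192.168.110.10
    QUERIES_ANSWERED_LOCALLY: 1
    QUERIES_FORWARDED: 33
    RECEIVED_QUERIES_NUMBER: 34
    USED_CACHE_SIZE: 4
UUID: 4be21b95-d850-4c8d-baaa-1964dc907e38
"""

# One UPSTREAM_STATISTICS block: failed, succeeded, server, in CLI order.
UPSTREAM_RE = re.compile(
    r"QUERIES_FAILED:\s*(\d+)\s+QUERIES_SUCCEEDED:\s*(\d+)\s+UPSTREAM_SERVER:\s*(\S+)")


def scalar(text, key, cast=str):
    """Value of a single 'KEY: value' line (anchored, so HA_STATUS != STATUS)."""
    m = re.search(rf"^\s*{key}:\s*(\S+)\s*$", text, re.M)
    return cast(m.group(1)) if m else None


def parse_stats(text):
    """The counters that matter for alerting, plus per-upstream results as
    (server, succeeded, failed); the conditional zone's block comes first."""
    return {
        "received": scalar(text, "RECEIVED_QUERIES_NUMBER", int),
        "forwarded": scalar(text, "QUERIES_FORWARDED", int),
        "answered_locally": scalar(text, "QUERIES_ANSWERED_LOCALLY", int),
        "cache_used": scalar(text, "USED_CACHE_SIZE", int),
        "cache_size": scalar(text, "CONFIGURED_CACHE_SIZE", int),
        "upstreams": [(srv, int(ok), int(failed))
                      for failed, ok, srv in UPSTREAM_RE.findall(text)],
    }


def check_forwarder(status_text, stats_text, max_fail_ratio=0.05):
    """Return a list of findings; an empty list means healthy. HA_STATUS is
    not a finding: the standby Edge legitimately reports a non-active state."""
    findings = []
    if scalar(status_text, "STATUS") != "up":
        findings.append("forwarder status is not up")
    s = parse_stats(stats_text)
    unaccounted = s["received"] - s["forwarded"] - s["answered_locally"]
    if unaccounted > 0:
        findings.append(f"{unaccounted} queries neither forwarded nor answered from cache")
    for srv, ok, failed in s["upstreams"]:
        total = ok + failed
        if total and failed / total > max_fail_ratio:
            findings.append(f"upstream {srv}: {failed}/{total} queries failed")
    if s["cache_size"] and s["cache_used"] >= s["cache_size"]:
        findings.append("cache full; consider raising the DNS Service cache size")
    return findings


def cache_hit_ratio(stats_text):
    s = parse_stats(stats_text)
    return s["answered_locally"] / s["received"] if s["received"] else 0.0


if __name__ == "__main__":
    print(check_forwarder(SAMPLE_STATUS, SAMPLE_STATS) or "healthy",
          f"cache hit ratio {cache_hit_ratio(SAMPLE_STATS):.2%}")
```

The per-upstream failure ratio is the useful signal: QUERIES_FAILED rising on one upstream while another stays clean points at that server or the return path to the zone's Source IP, which is exactly what the route advertisement in Step 3 exists to provide.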

DNS Forwarding Troubleshooting:

This article covered configuring DNS forwarding in NSX-T. A follow-up article will cover DNS Forwarding troubleshooting.

3 thoughts on “Configuring DNS Forwarding in NSX-T”

  1. Thanks for the mention and for this useful blog Gary. One thing I couldn’t figure out during my exploration was on how to clear the cached DNS entries. I believe the TTL for cached records is 300s, but in between a DNS record was modified on the upstream DNS server, I believe we need to clear the forwarder cache or at least the specific entry to retry a lookup and cache again.

    Cheers
    Hari

    1. Hari,

      Thank you, the related NSX-T Edge commands would be:
      get dns-forwarder cache
      reset dns-forwarder cache

      From my lab, this clears the entire cache.

      Keep up the great work on vxplanet.com!

      Best Regards,
      Gary
