Creating discovered namespaces - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

Create a discovered namespace to define how to resolve DNS queries from the domains that were discovered by the discovery instance and populated into the discovery domain list.

  1. In the top navigation bar, click and select Namespaces.
  2. Click New > Discovered.
  3. Enter the name and description.
  4. Select Set TTL for DNS records to cap the TTL of DNS responses served by this namespace. In the Maximum TTL field, enter the maximum TTL of a response in seconds. The value must be between 0 and 2147483647 inclusive.
  5. Select Set TTL for negative responses to override the TTL that is applied to cached negative responses, such as NXDOMAIN. In the Negative Cache TTL field, enter that TTL in seconds. The value must be between 0 and 2147483647 inclusive.
  6. Select EDNS Client Subnet to configure the EDNS Client Subnet (ECS) option. ECS lets the discovered namespace pass client subnet information in the DNS queries it forwards, so that the servers it forwards to can return a geographically appropriate answer. In the IPv4 Source Prefix field, enter the IPv4 prefix length of the subnet (0 to 32). In the IPv6 Source Prefix field, enter the IPv6 prefix length of the subnet (0 to 128). The prefix length determines how many bits of the client address leave the service point; a shorter prefix discloses less about the client.

    If you select Override, the discovered namespace applies the specified IPv4 or IPv6 prefix as the ECS value, overriding any ECS value already present on incoming DNS queries. On the response, the inbound ECS value is restored.

    If Override is not selected, an ECS value that is present on the incoming query is forwarded unchanged in queries and responses. For queries that do not contain an ECS value, one is added using the specified IPv4 Source Prefix or IPv6 Source Prefix. On the response, the inbound ECS value is restored.

    If you do not configure the EDNS Client Subnet fields, the ECS value is removed from incoming DNS queries before they are forwarded, but is restored on the response.

  7. The Serve Expired Queries from cache option lets the namespace answer from expired cache entries when a fresh answer cannot be obtained and the response would otherwise be SERVFAIL (for example, because the forwarder timed out). Select one of the following options:
    • Do not serve expired queries from cache
    • Serve expired queries from cache for a period of 1 hour from time of expiry (Default)
    • Serve expired queries from cache for a period of 24 hours from time of expiry
  8. Under Discovery configurations, select one or more discovery configurations whose discovered domains this namespace resolves.
    Note: Selecting one or more discovery configurations automatically populates the Domain lists with the associated discovery domains.
  9. For Response Codes, select one or more DNS response codes. The response code can be one of the following:
    • NOERROR
    • FORMERR
    • SERVFAIL
    • NXDOMAIN
    • NOTIMP
    • REFUSED
    • YXDOMAIN
    • YXRRSET
    • NXRRSET
    • NOTAUTH
    • NOTZONE
    • DSOTYPENI
    • BADVERS
    • BADSIG
    • BADKEY
    • BADTIME
    • BADMODE
    • BADNAME
    • BADALG
    • BADTRUNC
    • BADCOOKIE

    If a forwarder returns any of the configured response codes to this discovered namespace, the next discovered namespace within the site attempts to resolve the query. By default, NXDOMAIN is configured.

    Note: This only applies to sites configured with more than one discovered namespace.
  10. Add domain lists (optional):
    • Under Match List, enter the domain list(s) that this discovered namespace is to be used for. If there is no match list, only the discovered domain lists apply.
    • Under Exception List, add any domain list(s) that contain exceptions, if applicable.
    • If match lists are added, the discovered namespace applies to queries matching the domains in those lists.
    • If a query is in both the match list and the exception list, the exception applies.
    • If no match lists are added, the discovered namespace applies to queries for the discovered domains, other than those in exception lists.
    In total, you can add up to 20 domain lists, each with a maximum of 100,000 domains. There is also a 100 MB limit on the combined size of all domain lists associated with all discovered namespaces.
  11. Add IP lists (optional):
    • Under Additional match List, enter the additional IP list(s) that this discovered namespace is to be used for. If there is no IP match list, the discovered namespace is used for queries from any client address that match its domain lists.
    • Under Exception List, add any IP list(s) that contain exceptions, if applicable.
  12. Add search domains (optional):
    • Add a Network and a DNS suffix. When a client query arrives from the defined network, the defined DNS suffix is appended to the query name.
  13. Add fallback forwarders (optional):

    Under Fallback forwarders, type one or more fallback remote DNS server IPv4 or IPv6 addresses. For forwarders that listen on a port other than the standard DNS port, append the port number: for example, 1.2.3.4:123 for an IPv4 address or [2001:db8:1111:2222:3333:4444:5555:6666]:123 for an IPv6 address (the IPv6 address is written in square brackets so that the port can be told apart from the address).

    Attention:
    • If you do not define a port, the BlueCat Edge Service Point forwards all queries on destination port 53.
    • If you modify the forwarders of an existing discovered namespace, the cached answer to a query might differ from what the newly configured forwarder would return. BlueCat recommends clearing the cache of the site once a forwarder has been modified to ensure that the DNS resolver service uses the answer from the updated forwarder. For more information on clearing the cache of a site, refer to Clearing the cache of DNS resolver service.
    As you enter addresses, they appear below the Fallback forwarders field. You can enter multiple addresses separated by commas. To remove an address, click the blue X beside it.
    Note:
    • Fallback forwarders are used to recursively resolve any DNS records that link to non-discovered zones such as CNAME chains or MX records.
    • You must only use IPv4 or IPv6 destinations supported by the service point network connection. For example, if you configure the service point using only an IPv4 address, the forwarders must only be IPv4 addresses.
    • If you configure multiple forwarders within a discovered namespace, queries are load balanced based on the following criteria:
      • The server with the fewest queries in flight (sent but not yet answered) is selected.
      • In the event of a tie, the server with the lowest measured latency is selected. Measured latency is the average over the last 128 queries answered by that server.
  14. Click Save.
  15. To delete a discovered namespace, select it and click Delete. If the discovered namespace is active and associated with one or more sites, you cannot delete it until you deactivate it.
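The three ECS cases in step 6 (Override, forward-or-add, and fields not configured) can be checked against a small model. The Python below is an added example written for this guide, not BlueCat's own code: the EcsConfig class, its field names and the policy functions are assumptions that mirror the UI fields, and it assumes that when the namespace adds or overrides an ECS value it uses the querying client's source address truncated to the configured prefix. The option encoding follows RFC 7871, so the privacy effect of the prefix (only the first N bits of the client address leave the service point) is visible in the bytes.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ECS_OPTION_CODE = 8          # EDNS option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


@dataclass(frozen=True)
class EcsConfig:
    """Hypothetical model of the namespace's EDNS Client Subnet settings (assumption)."""
    enabled: bool             # "EDNS Client Subnet" selected
    override: bool = False    # "Override" selected
    v4_prefix: int = 24       # IPv4 Source Prefix, 0-32
    v6_prefix: int = 56       # IPv6 Source Prefix, 0-128


def encode_ecs(client_ip: str, source_prefix: int) -> bytes:
    """ECS option data (RFC 7871 section 6): FAMILY, SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH (0 on queries) and the client address truncated to
    source_prefix bits. Bits beyond the prefix are zeroed and not sent, so only
    the first source_prefix bits of the client address leave the resolver."""
    ip = ipaddress.ip_address(client_ip)
    width = 32 if ip.version == 4 else 128
    if not 0 <= source_prefix <= width:
        raise ValueError(f"prefix {source_prefix} out of range for IPv{ip.version}")
    mask = ((1 << source_prefix) - 1) << (width - source_prefix)
    masked = (int(ip) & mask).to_bytes(width // 8, "big")
    nbytes = (source_prefix + 7) // 8            # minimal octets that hold the prefix
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    return struct.pack("!HBB", family, source_prefix, 0) + masked[:nbytes]


def decode_ecs(data: bytes) -> Tuple[str, int]:
    """Inverse of encode_ecs: (address with host bits zeroed, source prefix)."""
    family, source_prefix, _scope = struct.unpack("!HBB", data[:4])
    width = 4 if family == FAMILY_IPV4 else 16
    padded = data[4:] + b"\x00" * (width - len(data[4:]))
    return str(ipaddress.ip_address(padded)), source_prefix


def edns_option(data: bytes) -> bytes:
    """Wrap option data as a full EDNS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def outbound_ecs(cfg: EcsConfig, client_ip: str, inbound: Optional[bytes]) -> Optional[bytes]:
    """ECS option data the namespace sends to its forwarders, following step 6.
    inbound is the ECS option data on the client's query, or None if absent."""
    if not cfg.enabled:
        return None                           # fields not configured: ECS stripped
    prefix = cfg.v4_prefix if ipaddress.ip_address(client_ip).version == 4 else cfg.v6_prefix
    if cfg.override or inbound is None:
        # Override, or no ECS on the query: build one from the client's source
        # address and the configured prefix (assumption about which address is used).
        return encode_ecs(client_ip, prefix)
    return inbound                            # forward the client's ECS unchanged


def response_ecs(inbound: Optional[bytes]) -> Optional[bytes]:
    """In every case the client gets its own inbound ECS value back (or none)."""
    return inbound


if __name__ == "__main__":
    # Constructed sample: a client with an ECS /32 on its query, namespace set to /24.
    inbound = encode_ecs("198.51.100.9", 32)
    for cfg in (EcsConfig(enabled=False), EcsConfig(enabled=True), EcsConfig(enabled=True, override=True)):
        out = outbound_ecs(cfg, "192.0.2.77", inbound)
        print(cfg, "->", None if out is None else decode_ecs(out))
```

Decoding the forwarded option shows the practical difference between the modes: with Override the forwarder only ever sees 192.0.2.0/24, while without it a client that supplied its own /32 has that full address forwarded.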

Once you have created the discovered namespace, attach the discovered namespace to a site. You can then deploy DNS resolver service from the selected site to apply the configurations and forward DNS queries from the discovered domains to the required DNS servers.
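The way a site picks among several discovered namespaces (steps 9 to 11: domain match and exception lists, IP match and exception lists, and response-code fall-through) is easier to reason about in code. The Python below is an added example for this guide, not BlueCat's implementation. Its DiscoveredNamespace class, the list representation (domains as suffixes, IP lists as CIDRs), the label-boundary domain matching and the behaviour when every applicable namespace falls through are assumptions; the sample site and forwarder answers are constructed data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence, Set, Tuple


def domain_in_list(qname: str, domains: Sequence[str]) -> bool:
    """True if qname equals a list entry or is a subdomain of it.
    Assumption: matching is on label boundaries, so 'corp.example'
    matches 'www.corp.example' but not 'notcorp.example'."""
    q = qname.rstrip(".").lower()
    for entry in domains:
        d = entry.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def ip_in_list(client_ip: str, cidrs: Sequence[str]) -> bool:
    """True if the client address falls inside any CIDR of an IP list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class DiscoveredNamespace:
    """Hypothetical model of one discovered namespace (field names are assumptions)."""
    name: str
    discovered_domains: List[str]                                # from the discovery configurations (step 8)
    match_lists: List[str] = field(default_factory=list)         # step 10, Match List
    exception_lists: List[str] = field(default_factory=list)     # step 10, Exception List
    ip_match_lists: List[str] = field(default_factory=list)      # step 11, Additional match List
    ip_exception_lists: List[str] = field(default_factory=list)  # step 11, Exception List
    fallthrough_rcodes: Set[str] = field(default_factory=lambda: {"NXDOMAIN"})  # step 9 default

    def applies_to(self, qname: str, client_ip: str) -> bool:
        # Exceptions win: a name or client in an exception list is never handled here.
        if domain_in_list(qname, self.exception_lists) or ip_in_list(client_ip, self.ip_exception_lists):
            return False
        # The discovered domains are always part of the match set; extra match lists widen it.
        if not domain_in_list(qname, self.discovered_domains + self.match_lists):
            return False
        # With no IP match list, every client whose query matches the domain lists is served.
        return not self.ip_match_lists or ip_in_list(client_ip, self.ip_match_lists)


Upstream = Callable[[str, str], str]   # (namespace name, qname) -> RCODE text such as "NXDOMAIN"


def resolve_in_site(namespaces: List[DiscoveredNamespace], qname: str, client_ip: str,
                    upstream: Upstream) -> Optional[Tuple[str, str]]:
    """Walk the site's discovered namespaces in order. The first namespace that
    applies answers; if its RCODE is in that namespace's fall-through set, the next
    applicable namespace tries. Returns (namespace, RCODE) of the final answer, or
    None if no namespace applied. If every applicable namespace falls through, the
    last answer is returned (assumption; the guide does not state this case)."""
    result = None
    for ns in namespaces:
        if not ns.applies_to(qname, client_ip):
            continue
        rcode = upstream(ns.name, qname)
        result = (ns.name, rcode)
        if rcode not in ns.fallthrough_rcodes:
            break
    return result


# Constructed sample site: a legacy namespace first, a cloud namespace restricted to 10/8.
SAMPLE_SITE = [
    DiscoveredNamespace("ns-legacy", ["corp.example"],
                        exception_lists=["cloud.corp.example"],
                        fallthrough_rcodes={"NXDOMAIN", "SERVFAIL"}),
    DiscoveredNamespace("ns-cloud", ["corp.example"],
                        ip_match_lists=["10.0.0.0/8"]),
]
SAMPLE_ANSWERS = {   # constructed forwarder behaviour per (namespace, name); anything else is SERVFAIL
    ("ns-legacy", "www.corp.example"): "NOERROR",
    ("ns-legacy", "new.corp.example"): "NXDOMAIN",
    ("ns-cloud", "new.corp.example"): "NOERROR",
    ("ns-cloud", "app.cloud.corp.example"): "NOERROR",
}


def sample_upstream(ns_name: str, qname: str) -> str:
    return SAMPLE_ANSWERS.get((ns_name, qname), "SERVFAIL")


if __name__ == "__main__":
    for q, ip in [("www.corp.example", "10.1.2.3"), ("new.corp.example", "10.1.2.3"),
                  ("new.corp.example", "192.0.2.9"), ("app.cloud.corp.example", "10.1.2.3")]:
        print(q, ip, "->", resolve_in_site(SAMPLE_SITE, q, ip, sample_upstream))
```

The third sample query is the case to watch when you tune Response Codes: a client outside 10/8 asking for new.corp.example gets ns-legacy's NXDOMAIN because the only namespace that could answer does not apply to that client, so fall-through alone does not guarantee a second attempt.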

For more information on creating a site and attaching a discovered namespace to a site, refer to Creating a site.

For more information on deploying DNS resolver service, refer to DNS resolver services.
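Step 13 gives two rules that are easy to get wrong: the address-and-port syntax for fallback forwarders (with the address family restricted to what the service point can reach) and the load-balancing order (fewest queries in flight, then lowest average latency over the last 128 answers). The Python below is an added example for this guide, not BlueCat's code. The parser accepts only the forms the guide shows plus a bare IPv6 address; the ForwarderState class, its counters and the decision to treat a forwarder with no latency history as 0 ms are assumptions, and the sample entries are constructed.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Set, Tuple

DEFAULT_DNS_PORT = 53


def parse_forwarder(spec: str) -> Tuple[str, int]:
    """Parse one fallback forwarder entry: '1.2.3.4', '1.2.3.4:123',
    '2001:db8::1' or '[2001:db8::1]:123'. Raises ValueError when the address
    or port is malformed."""
    spec = spec.strip()
    if spec.startswith("["):                       # bracketed IPv6, optional :port
        host, closed, rest = spec[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {spec!r}")
        port = int(rest[1:]) if rest else DEFAULT_DNS_PORT
    elif spec.count(":") == 1:                      # IPv4 with port
        host, _, port_text = spec.partition(":")
        port = int(port_text)
    else:                                          # bare IPv4 or bare IPv6
        host, port = spec, DEFAULT_DNS_PORT
    ip = ipaddress.ip_address(host)                # rejects e.g. a nine-group IPv6 string
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def parse_forwarders(entry: str, reachable_families: Set[int]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Split a comma-separated Fallback forwarders entry. Addresses of a family
    the service point cannot reach (the guide's note: an IPv4-only service point
    must use only IPv4 forwarders) are reported rather than accepted.
    Returns (accepted (host, port) pairs, human-readable rejections)."""
    accepted, rejected = [], []
    for raw in entry.split(","):
        if not raw.strip():
            continue
        try:
            host, port = parse_forwarder(raw)
        except ValueError as exc:
            rejected.append(f"{raw.strip()}: {exc}")
            continue
        family = ipaddress.ip_address(host).version
        if family not in reachable_families:
            rejected.append(f"{host}: IPv{family} forwarder but the service point has no IPv{family} connectivity")
            continue
        accepted.append((host, port))
    return accepted, rejected


@dataclass
class ForwarderState:
    """Per-forwarder counters that the selection rule depends on (assumed shape)."""
    addr: Tuple[str, int]
    in_flight: int = 0                                                              # sent, not yet answered
    latencies_ms: Deque[float] = field(default_factory=lambda: deque(maxlen=128))  # only the last 128 answers

    def avg_latency(self) -> float:
        return sum(self.latencies_ms) / len(self.latencies_ms) if self.latencies_ms else 0.0


def pick_forwarder(servers: List[ForwarderState]) -> ForwarderState:
    """Fewest queries in flight wins; ties go to the lowest average latency over
    the last 128 answers. A server with no history averages 0 ms and so is tried
    first on a tie (a choice made here, not stated by the guide)."""
    return min(servers, key=lambda s: (s.in_flight, s.avg_latency()))


def record_answer(server: ForwarderState, latency_ms: float) -> None:
    """Bookkeeping when a response arrives; the deque drops the 129th-oldest sample."""
    server.in_flight -= 1
    server.latencies_ms.append(latency_ms)


if __name__ == "__main__":
    # Constructed entry: one valid IPv4, one IPv6 on an IPv4-only service point, one nine-group typo.
    ok, bad = parse_forwarders("1.2.3.4:123, [2001:db8::1]:53, 2001:db8:1111:2222:3333:4444:5555:6666:7777", {4})
    print("accepted:", ok)
    print("rejected:", *bad, sep="\n  ")
```

Feeding the nine-group address from the earlier, uncorrected version of the example into parse_forwarder is a quick way to see why that form cannot be a valid forwarder: ipaddress rejects it before any port handling happens.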