A namespace is a group of one or more DNS forwarders, and can optionally include match and exception domain lists. Each site in BlueCat Edge will have at least one and up to three associated namespaces.
When BlueCat Edge is initially set up, there is one default namespace with 8.8.8.8 set as the forwarder and no domain lists added. You can create as many namespaces as you like, with a default maximum of three namespaces that can be set. If you require more than three namespaces to be set in your environment, contact BlueCat Customer Care for assistance.
Each namespace is configured with forwarder DNS addresses, and optionally, match list(s) and exception list(s). When you change the DNS forwarders for a namespace, all of the sites that are currently set to use that namespace (without overrides) are updated.
Note: By default, Service Points load balance queries to the forwarders defined within a namespace based on a health check status and load.
BlueCat Edge enables you to create three different types of namespaces:
- User defined—a user defined namespace where you can define how to resolve DNS queries from specified domains. For more information, refer to Creating user defined namespaces.
- Discovered—a namespace to be populated by a discovery instance when the Edge Resolver feature is enabled. For more information, refer to Creating discovered namespaces.
- Recursive—a namespace that can be used to perform external recursive functions. For more information, refer to Creating recursive namespaces.
Namespaces and sites
When you create a new site, it inherits the namespaces currently set as defaults. You can further customize a site’s namespace configuration and select existing namespaces (default or non-default namespaces).
Note:
- The order in which you add a namespace to a site determines its relative order to the other namespaces attached to the site. Every new namespace attached to a site is added last in the site's namespace configuration.
- You can attach up to three namespaces onto a site and each site must have at least one namespace.
- You can enter overrides that replace the forwarders of any namespace.
- To ensure optimal latency in sites using more than three namespaces, BlueCat recommends using Domain Lists to configure appropriate routing criteria.
All of the service points associated with a site receive the namespace configuration as part of a scheduled cycle, and use the namespaces in the order that they are attached to that site. Resolution follows these rules:
- When more than one namespace is configured for a site, BlueCat Edge attempts resolution against all matching namespaces in the order they're defined, until a response other than NXDOMAIN is returned.
- When any response other than NXDOMAIN, including SERVFAIL, is returned, no further namespaces are evaluated.
- If the resolution returns NXDOMAIN, resolution continues with the next namespace.
- If all of the namespaces are evaluated and none return a non-NXDOMAIN response, the last namespace's NXDOMAIN is returned.
- If the query cycles through all of the selected Namespaces and no match is found because the query doesn't match the domain list on any namespace, or is included in an exception list, then a synthetic NXDOMAIN response is returned.
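The resolution rules above, modelled as an added example (this is not BlueCat code). The suffix matching of domain lists, the treatment of a namespace without a match list as matching every query, and all namespace names, domains and responses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Namespace:
    name: str
    answers: dict  # constructed: qname -> rcode its forwarders would return
    match: list = field(default_factory=list)       # assumption: empty = matches all
    exceptions: list = field(default_factory=list)

def in_list(qname, domains):
    # Assumption: a list entry covers the domain itself and its subdomains.
    return any(qname == d or qname.endswith("." + d) for d in domains)

def applies(ns, qname):
    if in_list(qname, ns.exceptions):
        return False
    return not ns.match or in_list(qname, ns.match)

def resolve(site_namespaces, qname):
    """Return (rcode, source) for a query against a site's ordered namespaces."""
    qname = qname.rstrip(".").lower()
    last_nxdomain = None
    for ns in site_namespaces:            # order of attachment to the site
        if not applies(ns, qname):
            continue                      # not on match list, or on exception list
        rcode = ns.answers.get(qname, "NXDOMAIN")
        if rcode != "NXDOMAIN":
            return rcode, ns.name         # SERVFAIL also ends evaluation here
        last_nxdomain = ns.name           # NXDOMAIN: try the next namespace
    if last_nxdomain is None:
        return "NXDOMAIN", "synthetic"    # no namespace was eligible
    return "NXDOMAIN", last_nxdomain

# Constructed site with three namespaces, in attachment order.
SITE = [
    Namespace("internal", {"app.corp.example": "NOERROR", "db.corp.example": "SERVFAIL"},
              match=["corp.example"]),
    Namespace("partner", {"db.corp.example": "NOERROR", "api.partner.example": "NOERROR"},
              match=["corp.example", "partner.example"],
              exceptions=["secret.partner.example"]),
    Namespace("lab", {}, match=["lab.example"]),
]

if __name__ == "__main__":
    for q in ("app.corp.example", "db.corp.example", "gone.corp.example",
              "secret.partner.example", "www.example.org"):
        print(q, resolve(SITE, q))
```

The `db.corp.example` case shows the operational consequence of the second rule: a failing forwarder in an earlier namespace hands SERVFAIL to the client even though a later namespace could have answered.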
Attention: Some Namespace features might not be applied as expected on service points within Sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Namespace features function as expected.
Namespaces and policies
BlueCat Edge evaluates policies first, then namespaces. Consider the following example:
- A policy is set up to redirect all queries from a range of source IPs to a redirect target of google.com.
- None of the configured namespaces include google.com on any match list, or all of the namespaces DO include google.com on an exception list.
- One of the clients in the IP range affected by the redirect policy makes a query, which is redirected to google.com.
- Namespaces are evaluated, checking whether google.com can be resolved, but it's not on any match list, or it's on an exception list.
- An NXDOMAIN response is returned to the client, with a policy action of Block.