A namespace is a group of one or more DNS forwarders, and can optionally include match and exception domain lists. Each site in DNS Edge will have at least one and up to three associated namespaces.
When DNS Edge is initially set up, there is one default namespace with 18.104.22.168 set as the forwarder and no domain lists added. You can create as many namespaces as you like, but by default a maximum of three can be set as default namespaces. If you require more than three default namespaces in your environment, contact BlueCat Customer Care for assistance.
Creating a namespace and changing the DNS forwarders
- In the top navigation bar, click and select Namespaces.
- To add a new namespace, click or select an existing namespace and click Edit.
- Add or edit the name and description.
- Select Cisco Umbrella integration to configure the namespace to use the Cisco Umbrella integration. If you select this option, you can also select Encrypt queries using DNS over HTTPS, which ensures that queries routed to Cisco Umbrella are encrypted.
Attention:
- Selecting Cisco Umbrella integration displays a message indicating that the two applicable Cisco Umbrella IP addresses have been added to the Forwarders field.
- Selecting Encrypt queries using DNS over HTTPS disables the Forwarder field and adds the URL that is used for encrypting the queries that are routed to Cisco Umbrella.
- Select Set maximum TTL to override the TTL of the response. In the Maximum TTL field, enter the TTL of the response in seconds. The value must be between 0 and 2147483647 inclusively.
- Select EDNS Client Subnet to configure the EDNS Client Subnet option. The EDNS Client Subnet option allows the namespace to forward the subnet information in DNS queries to downstream servers for geographical evaluation. In the IPv4 Source Prefix field, enter a number between 0 and 24 for the IPv4 prefix length of the subnet. In the IPv6 Source Prefix field, enter a number between 0 and 56 for the IPv6 prefix length of the subnet.
If you select Override, the namespace applies the specified IPv4 or IPv6 prefix as the ECS value, overriding any existing ECS value of incoming DNS queries. On the response, the inbound ECS value will be restored.
If Override is not selected, the existing ECS value is forwarded in queries and responses if the value is present on the incoming query. For queries that do not contain an ECS value, one will be added using the specified IPv4 Source Prefix or IPv6 Source Prefix. On the response, the inbound ECS value will be restored.
If you do not configure the EDNS Client Subnet fields, the ECS value is removed from incoming DNS queries before they are forwarded, but is restored on the response.
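The three ECS behaviours just described (not configured, configured without Override, configured with Override) are easy to get wrong when reasoning about what a forwarder actually sees. The following Python model is an added example, not BlueCat's code; the class names NamespaceEcs and EcsOption, the field names, and the sample addresses (RFC 5737/3849 documentation ranges) are assumptions. It truncates the client address to the configured prefix length so only the subnet leaves the resolver, and it restores the inbound value on the response in every mode, as the documentation states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class EcsOption:
    """An EDNS Client Subnet option: network address plus source prefix length."""
    address: str
    source_prefix: int


@dataclass
class NamespaceEcs:
    """The namespace's EDNS Client Subnet settings (assumed field names)."""
    enabled: bool = False          # EDNS Client Subnet checkbox
    ipv4_source_prefix: int = 24   # documented range 0-24
    ipv6_source_prefix: int = 56   # documented range 0-56
    override: bool = False         # Override checkbox

    def __post_init__(self) -> None:
        # Enforce the documented field ranges at configuration time.
        if not 0 <= self.ipv4_source_prefix <= 24:
            raise ValueError("IPv4 Source Prefix must be between 0 and 24")
        if not 0 <= self.ipv6_source_prefix <= 56:
            raise ValueError("IPv6 Source Prefix must be between 0 and 56")

    def option_for(self, client_ip: str) -> EcsOption:
        """Truncate the client address to the configured prefix length,
        zeroing the host bits so only the subnet is forwarded."""
        ip = ipaddress.ip_address(client_ip)
        prefix = self.ipv4_source_prefix if ip.version == 4 else self.ipv6_source_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return EcsOption(str(net.network_address), prefix)


def ecs_exchange(cfg: NamespaceEcs, client_ip: str,
                 inbound: Optional[EcsOption]
                 ) -> Tuple[Optional[EcsOption], Optional[EcsOption]]:
    """Return (ECS sent to the forwarder, ECS placed on the client's response).

    The response side is always the inbound value: the documentation says
    the inbound ECS value is restored on the response in every mode.
    """
    if not cfg.enabled:
        outbound = None                        # removed before forwarding
    elif cfg.override or inbound is None:
        outbound = cfg.option_for(client_ip)   # overriding, or adding when absent
    else:
        outbound = inbound                     # forwarded unchanged
    return outbound, inbound


if __name__ == "__main__":
    # Constructed walk-through: a client at 192.0.2.77 behind a namespace with
    # Override and a 16-bit IPv4 prefix; the query arrived carrying 198.51.100.0/24.
    cfg = NamespaceEcs(enabled=True, ipv4_source_prefix=16, override=True)
    sent, restored = ecs_exchange(cfg, "192.0.2.77", EcsOption("198.51.100.0", 24))
    print("forwarded with", sent, "| response carries", restored)
```

Note that the Override case leaks only the configured prefix of the real client address upstream, while the non-Override case forwards whatever ECS the client supplied; if clients are untrusted, the first is the safer choice.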
- The Serve Expired Queries from cache option allows you to resolve expired DNS queries from cache when the DNS server is unavailable. Select one of the following options:
- Do not serve expired queries from cache
- Serve expired queries from cache for a period of 1 hour from time of expiry (Default)
- Serve expired queries from cache for a period of 24 hours from time of expiry
- For Response Codes, enter one or more DNS query response codes. The DNS query response code can be one of the following: FORMERR, NOERROR, NOTAUTH, NOTIMP, NOTZONE, NXDOMAIN, NXRRSET, REFUSED, RESERVED11, RESERVED12, RESERVED13, RESERVED14, RESERVED15, SERVFAIL, YXDOMAIN, or YXRRSET.
If any of the configured DNS query response codes is returned to this namespace, the next namespace within the site will attempt to resolve the DNS query. By default, NXDOMAIN is configured.
Note: This only applies to sites configured with more than one namespace.
- For Forwarders, type one or more remote DNS server IP addresses. As you enter addresses, they appear below the Forwarders field. You can enter multiple addresses separated by commas. To remove an address, click the blue X beside it.
Note:
- If you configure multiple forwarders within a namespace, queries are
load balanced based on the following criteria:
- The server with the least number of queries 'in the air' is selected.
- In the event of a tie, the server with the lowest configured 'order' is selected.
- In the event of an additional tie, the server with the lowest measured latency is selected. The lowest measured latency is calculated over an average on the last 128 queries answered by that server.
- DNS Edge performs a health check on all configured forwarders in a namespace. If a server is unreachable, it is skipped and the next forwarder is used.
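The load-balancing rules above form a strict tie-break chain, and the health check removes a server before the chain is applied. The following Python model is an added example, not BlueCat's code, written to make that chain explicit; the Forwarder class, select_forwarder and dispatch helpers, the health flag and the sample RFC 5737 addresses are assumptions. The model lets two forwarders share a configured order so that the third rule (lowest average latency over the last 128 answered queries) can be exercised.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, List, Optional

LATENCY_WINDOW = 128  # latency is averaged over the last 128 answered queries


@dataclass
class Forwarder:
    """One remote DNS server in a namespace's Forwarders field (assumed model)."""
    address: str
    order: int                 # position in the configured list, lowest first
    healthy: bool = True       # outcome of the last health check
    in_flight: int = 0         # queries sent to this server but not yet answered
    latencies: Deque[float] = field(
        default_factory=lambda: deque(maxlen=LATENCY_WINDOW))

    def avg_latency(self) -> float:
        """Average over the retained window; 0.0 if the server has never answered."""
        if not self.latencies:
            return 0.0
        return sum(self.latencies) / len(self.latencies)

    def record_answer(self, latency_ms: float) -> None:
        """Called when this server answers: one fewer query 'in the air'."""
        self.latencies.append(latency_ms)       # deque drops the oldest beyond 128
        self.in_flight = max(0, self.in_flight - 1)


def select_forwarder(forwarders: Iterable[Forwarder]) -> Optional[Forwarder]:
    """Apply the documented chain: fewest in-flight queries, then lowest
    configured order, then lowest average latency. Servers that failed
    the health check are skipped entirely."""
    candidates = [f for f in forwarders if f.healthy]
    if not candidates:
        return None  # nothing reachable in this namespace
    return min(candidates, key=lambda f: (f.in_flight, f.order, f.avg_latency()))


def dispatch(forwarders: List[Forwarder]) -> Optional[str]:
    """Pick a forwarder for a new query and count that query as in the air."""
    chosen = select_forwarder(forwarders)
    if chosen is None:
        return None
    chosen.in_flight += 1
    return chosen.address


def sample_namespace() -> List[Forwarder]:
    """Constructed sample: two reachable forwarders and one that failed its check."""
    return [
        Forwarder("192.0.2.10", order=1),
        Forwarder("192.0.2.11", order=2),
        Forwarder("192.0.2.12", order=3, healthy=False),
    ]


if __name__ == "__main__":
    ns = sample_namespace()
    for _ in range(4):
        print("query sent to", dispatch(ns))   # alternates .10 / .11; .12 is skipped
```

When troubleshooting uneven forwarder usage, the in-flight count dominates: a slow forwarder accumulates unanswered queries and is naturally avoided, so latency only decides between servers that are equally loaded and equally ordered.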
- Add domain lists (optional):
In total, you can add up to 20 domain lists, each with a maximum of 100,000 domains. Also, there is a 100 MB limit to the combined size of all domain lists associated with all of the namespaces.
- Under Match List, enter the domain list(s) you want this forwarder to be used for. If there is no match list, then this namespace will be used for all queries, except any exceptions.
- Under Exception List, add any domain list(s) that contain exceptions, if applicable.
- If match lists are added, the namespace applies to queries matching the domains in the list.
- If a query is in both the match list and the exception list, the exception applies.
- If no match lists are added, the namespace applies to all queries other than those in exception lists.
- Add IP lists (optional):
- Under Match List, enter the IP list(s) you want this forwarder to be used for. If there is no match list, then this namespace will be used for all queries, except any exceptions.
- Under Exception List, add any IP list(s) that contain exceptions, if applicable.
- Click Save.
- To set namespaces as active default forwarders, click . You can have up to three active default namespaces.
- To delete a namespace, select it and click Delete. If the namespace is active and associated with one or more sites, you can't delete the namespace unless you deactivate it.
Setting and ordering the default namespaces
- At least one default namespace must be assigned to a site.
- You can have a maximum of three default namespaces.
- The order of default namespaces set in the Namespaces page is the order inherited by a newly created site.
- Changes to default namespaces will only affect newly created sites.
- In the top navigation bar, click and select Namespaces.
- Click .
- Type the name of the namespace to be added as a default.
- Once you have all desired namespaces added, you can reorder the namespaces using drag and drop.
- Click SET DEFAULTS.
Namespaces and sites
- The order in which you add a namespace to a site determines its relative order to the other namespaces attached to the site. Every new namespace attached to a site is added last in the site's namespace configuration.
- You can attach up to three namespaces onto a site and each site must have at least one namespace.
- You can enter overrides that replace the forwarders of any namespace.
- To ensure optimal latency in sites using more than three namespaces, BlueCat recommends using Domain Lists to configure appropriate routing criteria.
- When more than one namespace is configured for a site, DNS Edge attempts resolution against all matching namespaces in the order they're defined, until a response other than NXDOMAIN is
- When any response other than NXDOMAIN, including SERVFAIL, is returned, no further namespaces are evaluated.
- If the resolution returns NXDOMAIN, continue with the next namespace.
- If all of the namespaces are evaluated and none return a non-NXDOMAIN response, the last namespace's NXDOMAIN is returned.
- If the query cycles through all of the selected Namespaces and no match is found because the query doesn't match the domain list on any namespace, or is included in an exception list, then a synthetic NXDOMAIN response is returned.
Namespaces and policies
- A policy is set up to redirect all queries from a range of source IPs to a redirect target of google.com.
- None of the configured namespaces include google.com on any match list, or all of the namespaces DO include google.com on an exception list.
- One of the clients in the IP range affected by the redirect policy makes a query, which is redirected to google.com.
- Namespaces are evaluated, checking whether google.com can be resolved, but it's not on any match list, or it's on an exception list.
- An NXDOMAIN response is returned to the client, with a policy action of Block.
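The match-list and exception-list rules, the ordered evaluation of a site's namespaces with configured Response Codes, and the policy scenario just described all come down to one evaluation loop. The following Python model is an added example, not BlueCat's code; the Namespace class, resolve_in_site, the table-driven stand-in resolvers and the sample site are assumptions, as is the rule that a domain-list entry covers the name itself and its subdomains. The synthetic NXDOMAIN returned when no namespace applies is exactly what the redirect-to-google.com scenario above produces (the policy action itself is not modelled). One generalisation beyond the text: when every applicable namespace answered with one of its configured response codes, the model returns the last such answer, which reduces to "the last namespace's NXDOMAIN" for the default configuration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# A resolver stands in for a namespace's forwarders: query name -> rcode name.
Resolver = Callable[[str], str]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def table_resolver(answers: Dict[str, str], default: str) -> Resolver:
    """Constructed stand-in for real forwarders, answering from a fixed table."""
    return lambda qname: answers.get(_norm(qname), default)


def _in_lists(qname: str, lists: Iterable[Set[str]]) -> bool:
    """A list entry covers the name itself and its subdomains (assumption)."""
    q = _norm(qname)
    return any(q == _norm(d) or q.endswith("." + _norm(d))
               for domains in lists for d in domains)


@dataclass
class Namespace:
    name: str
    resolver: Resolver
    match_lists: List[Set[str]] = field(default_factory=list)
    exception_lists: List[Set[str]] = field(default_factory=list)
    # Response Codes: an answer with one of these passes the query to the next namespace
    response_codes: FrozenSet[str] = frozenset({"NXDOMAIN"})

    def applies_to(self, qname: str) -> bool:
        if _in_lists(qname, self.exception_lists):
            return False                       # exception wins over match
        if not self.match_lists:
            return True                        # no match list: all queries
        return _in_lists(qname, self.match_lists)


def resolve_in_site(site: List[Namespace], qname: str
                    ) -> Tuple[str, Optional[str], List[Tuple[str, str]]]:
    """Evaluate the site's namespaces in their configured order.

    Returns (rcode, answering namespace or None for a synthetic answer,
    trail of (namespace, outcome) pairs for troubleshooting).
    """
    trail: List[Tuple[str, str]] = []
    last: Optional[Tuple[str, str]] = None
    for ns in site:
        if not ns.applies_to(qname):
            trail.append((ns.name, "skipped"))
            continue
        rcode = ns.resolver(qname)
        trail.append((ns.name, rcode))
        if rcode not in ns.response_codes:
            return rcode, ns.name, trail       # any other code ends evaluation
        last = (rcode, ns.name)                # fall through to the next namespace
    if last is None:
        return "NXDOMAIN", None, trail         # no namespace applied: synthetic NXDOMAIN
    return last[0], last[1], trail             # every applicable namespace fell through


def sample_site() -> List[Namespace]:
    """Constructed three-namespace site: an internal zone, a general resolver,
    and a fallback; google.com is on exception lists everywhere, as in the
    policy scenario."""
    return [
        Namespace("ns1", table_resolver({"host.corp.example": "NOERROR"}, "NXDOMAIN"),
                  match_lists=[{"corp.example"}],
                  exception_lists=[{"secret.corp.example"}]),
        Namespace("ns2", table_resolver({"missing.example": "NXDOMAIN",
                                         "broken.example": "SERVFAIL"}, "NOERROR"),
                  exception_lists=[{"google.com"}]),
        Namespace("ns3", table_resolver({}, "NXDOMAIN"),
                  exception_lists=[{"google.com"}]),
    ]


if __name__ == "__main__":
    site = sample_site()
    for q in ("host.corp.example", "broken.example", "missing.example", "google.com"):
        rcode, who, trail = resolve_in_site(site, q)
        print(f"{q}: {rcode} from {who or 'synthetic'} via {trail}")
```

The trail is the part worth keeping in a real deployment: when a client reports an unexpected NXDOMAIN, it distinguishes "every namespace said NXDOMAIN" from "no namespace applied because of the lists", which is the situation the policy scenario describes.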