Namespaces and forwarders - BlueCat DNS Edge

DNS Edge Deployment Guide

A namespace is a group of one or more DNS forwarders, and can optionally include match and exception domain lists. Each site in DNS Edge will have at least one and up to three associated namespaces.

When DNS Edge is initially set up, there is one default namespace with 8.8.8.8 set as the forwarder, with no domain lists added. You can create as many namespaces as you like, with a maximum of three namespaces set as defaults. Each namespace is configured with forwarder DNS addresses, and optionally, match list(s) and exception list(s). When you change the DNS forwarders for a namespace, all of the sites that are currently set to use that namespace (without overrides) are updated.
Note: Service points will now, by default, load balance queries to the forwarders defined within a namespace based on a health check status and load.

Creating a namespace and changing the DNS forwarders

  1. In the top navigation bar, click and select Namespaces.
  2. To add a new namespace, click or select an existing namespace and click Edit.
  3. Add or edit the name and description.
  4. Select Cisco Umbrella integration to configure the namespace to use the Cisco Umbrella integration.
    Attention: Selecting this option disables the Short TTL override. A message also appears indicating that the two applicable Cisco Umbrella IP addresses have been added to the Forwarders field.
  5. Select Short TTL to override the TTL of the response with a maximum value of 60 seconds (optional). This doesn't override the TTL of the response if it's less than 60 seconds.
  6. For Forwarders, type one or more remote DNS server IP addresses.
    • As you enter addresses, they appear below the Forwarders field. You can enter multiple addresses separated by commas.
    • To remove an address, click the blue X beside it.
  7. Add domain lists (optional):
    • Under Match List, enter the domain list(s) you want this forwarder to be used for. If there is no match list, then this namespace will be used for all queries, except any exceptions.
    • Under Exception List, add any domain list(s) that contain exceptions, if applicable.
    In total, you can add up to 20 domain lists, each with a maximum of 100,000 domains. Also, there is a 100 MB limit to the combined size of all domain lists associated with all of the namespaces.
    • If match lists are added, the namespace applies to queries matching the domains in the list.
    • If a query is in both the match list and the exception list, the exception applies.
    • If no match lists are added, the namespace applies to all queries other than those in exception lists.
  8. Click Save.
  9. To set namespaces as active default forwarders, click . You can have up to three active default namespaces.
  10. To delete a namespace, select it and click Delete. If the namespace is active and associated with one or more sites, you can't delete the namespace unless you deactivate it.

Setting and ordering the default namespaces

When you create a new site, it inherits the namespaces currently set as defaults. You can set and order the default namespaces in the Set Default Namespaces dialog.
Note:
  • At least one default namespace must be assigned to a site.
  • You can have a maximum of three default namespaces.
  • The order of default namespaces set in the Namespaces page is the order inherited by a newly created site.
  • Changes to default namespaces will only affect newly created sites.
To set and order the default namespaces:
  1. In the top navigation bar, click and select Namespaces.
  2. Click .

  3. Type the name of the namespace to be added as a default.
  4. Once you have all desired namespaces added, you can reorder the namespaces using drag and drop.
  5. Click SET DEFAULTS.

Namespaces and sites

When you create a new site, it inherits the namespaces currently set as defaults. You can further customize a site’s namespace configuration and select existing namespaces (default or non-default namespaces).
Note:
  • The order in which you add a namespace to a site determines its relative order to the other namespaces attached to the site. Every new namespace attached to a site is added last in the site's namespace configuration.
  • You can attach up to three namespaces onto a site and each site must have at least one namespace.
  • You can enter overrides that replace the forwarders of any namespace.
All of the service points associated with a site receive the namespace configuration as part of a scheduled cycle, and use the namespaces in the order that they are attached to that site. Resolution follows these rules:
  • When more than one namespace is configured for a site, DNS Edge attempts resolution against all matching namespaces in the order they're defined, until a response other than NXDOMAIN is returned.
    • When any response other than NXDOMAIN, including SERVFAIL, is returned, no further namespaces are evaluated.
    • If the resolution returns NXDOMAIN, continue with the next namespace.
  • If all of the namespaces are evaluated and none return a non-NXDOMAIN response, the last namespace's NXDOMAIN is returned.
  • If the query cycles through all of the selected Namespaces and no match is found because the query doesn't match the domain list on any namespace, or is included in an exception list, then a synthetic NXDOMAIN response is returned.
Attention: Some Namespace features might not be applied as expected on service points within Sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Namespace features function as expected.

Namespaces and policies

DNS Edge evaluates policies first, then namespaces. Consider the following example:
  1. A policy is set up to redirect all queries from a range of source IPs to a redirect target of google.com.
  2. None of the configured namespaces include google.com on any match list, or all of the namespaces DO include google.com on an exception list.
  3. One of the clients in the IP range affected by the redirect policy makes a query, which is redirected to google.com.
  4. Namespaces are evaluated, checking whether google.com can be resolved, but it's not on any match list, or it's on an exception list.
  5. An NXDOMAIN response is returned to the client, with a policy action of Block.
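
The resolution rules under "Namespaces and sites", and the namespace step of the policy example above, can be traced with the following model. It is an added example, not BlueCat code: the `Namespace` class, `resolve`, the `.example` domains and the canned upstream answers are constructed, and it assumes that a domain list entry covers the domain and its subdomains.

```python
from dataclasses import dataclass, field

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

def in_list(qname, domains):
    # Assumption: a list entry covers the domain itself and its subdomains.
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

@dataclass
class Namespace:
    name: str
    upstream: dict  # constructed stand-in for the forwarders: qname -> rcode
    match: set = field(default_factory=set)
    exceptions: set = field(default_factory=set)

    def applies_to(self, qname):
        if in_list(qname, self.exceptions):   # the exception list wins over the match list
            return False
        return not self.match or in_list(qname, self.match)  # no match list: all queries

    def forward(self, qname):
        return self.upstream.get(qname, NXDOMAIN)

def resolve(qname, namespaces):
    """Return (rcode, answering namespace); the namespace is None for a synthetic NXDOMAIN."""
    if not 1 <= len(namespaces) <= 3:
        raise ValueError("a site has between one and three namespaces")
    last = None
    for ns in namespaces:                     # evaluated in the order attached to the site
        if not ns.applies_to(qname):
            continue
        rcode = ns.forward(qname)
        if rcode != NXDOMAIN:                 # SERVFAIL also stops the evaluation
            return rcode, ns.name
        last = ns.name                        # NXDOMAIN: continue with the next namespace
    return NXDOMAIN, last

# Constructed site with two namespaces, both restricted by match lists.
SITE = [
    Namespace("internal",
              {"app.corp.example": NOERROR, "db.corp.example": SERVFAIL},
              match={"corp.example"}),
    Namespace("partner",
              {"old.corp.example": NOERROR, "db.corp.example": NOERROR},
              match={"corp.example", "partner.example"},
              exceptions={"legacy.partner.example"}),
]

if __name__ == "__main__":
    for q in ("app.corp.example", "old.corp.example", "db.corp.example",
              "missing.corp.example", "legacy.partner.example", "google.com"):
        print(q, resolve(q, SITE))
```

In this model `db.corp.example` returns SERVFAIL from the first namespace even though the second could answer it, and `google.com` matches no namespace, which is the synthetic NXDOMAIN reached in step 4 of the policy example.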