GSS data structures and RPZ zones - Adaptive Applications - BlueCat Gateway - 21.1

Global Server Selector Administration Guide

prodname
BlueCat Gateway
version_custom
21.1
If there is no response policy configured, when the DNS server received a query for an A record, it returns the exact record set queried. The following displays example output:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.3.85 application01.example.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6380
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;application01.example.com.	IN	A

;; ANSWER SECTION:
application01.example.com. 10	IN	A	172.20.3.51

;; AUTHORITY SECTION:
example.com.		86400	IN	NS	dns-primary-1.example.com.

;; ADDITIONAL SECTION:
dns-primary-1.example.com. 86400	IN	A	192.168.3.85

;; Query time: 0 msec
;; SERVER: 192.168.3.85#53(192.168.3.85)
;; WHEN: Fri Jun 26 09:18:47 UTC 2020
;; MSG SIZE  rcvd: 113
When an application is configured in GSS, the search order is written to DNS as SRV records in the gss.bluecat zone. In each SRV record, the name of the record identifies the application and the client region. The priority represents the priority of an answer region and the target of the record is an A record set that represents available answers. In the SRV record, the target name has a prefix "unlinked" that prevents linking in Address Manager. The prefix should be removed to find the target record as displayed in the following example:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.3.86 singapore.host.application01.example.com.gss.bluecat. srv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;singapore.host.application01.example.com.gss.bluecat. IN SRV

;; ANSWER SECTION:
singapore.host.application01.example.com.gss.bluecat. 10 IN SRV 1 0 0 unlinked.singapore.active.application01.example.com.gss.bluecat.
singapore.host.application01.example.com.gss.bluecat. 10 IN SRV 3 0 0 unlinked.london.active.application01.example.com.gss.bluecat.
singapore.host.application01.example.com.gss.bluecat. 10 IN SRV 2 0 0 unlinked.tokyo.active.application01.example.com.gss.bluecat.

;; AUTHORITY SECTION:
gss.bluecat.		86400	IN	NS	dns-primary-1.example.com.

;; ADDITIONAL SECTION:
dns-primary-1.example.com. 86400	IN	A	192.168.3.85

;; Query time: 0 msec
;; SERVER: 192.168.3.86#53(192.168.3.86)
;; WHEN: Fri Jun 26 09:07:43 UTC 2020
;; MSG SIZE  rcvd: 381
In this example, removing the prefix on the highest priority target makes Singapore the target answer region. GSS uses the active answer in Singapore for this client region when an answer is available. The following displays example output:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.3.86 singapore.active.application01.example.com.gss.bluecat.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;singapore.active.application01.example.com.gss.bluecat. IN A

;; ANSWER SECTION:
singapore.active.application01.example.com.gss.bluecat. 10 IN A 192.168.4.51

;; AUTHORITY SECTION:
gss.bluecat.		86400	IN	NS	dns-primary-1.example.com.

;; ADDITIONAL SECTION:
dns-primary-1.example.com. 86400	IN	A	192.168.3.85

;; Query time: 0 msec
;; SERVER: 192.168.3.86#53(192.168.3.86)
;; WHEN: Fri Jun 26 09:10:28 UTC 2020
;; MSG SIZE  rcvd: 154
The answer is then added to the RPZ zone for clients in Singapore as displayed in the following example:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.3.86 application01.example.com.singapore.rpz.gss.bluecat.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;application01.example.com.singapore.rpz.gss.bluecat. IN A

;; ANSWER SECTION:
application01.example.com.singapore.rpz.gss.bluecat. 10 IN A 192.168.4.51

;; AUTHORITY SECTION:
singapore.rpz.gss.bluecat. 86400 IN	NS	dns-primary-1.example.com.

;; ADDITIONAL SECTION:
dns-primary-1.example.com. 86400	IN	A	192.168.3.85

;; Query time: 0 msec
;; SERVER: 192.168.3.86#53(192.168.3.86)
;; WHEN: Fri Jun 26 09:16:24 UTC 2020
;; MSG SIZE  rcvd: 151
In the example, the Singapore DNS server has this zone configured as a RPZ zone. Although the IP address of application01.example.com is 172.20.3.51, when querying the Singapore DNS server, it returns the answer from the Singapore RPZ zone. The authority section in the following reply identifies the RPZ zone that provided the response:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.3.87 application01.example.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37497
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;application01.example.com.	IN	A

;; ANSWER SECTION:
application01.example.com. 10	IN	A	192.168.4.51

;; AUTHORITY SECTION:
singapore.rpz.gss.bluecat. 86400 IN	NS	dns-primary-1.example.com.

;; ADDITIONAL SECTION:
dns-primary-1.example.com. 86400	IN	A	192.168.3.85

;; Query time: 1 msec
;; SERVER: 192.168.3.87#53(192.168.3.87)
;; WHEN: Fri Jun 26 09:22:39 UTC 2020
;; MSG SIZE  rcvd: 139