2532 - Configuring DNS recursion in NIOS

Scenario

Your team decided to provide recursive services on the Infoblox Grid, and have selected 2 members to provide this service. After an architectural design session, your team decided it’s best to allow these 2 members to query the Internet root servers directly. Please make the appropriate configurations on the Grid.

What if I do not want the recursive members to query root servers directly?
The default behavior in NIOS when you enable recursion, like many other DNS implementations, is to query the Internet root servers. You can modify this behavior by specifying a set of Forwarders.

Estimated Completion Time

10 to 20 minutes

Credentials

Description        Username   Password   URL or IP
Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

Administrative access to the Grid

Course References

  • 2009: Configuring NIOS DNS Services

  • 2023: Configuring NIOS DNS Zones

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks

Task 1: Verifying the current lookup behavior

Use lookup tools to verify the current name resolution behavior. Query both ibns1 and ibns2 for an external domain, such as www.example.com.

Task 2: Configuring allow recursion on members

Configure DNS members ibns1 and ibns2 to allow recursive queries from any subnet.

Task 3: Verifying the lookup behavior

Run the same lookup command(s) from Task 1. Compare outputs to verify recursive queries are now allowed.


Solutions

Why configure this at the member level? You might be wondering why we repeat the same set of steps twice, once on each member, instead of doing it once at the Grid level. We could, but a Grid-level setting applies to every member on the Grid, which is rarely what you want for something like allowing DNS recursion; it is usually enabled on a per-member basis, and these instructions assume that common use case.

Task 1 Solution: Verifying the current lookup behavior

Before configuring recursion on Grid members, verify the current lookup behavior. Command-line lookup tools such as dig are ideal for testing DNS resolution. By looking up an external domain, that is, one the Grid is not authoritative for, we can test the current recursive lookup behavior. The following instructions repeat the same operations once per member.

  1. Log in to jump-desktop and run the command dig @10.100.0.105 www.example.com. This verifies the behavior for ibns1.

  2. Still on jump-desktop, run the command dig @10.200.0.105 www.example.com. This verifies the behavior for ibns2. Below is example output from this command. Notice the REFUSED status on line 7 and the warning "recursion requested but not available" on line 9: the member is currently refusing recursive queries.

$ dig @10.200.0.105 www.example.com. 

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> @10.200.0.105 www.example.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27364
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
; COOKIE: 888e2ee4f4281fdee7f0be7564b83649901d42acb5a86910 (good)
;; QUESTION SECTION:
;www.example.com.		IN	A

;; Query time: 3 msec
;; SERVER: 10.200.0.105#53(10.200.0.105) (UDP)
;; WHEN: Wed Jul 19 19:15:21 UTC 2023
;; MSG SIZE  rcvd: 72

Task 2 Solution: Configuring allow recursion on members

Now that we have verified the behaviors, we may configure the DNS members ibns1 and ibns2 to allow recursive queries from any subnet.

  1. In the GM web interface, navigate to Data Management → DNS → Members.

  2. Check the box next to the member (ibns1.techblue.net or ibns2.techblue.net) and click Edit.

  3. The Member DNS Properties dialog appears. Click on the Queries tab.

  4. Scroll down to the section Allow recursion. This is grayed out by default.

  5. Click the Override button to make a change. The button will change to Inherit after you click it, and the area can now be edited.

  6. Check the Allow recursion checkbox.

  7. Leave Allow Recursive Queries from set to Any.

  8. Click Save & Close.

  9. Do not restart services yet; repeat the same steps on the second member.

After you have updated both ibns1 and ibns2, restart Grid services following the system banner across the top of the screen.

Task 3 Solution: Verifying the lookup behavior

After restarting services on the Grid, run the same lookup commands from Task 1. The same commands should now yield different results. Below is the example output from querying ibns1. Notice that the status code on line 7 is now NOERROR, the flags on line 8 now include ra (recursion available), and the answer appears on line 17.

$ dig @10.100.0.105 www.example.com.

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> @10.100.0.105 www.example.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
; COOKIE: ac54fe73314316b3c6021c2f64b84189ce3dcc70a51e6c8a (good)
;; QUESTION SECTION:
;www.example.com.		IN	A

;; ANSWER SECTION:
www.example.com.	86400	IN	A	93.184.216.34

;; Query time: 247 msec
;; SERVER: 10.100.0.105#53(10.100.0.105) (UDP)
;; WHEN: Wed Jul 19 20:03:21 UTC 2023
;; MSG SIZE  rcvd: 88
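The before/after comparison in Tasks 1 and 3 comes down to two lines of dig output: the status in the HEADER line and whether the flags line carries ra. The following script is an added example, not part of the Infoblox lab, that parses a dig transcript for exactly those two fields and classifies the member as refusing or allowing recursion; it assumes a POSIX shell with awk, uses the lab's member addresses 10.100.0.105 and 10.200.0.105 only in the optional --live mode, and otherwise runs offline on constructed samples copied from the two transcripts above.

```shell
#!/bin/sh
# Added example (not from the Infoblox lab page): parse dig output and decide
# whether the queried member accepted a recursive query. Assumes a POSIX shell
# with awk; the member addresses are the lab's ibns1 and ibns2.

# Read one dig transcript from stdin and print "status=<RCODE> ra=<yes|no>".
recursion_state() {
    awk '
        /->>HEADER<<-/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /^;; flags:/   { ra = "no"; if ($0 ~ / ra[; ]/) ra = "yes" }
        END { printf "status=%s ra=%s\n", status, ra }
    '
}

# Map the parsed state to the two outcomes the lab expects.
verdict() {
    case "$1" in
        "status=NOERROR ra=yes") echo "recursion allowed" ;;
        "status=REFUSED ra=no")  echo "recursion refused" ;;
        *)                       echo "unexpected: $1" ;;
    esac
}

# Classify an in-memory transcript (used for the offline samples below).
classify_transcript() {
    verdict "$(printf '%s\n' "$1" | recursion_state)"
}

# Query a live member; needs dig and reachability, so only runs with --live.
check_member() {
    verdict "$(dig "@$1" www.example.com. | recursion_state)"
}

# Constructed samples: header lines copied from the lab's two transcripts.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27364
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'
SAMPLE_ALLOWED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "--live" ]; then
    for member in 10.100.0.105 10.200.0.105; do
        printf '%s: %s\n' "$member" "$(check_member "$member")"
    done
else
    printf 'Task 1 sample: %s\n' "$(classify_transcript "$SAMPLE_REFUSED")"
    printf 'Task 3 sample: %s\n' "$(classify_transcript "$SAMPLE_ALLOWED")"
fi
```

Any is what this lab asks for; on a member reachable from untrusted networks the same ra=yes result would make it an open resolver, so production configurations normally restrict Allow Recursive Queries from to the subnets that actually need recursion.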