2552 - Configuring DNS default forwarders in NIOS with fallback to root
Scenario
The NIOS Grid you are responsible for has two members performing recursive lookups. Currently, they are configured to query the DNS root servers directly. Due to architectural changes, your team has decided to forward all recursive queries to 2 external IP addresses provided by your DNS service provider. Please make the necessary configurations in the NIOS Grid.
Estimated Completion Time
10 to 20 minutes
Credentials
Description | Username | Password | URL or IP |
---|---|---|---|
Grid Manager UI | admin | infoblox |
Requirements
Administrative access to the Grid
Course References
2009: Configuring NIOS DNS Services
2023: Configuring NIOS DNS Zones
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:
Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: Adding default forwarders for DNS members
The IP addresses from your DNS providers are 8.8.8.8 and 9.9.9.9. Please add these as the Forwarders for your members ibns1 and ibns2.
Solutions
Why configure this at the member level? You might be wondering why we are repeating the same set of steps twice, once on each member. Why can’t we just do this once at the Grid level? We could, but that would apply this setting to every member on the Grid, which is rarely what you want for a setting like DNS forwarding. Forwarding is usually configured on a per-member basis, and our instructions assume this common use case.
Task 1 Solution: Adding default forwarders for DNS members
Follow the steps below to add default forwarders for ibns1 and ibns2 so that all recursive queries are forwarded to the IP addresses 8.8.8.8 and 9.9.9.9.
Navigate to Data Management → DNS → Members
Check the box next to the member (such as ibns1.techblue.net or ibns2.techblue.net) and click Edit
This displays the Member DNS Properties dialog window. Click on the Forwarders tab.
Click the Override button.
Click + to add a row. In the empty Address field, enter the address 8.8.8.8.
Click + to add another row. In the empty Address field, enter the address 9.9.9.9.
Leave the checkbox next to Use Forwarders Only unchecked. (See notes below).
Click Save & Close
Do not restart services yet. Repeat the same steps on the second member.
After you have updated both ibns1 and ibns2, restart Grid services following the system banner across the top of the screen.
Use Forwarders Only. This checkbox controls whether the NIOS member falls back to the DNS root servers for name resolution. When this box is checked, NIOS will only use the forwarder(s) defined in the section above. When this box is unchecked, NIOS will prefer the forwarder(s) defined above and fall back to using the root servers if needed. In this scenario, we are forwarding to external or public IP addresses, which implies the NIOS members already have Internet access. Thus, it makes sense to assume that if the forwarders (8.8.8.8 and 9.9.9.9 in this case) become unreachable, the NIOS members (ibns1 and ibns2) have the ability to fall back to querying the root servers directly.
Ultimately, the decision whether or not to check this box is up to you. There is no right or wrong answer; it depends on how you want your DNS resolution to behave. If you want all queries to go only through the forwarders (8.8.8.8 and 9.9.9.9 in this case), then you can check the box. With the box checked, should 8.8.8.8 and 9.9.9.9 become unreachable, your DNS members (ibns1 and ibns2) will stop resolving domain names that require recursion (i.e. domain names that are outside of the Grid).
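The Override and Use Forwarders Only behavior described above can be modeled to see what each member does during a forwarder outage. This is an added example, not Infoblox code: the dictionary keys are hypothetical names (not NIOS API fields), and the members example-fwd-only and example-inherit are constructed for contrast with ibns1 and ibns2.

```python
# Added illustration. Keys such as "override" and "forwarders_only" are
# hypothetical labels for the GUI settings, not NIOS API field names.

# Grid-level default in this lab's starting state: no forwarders defined.
GRID = {"forwarders": [], "forwarders_only": False}

FWD = ["8.8.8.8", "9.9.9.9"]  # forwarder addresses from Task 1

# Constructed sample. ibns1/ibns2 match the lab solution; the two
# "example-*" members are hypothetical and exist only for comparison.
MEMBERS = {
    "ibns1": {"override": True, "forwarders": FWD, "forwarders_only": False},
    "ibns2": {"override": True, "forwarders": FWD, "forwarders_only": False},
    "example-fwd-only": {"override": True, "forwarders": FWD, "forwarders_only": True},
    "example-inherit": {"override": False},
}


def effective(member, grid=GRID):
    """Member values apply only when Override is set; otherwise the Grid's do."""
    src = member if member.get("override") else grid
    return list(src["forwarders"]), bool(src["forwarders_only"])


def recursion_path(member, unreachable=(), grid=GRID):
    """Where a recursive query for a name outside the Grid ends up."""
    forwarders, only = effective(member, grid)
    alive = [f for f in forwarders if f not in unreachable]
    if alive:
        return "forwarders: " + ", ".join(alive)
    if forwarders and only:
        # Use Forwarders Only checked and every forwarder is down.
        return "fails (no fallback)"
    # Unchecked, or no forwarders defined at all: query the root servers.
    return "root servers"


def outage_report(members, unreachable=(), grid=GRID):
    """Map each member name to its resolution path for a given outage."""
    return {n: recursion_path(m, unreachable, grid) for n, m in members.items()}


if __name__ == "__main__":
    for down in [(), ("8.8.8.8",), ("8.8.8.8", "9.9.9.9")]:
        print("unreachable:", ", ".join(down) or "none")
        for name, path in outage_report(MEMBERS, down).items():
            print(f"  {name}: {path}")
```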