
2573 - Enabling and Configuring DNS Service

Scenario

DNS services need to be enabled on two BloxOne Hosts before we begin to configure DNS Zones and Records for our techblue.net deployment. We also need to set up an Access Control List and consider our DNS configuration with a DNS Config Profile. Initially we want to allow recursion for client queries.

Estimated Completion Time

  • 15 to 20 minutes

Prerequisites

  • Administrative access to the CSP

  • Lab 2801: Deploying BloxOne Hosts

Course References

  • 2159: BloxOne DDI Configuring DNS Services

Tasks

  1. Creating a DNS service instance on two BloxOne Hosts

  2. Configuring DNS hostnames for each service instance

  3. Creating a Named ACL

  4. Creating a DNS Config Profile with recursion enabled

  5. Applying the DNS Config Profile to the service instances

  6. Validating recursive DNS on a client

Task 1: Creating a DNS service instance on two BloxOne Hosts

We do not have any DNS Service Instances ready to use yet. We can use our two online BloxOne Hosts as DNS nameservers for our clients. Create one DNS Service Instance on each of our BloxOne Hosts, oph1.techblue.net and oph2.techblue.net. Name the Service Instances Techblue DNS service 1 and Techblue DNS service 2.

Task 2: Configuring DNS hostnames for each service instance

Our new DNS service instances need resolvable names. Use oph1.techblue.net and oph2.techblue.net for the respective service instances.

Task 3: Creating a Named ACL

We want to limit which clients in our network can perform queries through our DNS service instances, only allowing local subnets to query for domain names recursively. We can use a Named ACL for this. Create a Named ACL named Local Subnets and allow only the networks from this table:

Table 2573-1

Type            Value            Permission
IPv4 Network    172.31.0.0/16    Allow
IPv4 Network    10.100.0.0/24    Allow
IPv4 Network    10.200.0.0/24    Allow

Task 4: Creating a DNS Config Profile with recursion enabled

We will need to be able to control and customize how our DNS service instances behave. We can use a DNS Config Profile for this, and save it so we can use it on future DNS servers. We'll start out with a few basic settings:

  • Name the DNS Config Profile Techblue NYC Branch.

  • We want to allow queries from any address or network, but we want to allow recursive queries only from our local subnets, using the Named ACL we created, Local Subnets.
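The two profile settings above express a policy: answer queries from anyone (so external resolvers can still reach zones we host), but recurse only for clients inside the Local Subnets ACL, so the service does not become an open resolver. The following is an added example, not BloxOne code or its API, that models that policy in Python using the ACL entries from Table 2573-1 and the settings from this task, with first-match-wins evaluation and default deny as assumptions of the example. It reports what a given client IP can expect from the service.

```python
import ipaddress

# Named ACL "Local Subnets", with entries taken from Table 2573-1.
LOCAL_SUBNETS_ACL = [
    ("IPv4 Network", "172.31.0.0/16", "Allow"),
    ("IPv4 Network", "10.100.0.0/24", "Allow"),
    ("IPv4 Network", "10.200.0.0/24", "Allow"),
]
NAMED_ACLS = {"Local Subnets": LOCAL_SUBNETS_ACL}

# Hypothetical model of the "Techblue NYC Branch" DNS Config Profile settings
# from Task 4 (the key names here are this example's, not BloxOne's).
PROFILE = {
    "allow_queries_from": [("Any Address/Network", "any", "Allow")],
    "allow_recursion": True,
    "allow_recursive_queries_from": [("Named ACL", "Local Subnets", "Allow")],
}


def acl_decision(entries, client_ip, depth=0):
    """Return the permission of the first entry matching client_ip, or None.

    First-match-wins ordering and the handling of nested Named ACLs are
    assumptions of this example.
    """
    if depth > 8:
        raise ValueError("Named ACL nesting too deep (possible loop)")
    ip = ipaddress.ip_address(client_ip)
    for kind, value, permission in entries:
        if kind == "Any Address/Network":
            return permission
        if kind in ("IPv4 Network", "IPv4 Address"):
            # ip_network() handles a bare address as a /32; a mismatched
            # IP version simply never matches.
            if ip in ipaddress.ip_network(value, strict=False):
                return permission
        if kind == "Named ACL":
            nested = acl_decision(NAMED_ACLS[value], client_ip, depth + 1)
            if nested is not None:
                return nested
    return None  # no entry matched; callers treat this as deny


def query_allowed(client_ip, profile=PROFILE):
    """Would the service answer this client at all?"""
    return acl_decision(profile["allow_queries_from"], client_ip) == "Allow"


def recursion_allowed(client_ip, profile=PROFILE):
    """Would the service recurse on this client's behalf?"""
    if not profile["allow_recursion"]:
        return False
    return acl_decision(profile["allow_recursive_queries_from"], client_ip) == "Allow"


def classify(client_ip, profile=PROFILE):
    """Summarise the service's behaviour for one client under the lab design."""
    if not query_allowed(client_ip, profile):
        return "refused"
    if recursion_allowed(client_ip, profile):
        return "recursive"
    return "authoritative-only"


if __name__ == "__main__":
    # Constructed sample clients: two inside the branch subnets, two outside.
    for client in ("10.100.0.50", "172.31.200.7", "10.100.1.5", "198.51.100.9"):
        print(f"{client:>14}: {classify(client)}")
```

A client on 10.100.0.0/24 gets recursive service, while an address such as 198.51.100.9 (or 10.100.1.5, which is outside the /24) is still answered for zones the service hosts but is not recursed for; that is exactly the behaviour Task 6 checks with the rd and ra flags.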

Task 5: Applying the DNS Config Profile to the service instances

We now have a DNS Config Profile the way we want it. We need to apply it to the DNS service instances we created earlier.

Task 6: Validating recursive DNS on a client

We should test that our DNS services are operating and following our design. We can use our testing-linux VM and the command-line tool dig to verify that a client on our local subnets in the Techblue NYC Branch can do a recursive DNS lookup. Set the IP address as a fixed address with the command sudo set-network-static-bloxone to allow a route to the DNS server.


Solutions

Task 1: Creating a DNS service instance on two BloxOne Hosts

  1. Open your CSP browser window and navigate to Manage → Infrastructure → Services

  2. Click on Create Service and choose DNS from the drop-down

  3. Enter a Name: Techblue DNS service 1

  4. Click on Select Host and locate the Host with the IP address 10.100.0.110 (this should be oph1.techblue.net)

  5. Select the BloxOne Host and click on the Select button on the right

  6. Click Next and confirm this is the right IP Address of the BloxOne Host

  7. Click Finish and then Save & Close

  8. Repeat steps 1 through 7 using the name Techblue DNS service 2 for the BloxOne Host with IP address 10.200.0.110

The Service Status will change from Stopped (while it is starting) to Online. If the service remains Stopped, attempt to restart it by selecting the checkbox for the service and choosing Restart from the Service Actions drop-down menu.

Task 2: Configuring DNS hostnames for each service instance

  1. Using your CSP browser window, navigate to Manage → DNS

  2. Select the DNS Servers tab

  3. Place a check next to your oph1 service Techblue DNS service 1 and click the Edit DNS Server button

  4. Enter a DNS Name: oph1.techblue.net

  5. Click Save & Close

  6. Repeat all of the above steps for your Techblue DNS service 2 using DNS Name oph2.techblue.net

Task 3: Creating a Named ACL

  1. Navigate to Manage → DNS, then select the Access Control Lists tab

  2. Click on the Create Named ACL button

  3. Set a Name of Local Subnets

  4. In the List section:

    1. Click Add and set a Type of IPv4 Network, Value 172.31.0.0/16 and Permission Allow

    2. Click Add and set a Type of IPv4 Network, Value 10.100.0.0/24 and Permission Allow

    3. Click Add and set a Type of IPv4 Network, Value 10.200.0.0/24 and Permission Allow

  5. Click Save & Close

Task 4: Creating a DNS Config Profile with recursion enabled

  1. Navigate to Manage → DNS, then select the DNS Config Profiles tab and click on the Create DNS Config Profile button

  2. Give the DNS Config Profile a name: Techblue NYC Branch

  3. Expand the Queries section and under Allow Queries From, click Add. Select a Type of Any Address/Network and the permission Allow (click the Override toggle to change the default settings)

  4. Expand the Recursion section and check Allow Recursion (click the Override toggle to change the default settings)

  5. Under the Allow Recursive Queries From section, click Add. Select a Type of Named ACL and a value of Local Subnets (click the Override toggle to change the default settings)

  6. Click Save & Close

Task 5: Applying the DNS Config Profile to the service instances

  1. Click on the menu icon next to the profile we just created (Techblue NYC Branch) and select Edit

  2. Under SERVICE INSTANCES, click Add then select Techblue DNS service 1 from the menu and click Select

  3. Click Add again and select Techblue DNS service 2 from the menu and click Select

  4. Click on Save & Close. Allow several minutes for DNS services to come up on the hosts. You can verify their status under Manage → Infrastructure → Services.

Task 6: Validating recursive DNS on a client

We will use the test client Virtual Machine in our lab, named testing-linux, and the DNS lookup tool dig to test that recursion is working with our DNS service instances.

  1. On the testing-linux desktop, open a Terminal window

  2. Set the IP address as a fixed address with the command sudo set-network-static-bloxone to allow a route to the DNS server.

  3. Run the following dig command against oph1.techblue.net:
    dig @10.100.0.110 training.infoblox.com


    This asks the DNS server at 10.100.0.110 (oph1.techblue.net) to recursively look up the A records for training.infoblox.com, which lies outside of our network. You should see a response similar to this:

    training@testing-linux:~ $ dig @10.100.0.110 training.infoblox.com
    ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @10.100.0.110 training.infoblox.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32563
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: 61c43e021c8d667b01000000635abb06398fa8c1b458faa0 (good)
    ;; QUESTION SECTION:
    ;training.infoblox.com. IN A
    ;; ANSWER SECTION:
    training.infoblox.com. 3600 IN A 151.101.2.253
    training.infoblox.com. 3600 IN A 151.101.194.253
    training.infoblox.com. 3600 IN A 151.101.130.253
    training.infoblox.com. 3600 IN A 151.101.66.253
    ;; Query time: 3047 msec
    ;; SERVER: 10.100.0.110#53(10.100.0.110) (UDP)
    ;; WHEN: Thu Oct 27 17:08:22 UTC 2022
    ;; MSG SIZE rcvd: 142

  4. Note the query flags and the Answer Section. We can see from the flags rd and ra that in this query we asked for recursion (Recursion Desired) and the DNS server responded that it allows recursion (Recursion Available).

  5. Repeat the same command this time against oph2.techblue.net:

    dig @10.200.0.110 training.infoblox.com
