
Creating a DNS Secondary Zone in Universal DDI (2576)

Scenario

You support client systems that need reliable access to the external domain ddip.org, which is owned by a training provider outside your organization. To improve local survivability, you decided to host a read-only secondary copy of the zone on your Universal DDI DNS servers so clients can continue resolving names even when connectivity to the external provider is disrupted. Your goal is to create the required DNS Server Group, configure the secondary zone ddip.org in the Infoblox Portal, and verify from a client that the transferred zone data is available locally.

Estimated Completion Time

  • 20 to 30 minutes

Prerequisites

Learning Content

Tasks

  1. Create DNS Server Group

  2. Create Secondary Zone

  3. Validate Zone Data

Task 1: Create DNS Server Group

Create an Authoritative DNS Server Group that includes the external primary server mimosa.techblue.io and the TSIG key the training provider supplied for zone transfers. The key is stored in a file named tsig_xfer_sha256.txt on the Shared Drive of the jump-desktop VM. The provider has also supplied the IP address of its external primary name server, mimosa.techblue.io (45.120.106.133). Configure the group so your two DNS service instances can receive the transferred zone data.

Task 2: Create a Secondary Zone

Use the DNS Server Group from Task 1 to create the secondary zone ddip.org in the default DNS view.

Task 3: Validate Zone Data

Use testing-linux to confirm that the zone transfer completed successfully and that clients can resolve records from the secondary zone.


Solutions

Task 1 Solution: Create DNS Server Group

Start by defining the external zone-transfer source and the authentication settings it requires. The DNS Server Group brings together the external primary server, the TSIG key, and your local DNS service instances so you can reuse that relationship when you create the secondary zone.

  1. Log in to your lab’s jump-desktop.

  2. Use the Education Infoblox Portal credentials to sign in to the Infoblox Portal.

  3. Navigate to Network → DNS.

  4. Click the DNS Server Groups tab.

  5. Click Create and select Authoritative DNS Server Group.

  6. In the Name field, enter external-ns-group.

  7. Under External Primary Servers, click Add and select External Primary.

  8. Enter mimosa.techblue.io as the server name and 45.120.106.133 as the address.

  9. Select Use TSIG and choose New TSIG Key.

  10. On jump-desktop, open Geany and load the file /mnt/shared/tsig_xfer_sha256.txt.

  11. In the New TSIG Key section, enter the key name shown in the file, select the matching algorithm, and paste the secret exactly as provided.

  12. Click Add.

  13. Under NIOS-X BloxOne Secondary DNS Servers, move both DNS service instances to the selected list of secondary DNS servers.

  14. Click Save & Close.

Task 2 Solution: Create a Secondary Zone

After the DNS Server Group is ready, create the secondary zone that will pull data from the external primary source. Using the server group here avoids re-entering the transfer source and TSIG details and ensures the zone is mapped to the correct authoritative relationship.

  1. Navigate to Network → DNS.

  2. Select the Zones tab.

  3. Click the DNS view default.

  4. Click Create and select Secondary Zone.

  5. In the Name field, enter ddip.org.

  6. Expand the DNS Server Groups section.

  7. From the available list, select external-ns-group and move it to the selected column.

  8. Click Save & Close.

Task 3 Solution: Validate Zone Data

Finish by verifying with a client that the transferred zone data is available on your local DNS server. Querying a known record confirms that the secondary zone has transferred successfully and that the server is answering authoritatively for the copied data.

  1. On testing-linux, open a terminal window.

  2. Run sudo set-network-static-bloxone so the client has a route to the DNS server. If prompted for a password, use infoblox.

  3. Run the following query: dig @10.100.0.110 lms.ddip.org. A

  4. Review the response and confirm that the flags line includes aa (authoritative answer) and that the status is NOERROR.

  5. An authoritative NOERROR answer confirms that server 10.100.0.110 holds a local copy of the authoritative zone data for ddip.org.
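An added check for the validation in Task 3 (example code written for this guide, not Infoblox's own tooling): it parses a dig response for the aa flag and NOERROR status, and compares SOA serials so you can tell whether the local secondary copy is current with the external primary. The dig output and records embedded in the script are constructed samples, and the function names and the mimosa/hostmaster SOA values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab: parse dig output and check what Task 3 asks
# you to eyeball (aa flag and NOERROR), then compare SOA serials so you can tell
# whether the local secondary copy is in sync with the primary. Samples are constructed.

# Constructed sample: what dig prints when the secondary answers authoritatively.
SAMPLE_OK='; <<>> DiG 9.18.1 <<>> @10.100.0.110 lms.ddip.org. A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
lms.ddip.org.           3600    IN      A       192.0.2.10'

# Constructed sample: a response from a server that does not hold the zone.
SAMPLE_BAD='; <<>> DiG 9.18.1 <<>> @10.100.0.110 lms.ddip.org. A
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample SOA answer line, as printed by: dig @server ddip.org. SOA +noall +answer
SAMPLE_SOA='ddip.org.  3600  IN  SOA  mimosa.techblue.io. hostmaster.ddip.org. 2024051901 3600 900 604800 300'

# Print the status word from the HEADER line (NOERROR, REFUSED, SERVFAIL, ...).
dig_status() { sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1; }

# Succeed only if the flags line carries aa (authoritative answer).
dig_has_aa() { grep -q '^;; flags:.* aa[ ;]'; }

# Read a whole dig response on stdin; exit 0 only for an authoritative NOERROR answer.
check_authoritative() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | dig_status)
    if [ "$status" != "NOERROR" ]; then
        echo "FAIL: status is ${status:-unknown}, expected NOERROR" >&2
        return 1
    fi
    if ! printf '%s\n' "$resp" | dig_has_aa; then
        echo "FAIL: no aa flag, the server is not authoritative for this name" >&2
        return 1
    fi
    echo "OK: authoritative NOERROR answer"
}

# Extract the serial (7th field) from an SOA answer line; prints nothing if none is present.
soa_serial() { awk '$4 == "SOA" { print $7; exit }'; }

# Succeed when both serials are present and equal, i.e. the secondary copy is current.
serials_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Demo on the samples. Live: dig @10.100.0.110 lms.ddip.org. A | check_authoritative
printf '%s\n' "$SAMPLE_OK" | check_authoritative
printf '%s\n' "$SAMPLE_BAD" | check_authoritative 2>/dev/null || echo "(expected before the transfer completes)"
```

For the serial comparison on the live lab, run dig @45.120.106.133 ddip.org. SOA +noall +answer and dig @10.100.0.110 ddip.org. SOA +noall +answer, pipe each through soa_serial, and pass the two values to serials_match.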
