Hi All,
Can we configure more than one Primary DNS Servers and Alternate DNS servers from ProxySG S400-30
Ex:
Primary DNS : 10.10.10.10,10.10.10.11,10.10.10.12
AlternateSecondary DNS : 10.10.10.13,10.10.10.15,10.10.10.17
Regards,
Ramu.
This article describes how to enable a NetScaler appliance to use the Domain Name System (DNS) for resolving the hostnames to its respective IP addresses.
You will require an SSH utility to access the command line interface of the NetScaler appliance.
By default, the NetScaler appliance cannot resolve the hostnames to its respective IP addresses. You must complete the following tasks to enable the name resolution on the NetScaler appliance:
When you enable the NetScaler appliance to use DNS for resolving the hostnames to its respective IP addresses, consider the following points:
You must perform the DNS lookup from the command line interface of the NetScaler appliance. If you perform the DNS lookups from the shell prompt of the FreeBSD operating system, the lookups fail because the entry in the /etc/resolver.conf file points to the 127.0.0.2 IP address.
The following commands are not available in the command line interface of the appliance:
The NetScaler needs to be able to ping the DNS server on its SNIP/MIP otherwise it shows as down. This is important when NetScaler is behind a firewall.
Domains hosted on all Citrix ADC MPX/SDX/VPX appliances in ADNS mode or proxy mode will continue to be accessible after DNS Flag Day without any performance impact.
Citrix ADC can be deployed in multiple modes for DNS traffic and the following table captures the impact in each mode.
| Deployment Mode | Test Result |
| DNS proxy mode with caching enabled | No impact on domain availability and performance. Overall minor impact is identified due to our approach of EDNS options handling |
| DNS proxy mode with caching disabled | |
| GSLB mode (zone same as GSLB domain) | |
| ADNS mode with authoritative zone | |
| Load Balancing virtual server with authoritative zone | |
| Resolver mode with authoritative zone | |
| Content Switching with authoritative zone | |
| DNS proxy mode with caching enabled with EDNS Client Subnet enabled on backend server | |
| DNS proxy mode with caching disabled with EDNS Client Subnet enabled on backend server | |
| GSLB with DNSSEC | |
| GSLB with EDNS Client Subnet enabled | |
| DNSSEC enabled ADNS |
If you test your application domain in https://dnsflagday.net/ portal, you could get the following result – “Minor problems detected!” (see Appendix A). This is because of our approach of EDNS options handling. It is assured that there will be no impact on domain availability and performance post DNS Flag Day.
Citrix ADC supports EDNS0 on all supported versions – 10.5, 11.0, 11.1, 12.0 and 12.1 – and you shall get the same result i.e. “Minor problems detected!” on all versions, if configured correctly.
We will release a build in future with all required EDNS standards and comply completely.If you are getting a result other than “All Ok!” or “Minor problems detected!” see next section on Citrix recommendation.
See Appendix B to find how to configure these entities on Citrix ADC.
If these steps do not give you a “Minor problems detected!” result, kindly contact Citrix Support.
Some examples of failure cases are given below:
Example 1: Test result: “Fatal error detected!”
Cause: This happens when test tool gets timeout on TCP queries.
Solution: Ensure that DNS_TCP type virtual server (in case of DNS proxy deployment) and ADNS_TCP service (in case of ADNS deployment) are up and running on Citrix ADC.
Example 2: Test result: “Serious problem detected!”
Cause: This is seen in cases when there is some network connectivity issue with the DNS server. Also, the result can change to “Minor problem detected!” intermittently.
Solution: Ensure there is no network connectivity issue with the server and recommended steps above are followed.
Testing domain on https://dnsflagday.net/ can give the following results:
CLI: add dns soarec <domain name> -originserver <> -contact <>
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> SOA Records
CLI: add dns nsrec <domain name> <NS record>
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> Name Server Records
CLI: add lb vserver <vserver name> DNS_TCP <IP> 53
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Virtual Servers
CLI: add service <service name> <IP> ADNS_TCP 53
GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Services
Hi smeura,
There are some applications that don’t work well with with SmartConnect because of the IP change. I don’t have enough information about your environment to give you advice here, but you could open up a ticket with Isilon for a deeper dive.
There is some information here https://support.emc.com/docu58740 regarding SmartConnect and DMZ but I can’t say whether or not it is applicable to your situation.
SmartConnect usage in isolated network environments
SmartConnect is, effectively, a limited implementation of a custom DNS server: it answers only for the SmartConnect zone names or aliases configured on it. To use SmartConnect in an isolated network environment where no DNS infrastructure is available (such as a DMZ), configure your client systems to use the SmartConnect service IP address as the primary DNS server. Configuring your client systems this way helps to ensure that:
• Requests to connect to Isilon clusters with SmartConnect zone names will succeed.
• The isolated network benefits from SmartConnect features, such as load-balancing and rerouting traffic to prevent unavailable nodes, will work as expected in a normal, non-isolated deployment.
when try to resolve the local domain hostname, will returns a failure and the DNS server shows the 172.1.x.x.rather than 172.16.7.1
——————————————————-
dig ad.test.local
……
;; Query time: 1 msec
;; SERVER: 172.1.0.2#53(172.1.x.x)
;; WHEN: Sat Mar 25 03:05:44 2017
;; MSG SIZE rcvd: 48;; Query time: 1 msec
——————————————————-
but if we assign the 172.16.7.1 or the 127.0.0.2(local default DNS,pointing to the added DNS server) to resolve it, it returns a normal result.
——————————————————-
dig ad.test.local @172.16.7.1
……
;; Query time: 1 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Sat Mar 25 03:05:44 2017
;; MSG SIZE rcvd: 48;; Query time: 1 msec
——————————————————-
when we check the /etc/resolv.conf , we found that there are 2 DNS server, 172.1.x.x prior to 127.0.0.2,
this is a by design for ADC VPX running on AWS.
Note:- /etc/resolv.conf is on the shell prompt , you can reach shell prompt by typing in shell at ADC prompt(>)
Check and modify if relevant ,XMS configured DNS server(s) IP-addr
Example of XMS DNS server(s) configured IP_Addr:
xmcli (tech)> show-dns-servers
Primary: 10.64.224.1
Secondary: 10.64.224.2
Example of reconfiguring the XMS DNS server(s) IP_Addr
xmcli (tech)> show-dns-servers
Primary: 10.64.224.1
Secondary: 10.64.224.2
xmcli (tech)> modify-dns-servers secondary=””
xmcli (tech)> show-dns-servers
Primary: 10.64.224.1
Secondary: None
Note: You need to have a primary DNS server configured before adding or removing secondary DNS server
xmcli (admin)> show-dns-servers
Primary: none
Secondary: none
xmcli (tech)> modify-dns-servers secondary=”10.64.224.1″
The new secondary DNS server will be: “10.64.224.1”
Are you sure? (Yes/NO):yes
***XMX Completion Code: must_first_specify_primary_dns
In current DNS handling, NetScaler Gateway plugin sends a “GET/DNS” request for DNS (or WINS) lookup. When NetScaler receives such a request, it creates an actual DNS packet and sends it to the DNS server configured on NetScaler.
When NetScaler receives the response from the DNS server, it sends a resolved IP to NetScaler Gateway plugin and plugin in turn will send this to the requested application. Therefore, whenever there is a DNS lookup, because of the preceding design you will receive only one IP.
NetScaler provides two nsapimgr knobs (mentioned in additional resources section) for controlling this behavior. If you configure these knobs on NetScaler, NetScaler Gateway plugin sends DNS query packets transparently to configured DNS server and DNS response is also received transparently.
Hi together,
we use 2 ProxySG VA in a DMZ Environment were explicit DNS Servers ( only for DMZ Servers ) are used.
After a Domain Join the DNS Server replied the SRV Kerberos Entries from the LAN Environment.
The Domain Names of the DMZ and the LAN are the same.
Is it possible to join a Domain with a special RODC Name ??
DNS Answers give us only the Adresses of the DOC System
Regards
Thorsten
Regardless of if you use a Domino or an Exchange environment the following can be used to test the issue.
Once SourceOne Web Services component is installed it creates a web site/application named “ExDominoShortcut”. This site is used during the install process for validation that Web Services is present. Validate that the following URL can be reached:
http://<SERVERNAME>/ExDominoShortcut/Notes.aspx?getver=1
Where <SERVERNAME> is the Web Services server where Dell EMC SourceOne Search is to be installed. When this site is opened it should return a page which displays a version number or multiple version numbers, for example:
Version=6.7.0
Version=6.6.1
Although after trying the above and you have no access to the site location (http://<SERVERNAME>/ExDominoShortcut/Notes.aspx?getver=1) . Instead you will receive a Network Error like shown below:
“Network Error (dns_server_failure)
Your request could not be processed because an error occurred contacting the DNS server.
The DNS server may be temporarily unavailable, or there could be a network problem.”
The Web Server can be pinged by Server Name.
Additional testing reveals that if the ‘Server Name’ is replaced by ‘localhost’ or ‘ServerName.domain’ you can access the site location …/ExDominoShortcut/Notes.aspx?getver=1
The issue is related with DNS name resolution.
I send messages to domain ford.com, nutricia.com, mazdaeur.com, uta.com etc.
Each domain reply back “Remote Server at cluster8a.eu.messagelabs.com (85.158.139.103) returned ‘550 4.4.7 QUEUE.Expired; message expired'” or ” Remote Server at cluster8a.eu.messagelabs.com (85.158.139.103) returned ‘441 4.4.1 Error encountered while communicating with primary target IP address: “421 4.4.2 Connection dropped due to ConnectionReset.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 85.158.139.103:25’
When I try list MX record for e.g ford.com DNS returns
cluster4a.us.messagelabs.com internet address = 216.82.251.230
cluster4.us.messagelabs.com internet address = 67.219.247.49
cluster4.us.messagelabs.com internet address = 67.219.246.97
cluster4.us.messagelabs.com internet address = 67.219.251.49
cluster4.us.messagelabs.com internet address = 67.219.250.193
cluster4.us.messagelabs.com internet address = 67.219.250.97
cluster4.us.messagelabs.com internet address = 67.219.246.193
I have 10 mailserver in one subnet 80.188.242.x Any address is not on blacklist http://ipremoval.sms.symantec.com/lookup/
If I try to connect via telnet on port 25 to messagelabs.com from subnet 80.188.242.x I get answer “connection abort” or something similar.
SMTPDiag from one of the servers
Searching for Exchange external DNS settings.
Computer name is MFX.
VSI 1 has the following external DNS servers:
There are no external DNS servers configured.
Checking SOA for ford.com.
Checking external DNS servers.
Checking internal DNS servers.
SOA serial number match: Passed.
Checking local domain records.
Checking MX records using TCP: mf.cz.
Checking MX records using UDP: mf.cz.
Both TCP and UDP queries succeeded. Local DNS test passed.
Checking remote domain records.
Checking MX records using TCP: ford.com.
Checking MX records using UDP: ford.com.
Both TCP and UDP queries succeeded. Remote DNS test passed.
Checking MX servers listed for info@ford.com.
Connecting to cluster4.us.messagelabs.com [67.219.251.49] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.250.97] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.250.193] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.247.49] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.246.97] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.246.193] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4a.us.messagelabs.com [216.82.251.230] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4a.us.messagelabs.com.