How to Enable NetScaler Appliance to Use DNS for Resolving the Hostnames to IP Addresses

This article describes how to enable a NetScaler appliance to use the Domain Name System (DNS) to resolve hostnames to their IP addresses.

You will require an SSH utility to access the command line interface of the NetScaler appliance.

By default, the NetScaler appliance cannot resolve hostnames to IP addresses. Complete the following tasks to enable name resolution on the NetScaler appliance:

  • Define name servers
  • Define a DNS suffix

When you enable the NetScaler appliance to use DNS for resolving hostnames to IP addresses, consider the following points:

  • You must perform DNS lookups from the command line interface of the NetScaler appliance. If you perform DNS lookups from the shell prompt of the FreeBSD operating system, they fail because the nameserver entry in the /etc/resolv.conf file points to the 127.0.0.2 IP address.

  • The following commands are not available in the command line interface of the appliance:

    • host
    • dig
    • getent/MIP
    • nslookup

  • The NetScaler must be able to ping the DNS server from its SNIP/MIP; otherwise the name server shows as down. This matters when the NetScaler is behind a firewall that filters ICMP.


Citrix Response on DNS Flag Day

February 1st 2019 is DNS Flag Day, from which date multiple public DNS providers and DNS software vendors will no longer support broken or vulnerable DNS implementations. On or around this date, major open source resolver vendors will release updates that implement stricter EDNS handling. These resolvers will not work around non-compliant DNS servers.

Is Citrix ADC impacted?

Domains hosted on all Citrix ADC MPX/SDX/VPX appliances in ADNS mode or proxy mode will continue to be accessible after DNS Flag Day without any performance impact.

Citrix ADC can be deployed in multiple modes for DNS traffic. The following deployment modes were tested:

  • DNS proxy mode with caching enabled
  • DNS proxy mode with caching disabled
  • GSLB mode (zone same as GSLB domain)
  • ADNS mode with authoritative zone
  • Load Balancing virtual server with authoritative zone
  • Resolver mode with authoritative zone
  • Content Switching with authoritative zone
  • DNS proxy mode with caching enabled, with EDNS Client Subnet enabled on the backend server
  • DNS proxy mode with caching disabled, with EDNS Client Subnet enabled on the backend server
  • GSLB with DNSSEC
  • GSLB with EDNS Client Subnet enabled
  • DNSSEC enabled ADNS

Test result (same for every mode listed): No impact on domain availability and performance. An overall minor impact is identified due to our approach to EDNS options handling.

If you test your application domain on the https://dnsflagday.net/ portal, you may get the result “Minor problems detected!” (see Appendix A). This is because of our approach to EDNS options handling. There will be no impact on domain availability or performance after DNS Flag Day.

Citrix ADC supports EDNS0 on all supported versions – 10.5, 11.0, 11.1, 12.0 and 12.1 – and you will get the same result, i.e. “Minor problems detected!”, on all versions if configured correctly.

We will release a build in the future that implements all required EDNS standards and complies fully.

If you get a result other than “All Ok!” or “Minor problems detected!”, see the next section on the Citrix recommendation.
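As an added illustration (not Citrix code), the following Python builds the kind of EDNS0 query a Flag Day compliance checker sends and reads the fields in a reply that such a check cares about: whether an OPT record is echoed back, which EDNS version it carries, and whether the TC bit tells the client to retry over TCP (the fallback that makes the DNS_TCP entities in the Citrix recommendation matter). The reply is constructed inline, not captured from an appliance; the helper names are assumptions.

```python
import struct

def encode_name(name):
    """Encode a hostname in DNS wire format (length-prefixed labels, root terminator)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=1, qid=0x1234, edns=True, udp_size=4096, edns_version=0):
    """Build a DNS query; with edns=True an OPT pseudo-RR is appended in the additional section."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD flag set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns:  # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags
        opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, edns_version << 16, 0)
    return header + question + opt

def skip_name(data, pos):
    """Return the position just past a wire-format name (handles compression pointers)."""
    while True:
        l = data[pos]
        if l == 0:
            return pos + 1
        if (l & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + l

def inspect_response(data):
    """Extract the fields an EDNS compliance check looks at from a raw DNS response."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    info = {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "opt": None}
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        if rtype == 41:  # OPT: CLASS carries UDP size, TTL carries ext-rcode/version/flags
            info["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
        pos += 10 + rdlen
    return info

def constructed_reply(query, answer_ip, echo_opt=True, tc=False):
    """Constructed sample reply (not captured traffic): echoes the question, adds one A record and optionally an OPT."""
    qid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0)  # QR, RD, RA, optional TC
    qend = skip_name(query, 12) + 4
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in answer_ip.split("."))
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, 0, 0) if echo_opt else b""
    return struct.pack(">HHHHHH", qid, flags, 1, 1, 0, 1 if echo_opt else 0) + query[12:qend] + a_rr + opt
```

A reply with no OPT record, or no reply at all, to an EDNS query is what a checker reports as a problem, and a TC=1 reply is only useful if the same name answers over TCP.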

What is Citrix Recommendation?

  • Configure SOA and NS records for the zones you are authoritative for.
  • If Citrix ADC is deployed in proxy mode, also configure a DNS_TCP type virtual server. Ensure that this virtual server is up and running.
  • If Citrix ADC is deployed in ADNS mode, also configure an ADNS_TCP type service. Ensure that this service is up and running.

See Appendix B for how to configure these entities on Citrix ADC.

If these steps do not give you a “Minor problems detected!” result, contact Citrix Support.

Example Failure Cases

Some examples of failure cases are given below:

Example 1: Test result: “Fatal error detected!”

Cause: This happens when the test tool times out on TCP queries.

Solution: Ensure that the DNS_TCP type virtual server (for a DNS proxy deployment) or the ADNS_TCP service (for an ADNS deployment) is up and running on Citrix ADC.

Example 2: Test result: “Serious problem detected!”

Cause: This is seen when there is a network connectivity issue with the DNS server. The result can also change to “Minor problems detected!” intermittently.

Solution: Ensure there is no network connectivity issue with the server and that the recommended steps above are followed.

Appendix A

Testing domain on https://dnsflagday.net/ can give the following results:

[Image: dnsflagday.net test results]

Appendix B

Configuring SOA record

CLI: add dns soarec <domain name> -originserver <> -contact <>

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> SOA Records

Configuring NS record

CLI: add dns nsrec <domain name> <NS record>

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> Name Server Records

Configuring DNS_TCP type virtual server

CLI: add lb vserver <vserver name> DNS_TCP <IP> 53

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Virtual Servers

Configuring ADNS_TCP type service

CLI: add service <service name> <IP> ADNS_TCP 53

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Services


Re: DMZ connect to a node not to the SC

Hi smeura,

There are some applications that don’t work well with SmartConnect because of the IP change. I don’t have enough information about your environment to give you advice here, but you could open up a ticket with Isilon for a deeper dive.

There is some information here https://support.emc.com/docu58740 regarding SmartConnect and DMZ but I can’t say whether or not it is applicable to your situation.

SmartConnect usage in isolated network environments

SmartConnect is, effectively, a limited implementation of a custom DNS server: it answers only for the SmartConnect zone names or aliases configured on it. To use SmartConnect in an isolated network environment where no DNS infrastructure is available (such as a DMZ), configure your client systems to use the SmartConnect service IP address as the primary DNS server. Configuring your client systems this way helps to ensure that:

• Requests to connect to Isilon clusters with SmartConnect zone names will succeed.

• The isolated network benefits from SmartConnect features, such as load balancing and rerouting traffic away from unavailable nodes, which work as they would in a normal, non-isolated deployment.


ADC VPX on AWS has a default DNS server that interferes with the added DNS server when resolving hostnames

The topology is shown below. The server on the right was added to the ADC and its effective state shows “up”; the server on the left is the default DNS server, which cannot be seen with show dns nameServer in the CLI or under Traffic Management > DNS > Name Servers in the GUI.

When trying to resolve a hostname in the local domain, the lookup fails and the DNS server used is 172.1.x.x rather than 172.16.7.1:

——————————————————-

dig ad.test.local

……

;; Query time: 1 msec

;; SERVER: 172.1.0.2#53(172.1.x.x)

;; WHEN: Sat Mar 25 03:05:44 2017

;; MSG SIZE rcvd: 48;; Query time: 1 msec

——————————————————-

But if we direct the query at 172.16.7.1, or at 127.0.0.2 (the local default DNS, which points to the added DNS server), it returns a normal result:

——————————————————-

dig ad.test.local @172.16.7.1

……

;; Query time: 1 msec

;; SERVER: 127.0.0.2#53(127.0.0.2)

;; WHEN: Sat Mar 25 03:05:44 2017

;; MSG SIZE rcvd: 48;; Query time: 1 msec

——————————————————-

When we check /etc/resolv.conf, we find two DNS servers listed, with 172.1.x.x before 127.0.0.2.

This is by design for ADC VPX running on AWS.

Note: /etc/resolv.conf is viewed from the shell prompt; you can reach the shell prompt by typing shell at the ADC prompt (>).


XtremIO: Unable to access the X2 WebGUI because incorrect Customer Domain Name System (DNS) addresses are configured on the XMS(Dell EMC Correctable).

Check, and modify if relevant, the DNS server IP address(es) configured on the XMS.

Example of the DNS server IP address(es) configured on the XMS:

xmcli (tech)> show-dns-servers

Primary: 10.64.224.1

Secondary: 10.64.224.2

Example of reconfiguring the XMS DNS server IP address(es):

xmcli (tech)> show-dns-servers

Primary: 10.64.224.1

Secondary: 10.64.224.2

xmcli (tech)> modify-dns-servers secondary=""

xmcli (tech)> show-dns-servers

Primary: 10.64.224.1

Secondary: None

Note: A primary DNS server must be configured before adding or removing a secondary DNS server.

xmcli (admin)> show-dns-servers

Primary: none

Secondary: none

xmcli (tech)> modify-dns-servers secondary="10.64.224.1"

The new secondary DNS server will be: “10.64.224.1”

Are you sure? (Yes/NO):yes

***XMX Completion Code: must_first_specify_primary_dns


DNS Query Responds with Only One IP to Client PC When Connected Through NetScaler Gateway Full VPN

In the current DNS handling, the NetScaler Gateway plugin sends a “GET/DNS” request for a DNS (or WINS) lookup. When NetScaler receives such a request, it creates an actual DNS packet and sends it to the DNS server configured on NetScaler.

When NetScaler receives the response from the DNS server, it sends a single resolved IP to the NetScaler Gateway plugin, which in turn passes it to the requesting application. Therefore, because of this design, every DNS lookup returns only one IP.

NetScaler provides two nsapimgr knobs (listed in the Additional Resources section) for controlling this behavior. If you configure these knobs on NetScaler, the NetScaler Gateway plugin sends DNS query packets transparently to the configured DNS server and the DNS response is received transparently as well.


Kerberos via IWA Direct

I need a solution

Hi together,

we use 2 ProxySG VA in a DMZ environment where explicit DNS servers (only for DMZ servers) are used.
After a domain join the DNS server replied with the SRV Kerberos entries from the LAN environment.
The domain names of the DMZ and the LAN are the same.
Is it possible to join a domain with a special RODC name?

DNS answers give us only the addresses of the DOC system.

Regards

Thorsten



SourceOne Email Management – SourceOne Search component fails to install. Web Services server could not be reached.

Regardless of whether you use a Domino or an Exchange environment, the following can be used to test the issue.

Once the SourceOne Web Services component is installed, it creates a web site/application named “ExDominoShortcut”. This site is used during the install process to validate that Web Services is present. Validate that the following URL can be reached:

http://<SERVERNAME>/ExDominoShortcut/Notes.aspx?getver=1

Here <SERVERNAME> is the Web Services server where Dell EMC SourceOne Search is to be installed. When this URL is opened it should return a page that displays one or more version numbers, for example:

Version=6.7.0

Version=6.6.1

If, after trying the above, you cannot access the site location (http://<SERVERNAME>/ExDominoShortcut/Notes.aspx?getver=1) and instead receive a Network Error like the one shown below:

“Network Error (dns_server_failure)

Your request could not be processed because an error occurred contacting the DNS server.

The DNS server may be temporarily unavailable, or there could be a network problem.”


The Web Server can be pinged by Server Name.

Additional testing reveals that if ‘Server Name’ is replaced by ‘localhost’ or ‘ServerName.domain’, you can access the site location /ExDominoShortcut/Notes.aspx?getver=1.

The issue is related to DNS name resolution: the short server name is not being resolved where the fully qualified name and localhost are.


I can not send email to domain protected messagelabs.com

I need a solution

I send messages to the domains ford.com, nutricia.com, mazdaeur.com, uta.com etc.

Each domain replies “Remote Server at cluster8a.eu.messagelabs.com (85.158.139.103) returned ‘550 4.4.7 QUEUE.Expired; message expired’” or “Remote Server at cluster8a.eu.messagelabs.com (85.158.139.103) returned ‘441 4.4.1 Error encountered while communicating with primary target IP address: “421 4.4.2 Connection dropped due to ConnectionReset.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 85.158.139.103:25’”

When I try to list the MX records for e.g. ford.com, DNS returns:

cluster4a.us.messagelabs.com    internet address = 216.82.251.230
cluster4.us.messagelabs.com     internet address = 67.219.247.49
cluster4.us.messagelabs.com     internet address = 67.219.246.97
cluster4.us.messagelabs.com     internet address = 67.219.251.49
cluster4.us.messagelabs.com     internet address = 67.219.250.193
cluster4.us.messagelabs.com     internet address = 67.219.250.97
cluster4.us.messagelabs.com     internet address = 67.219.246.193

I have 10 mail servers in one subnet, 80.188.242.x. None of the addresses is on the blacklist at http://ipremoval.sms.symantec.com/lookup/

If I try to connect via telnet on port 25 to messagelabs.com from subnet 80.188.242.x, I get the answer “connection abort” or something similar.

SMTPDiag from one of the servers:

Searching for Exchange external DNS settings.
Computer name is MFX.
VSI 1 has the following external DNS servers:
There are no external DNS servers configured.

Checking SOA for ford.com.
Checking external DNS servers.
Checking internal DNS servers.
SOA serial number match: Passed.

Checking local domain records.
Checking MX records using TCP: mf.cz.
Checking MX records using UDP: mf.cz.
Both TCP and UDP queries succeeded. Local DNS test passed.

Checking remote domain records.
Checking MX records using TCP: ford.com.
Checking MX records using UDP: ford.com.
Both TCP and UDP queries succeeded. Remote DNS test passed.

Checking MX servers listed for info@ford.com.
Connecting to cluster4.us.messagelabs.com [67.219.251.49] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.250.97] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.250.193] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.247.49] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.246.97] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4.us.messagelabs.com [67.219.246.193] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4.us.messagelabs.com.
Connecting to cluster4a.us.messagelabs.com [216.82.251.230] on port 25.
Error: Expected “250”. Server rejected the recipient address.
Failed to submit mail to cluster4a.us.messagelabs.com.

