Can we configure more than one Primary DNS server from Proxy SG

I need a solution

Hi All,

Can we configure more than one Primary DNS server and Alternate DNS server on a ProxySG S400-30?

Ex:

Primary DNS : 10.10.10.10,10.10.10.11,10.10.10.12

Alternate/Secondary DNS : 10.10.10.13,10.10.10.15,10.10.10.17

Regards,

Ramu.

Related:

Citrix Response on DNS Flag Day

February 1st 2019 is DNS Flag Day from when multiple public DNS providers and DNS software vendors will not support bad or vulnerable DNS implementations. On or around this date, major open source resolver vendors will release updates that implement stricter EDNS handling. These resolvers will not connect to non-compliant DNS servers.

Is Citrix ADC impacted?

Domains hosted on all Citrix ADC MPX/SDX/VPX appliances in ADNS mode or proxy mode will continue to be accessible after DNS Flag Day without any performance impact.

Citrix ADC can be deployed in multiple modes for DNS traffic and the following table captures the impact in each mode.

Deployment modes tested:

  • DNS proxy mode with caching enabled
  • DNS proxy mode with caching disabled
  • GSLB mode (zone same as GSLB domain)
  • ADNS mode with authoritative zone
  • Load Balancing virtual server with authoritative zone
  • Resolver mode with authoritative zone
  • Content Switching with authoritative zone
  • DNS proxy mode with caching enabled, with EDNS Client Subnet enabled on the backend server
  • DNS proxy mode with caching disabled, with EDNS Client Subnet enabled on the backend server
  • GSLB with DNSSEC
  • GSLB with EDNS Client Subnet enabled
  • DNSSEC-enabled ADNS

Test result (the same for every mode listed): No impact on domain availability and performance. A minor impact is identified overall, due to our approach to EDNS options handling.

If you test your application domain on the https://dnsflagday.net/ portal, you may get the result “Minor problems detected!” (see Appendix A). This is because of our approach to EDNS options handling. There will be no impact on domain availability or performance after DNS Flag Day.

Citrix ADC supports EDNS0 on all supported versions – 10.5, 11.0, 11.1, 12.0 and 12.1 – and you will get the same result, i.e. “Minor problems detected!”, on all versions if configured correctly.

A future build will comply completely with all required EDNS standards.

If you get a result other than “All Ok!” or “Minor problems detected!”, see the next section on the Citrix recommendation.

What is Citrix Recommendation?

  • Configure SOA and NS records for the zones you are authoritative for.
  • If Citrix ADC is deployed in proxy mode, configure DNS_TCP type virtual server also. Ensure that this virtual server is up and running.
  • If Citrix ADC is deployed in ADNS mode, configure ADNS_TCP type service also. Ensure that this service is up and running.

See Appendix B to find how to configure these entities on Citrix ADC.

If these steps do not give you a “Minor problems detected!” result, kindly contact Citrix Support.

Example Failure Cases

Some examples of failure cases are given below:

Example 1: Test result: “Fatal error detected!”

Cause: This happens when the test tool's TCP queries time out.

Solution: Ensure that the DNS_TCP type virtual server (for a DNS proxy deployment) or the ADNS_TCP service (for an ADNS deployment) is up and running on Citrix ADC.

Example 2: Test result: “Serious problem detected!”

Cause: This is seen when there is a network connectivity issue with the DNS server; the result can intermittently change to “Minor problems detected!”.

Solution: Ensure there is no network connectivity issue with the server and that the recommended steps above are followed.
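The checks above all come down to one thing: does the server answer a query that carries an EDNS0 OPT record, and does the answer itself carry a valid OPT record back? The following is an added example, not code from the Citrix article or the dnsflagday.net checker. It builds a query with an OPT pseudo-RR (RFC 6891) in wire format, then inspects a response for the facts a Flag Day style test looks at: transaction id match, OPT record present, EDNS version 0, and the query not rejected with FORMERR or NOTIMP. No network is used; `make_response()` constructs the two sample replies (the addresses 192.0.2.10 and the name www.example.com are constructed).

```python
"""Added example, not code from the Citrix article: build a DNS query that
carries an EDNS0 OPT record (RFC 6891) and inspect a response the way a
DNS Flag Day style checker does. No network is used; the responses are
constructed below with make_response()."""
import struct

OPT_TYPE = 41           # EDNS0 OPT pseudo-RR type
FORMERR, NOTIMP = 1, 4  # RCODEs that mean "EDNS not understood"

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def build_edns_query(qname: str, qtype: int = 1, txid: int = 0x1234, udp_size: int = 1232) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, one question, one additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE|version|flags, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def make_response(query: bytes, addrs, include_opt: bool = True, rcode: int = 0) -> bytes:
    """Constructed stand-in for a server reply to `query` (A records for `addrs`)."""
    qend = skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(addrs), 0, int(include_opt))
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addrs)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0) if include_opt else b""
    return header + query[12:qend] + answers + opt

def check_edns_response(query: bytes, resp: bytes) -> dict:
    """Facts a compliance checker looks at: matching id, OPT present, EDNS version 0,
    and the query not rejected with FORMERR/NOTIMP (NXDOMAIN etc. are fine)."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    result = {"id_matches": rid == struct.unpack("!H", query[:2])[0],
              "is_response": bool(flags & 0x8000), "rcode": flags & 0x0F,
              "has_opt": False, "edns_version": None, "extended_rcode": 0}
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4            # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:                     # the OPT "TTL" field carries version and ext-RCODE
            result["has_opt"] = True
            result["edns_version"] = (ttl >> 16) & 0xFF
            result["extended_rcode"] = (ttl >> 24) & 0xFF
    result["compliant"] = (result["is_response"] and result["id_matches"] and result["has_opt"]
                           and result["edns_version"] == 0 and result["rcode"] not in (FORMERR, NOTIMP))
    return result

# Constructed inputs: one compliant reply, one legacy reply that rejects EDNS without an OPT record.
QUERY = build_edns_query("www.example.com")
GOOD = make_response(QUERY, ["192.0.2.10"])
LEGACY = make_response(QUERY, [], include_opt=False, rcode=FORMERR)

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("legacy", LEGACY)):
        print(label, check_edns_response(QUERY, resp))
```

A timeout (the “Fatal error detected!” case above) shows up as no bytes at all, which is why the TCP listeners matter: the same query sent over TCP must get the same kind of answer, and a checker that never receives one cannot tell a firewall drop from a broken server.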

Appendix A

Testing domain on https://dnsflagday.net/ can give the following results:

[Image: example dnsflagday.net test results]

Appendix B

Configuring SOA record

CLI: add dns soarec <domain name> -originserver <> -contact <>

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> SOA Records

Configuring NS record

CLI: add dns nsrec <domain name> <NS record>

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> Name Server Records

Configuring DNS_TCP type virtual server

CLI: add lb vserver <vserver name> DNS_TCP <IP> 53

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Virtual Servers

Configuring ADNS_TCP type service

CLI: add service <service name> <IP> ADNS_TCP 53

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Services

Related:

XtremIO: Unable to access the X2 WebGUI because incorrect Customer Domain Name System (DNS) addresses are configured on the XMS(Dell EMC Correctable).

Check, and modify if relevant, the DNS server IP address(es) configured on the XMS.

Example of XMS DNS server(s) configured IP_Addr:

xmcli (tech)> show-dns-servers

Primary: 10.64.224.1

Secondary: 10.64.224.2

Example of reconfiguring the XMS DNS server(s) IP_Addr

xmcli (tech)> show-dns-servers

Primary: 10.64.224.1

Secondary: 10.64.224.2

xmcli (tech)> modify-dns-servers secondary=""

xmcli (tech)> show-dns-servers

Primary: 10.64.224.1

Secondary: None

Note: You need to have a primary DNS server configured before adding or removing a secondary DNS server.

xmcli (admin)> show-dns-servers

Primary: none

Secondary: none

xmcli (tech)> modify-dns-servers secondary="10.64.224.1"

The new secondary DNS server will be: “10.64.224.1”

Are you sure? (Yes/NO):yes

***XMX Completion Code: must_first_specify_primary_dns

Related:

VNX: NFS issue due to DNS resolution

Article Number: 483305 Article Version: 3 Article Type: Break Fix



VNX1 Series,VNX2 Series

Loss of access to NFS export when a host is added or removed to the host access list for that export.

All hosts were running either Red Hat or CentOS.

When there is a huge list of hosts in the access list for an export, and those hosts are entered using Fully Qualified Domain Name (FQDN) instead of the IP address, it is possible that some DNS resolution timeouts appear, causing loss of access to the export to all the hosts in the list.

This loss of access has been reported to last between 5 and 10 minutes for an export list of 167 hosts, of which 3 had no DNS resolution.

The issue started when the customer removed retired hosts from the DNS configuration.

It is recommended to try this solution on a test file system before applying it to a production file system.

Check DNS resolution for each host in the export list. This can be done with the “server_ping” command or, more practically, with “ping” from the Control Station, provided the Data Movers and the Control Station have the same DNS server configured.

Remove the hosts that failed DNS resolution from the export access list. Then add or remove a host from the list and check whether access is lost.

Related:

Dell EMC Unity: DNS settings lost during NDU

Article Number: 488027 Article Version: 7 Article Type: Break Fix



Unity 300,Unity 300F,Unity 400,Unity 400F,Unity 500,Unity 500F,Unity 600,Unity 600F,Unity All Flash,Unity Family,Unity Hybrid,UnityVSA,UnityVSA (Virtual Storage Appliance),UnityVSA Professional Edition,UnityVSA VVols Edition,Unity Hybrid flash

After the code upgrade, the statically configured DNS settings for the management network were removed: the contents of /etc/resolv.conf are erased. The user will not receive the email about successful completion of the upgrade. All services that require DNS name resolution (NTP, SMTP, and so on) will not work properly until the DNS settings are re-entered by hand. In addition, the user will not be able to connect to the Unisphere GUI or UEM CLI using the system domain name.

Please note that the NAS server DNS settings are not affected by this issue.

This currently affects upgrades involving the following code revision:

  • 4.0.1.8194551 SP1

A code upgrade to 4.0.1.8194551 erases the DNS settings if they were entered manually (Settings -> Management -> DNS Servers: Manage Domain Name Servers -> Configure DNS server address manually). After the upgrade the contents of /etc/resolv.conf are not restored. This stops DNS name resolution and deletes the domain name information from the system. In turn, it may affect networking services, including NTP and SMTP, and remove the system domain name from the management connection SSL certificate.


Due to a settings-persistence issue that may occur after upgrading to Unity OE (Operating Environment) 4.0.1.8194551, EMC decided to remove this Unity and UnityVSA release from support.emc.com.

A revised OE release is available: 4.0.1.8404134 (Unity SP1.2).

Customers who were planning to upgrade to 4.0.1.8194551 are advised to wait and upgrade to the revised release instead.

For customers already running 4.0.1.8194551: please verify that your DNS server preferences are set correctly under Unisphere > Settings > Management > DNS Server, and update them as required.

Please contact EMC support if you have any questions – go to EMC Online Support at: https://Support.EMC.com. After logging in, locate ‘Create a service request’.

4.0.1.8404134 SP1.2 has been released and resolves the issue.

    The current workaround is to recreate the DNS settings in the management setup.

    GUI:

    1. Navigate to the Settings menu in the upper right.
    2. Click the Management section, then DNS Server.
    3. For manually configured DNS, click Add and re-add the original DNS servers.
    4. Click the “Apply” button at the bottom of the dialog.
    5. Navigate to System -> Service -> Service Tasks.
    6. Select “Restart Management Software”, then press “Execute”.
    7. Refresh the browser window. You may need to wait a few minutes for the management software to start.
    8. If asked, confirm the security exception for this connection.

    [Image: dns_missing]

    UEMCLI:

    1. Connect to the system by IP address.
    2. For each DNS address, enter the following command:

    uemcli /net/dns/config set -nameServer <value>

    3. Restart the management software with the command shown below. Note that it must be run from the service administrator account:

    uemcli -u service -p <service password> /service/system restart

    4. If the security certificate has changed, accept the new certificate as usual.

    After the last step you should be able to connect to the system by name again.

    Upgrade:

    The latest SP1 release, 4.0.1.8404134, contains the fix for this issue.
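Because the symptom is a silently emptied /etc/resolv.conf, the practical post-upgrade check is to record the name servers before the NDU and compare afterwards, rather than waiting for NTP or SMTP to fail. The following is an added example, not Dell EMC code: it parses resolv.conf text, reports which expected servers are missing, and prints the UEMCLI command from the procedure above for each one. The file contents and the addresses 10.10.10.10/10.10.10.11 are constructed.

```python
"""Added example, not Dell EMC code: check whether the management network's
static DNS settings survived an upgrade by parsing /etc/resolv.conf and
comparing it with the name servers recorded before the upgrade."""
import ipaddress
from pathlib import Path

def parse_resolv_conf(text: str) -> dict:
    """Return the nameserver list (in file order) and search domains."""
    conf = {"nameserver": [], "search": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "nameserver":
            try:
                conf["nameserver"].append(str(ipaddress.ip_address(value.strip())))
            except ValueError:
                continue            # malformed entry: skip rather than abort the check
        elif key in ("search", "domain"):
            conf["search"].extend(value.split())
    return conf

def dns_settings_intact(current_text: str, expected: list) -> tuple:
    """(True, []) if every expected server is still present, else (False, missing)."""
    present = set(parse_resolv_conf(current_text)["nameserver"])
    missing = [s for s in expected if s not in present]
    return (not missing, missing)

def restore_commands(missing: list) -> list:
    """The UEMCLI command from the procedure above, one per missing server."""
    return ["uemcli /net/dns/config set -nameServer %s" % s for s in missing]

def check_file(expected: list, path: str = "/etc/resolv.conf") -> tuple:
    """Run the check against a real file (use after the upgrade completes)."""
    return dns_settings_intact(Path(path).read_text(), expected)

# Constructed samples: the file as recorded before the upgrade, and the
# empty file the affected release leaves behind.
BEFORE_UPGRADE = "search corp.example\nnameserver 10.10.10.10\nnameserver 10.10.10.11\n"
AFTER_UPGRADE = ""
EXPECTED = parse_resolv_conf(BEFORE_UPGRADE)["nameserver"]

if __name__ == "__main__":
    ok, missing = dns_settings_intact(AFTER_UPGRADE, EXPECTED)
    print("intact" if ok else "missing: " + ", ".join(missing))
    for cmd in restore_commands(missing):
        print(cmd)
```

Keeping the pre-upgrade copy outside the appliance (in the change ticket, for instance) is what makes the comparison possible; the upgrade removes the only on-box record.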

Related:

Netscaler GSLB is answering queries for Vserver that are Down.


When the GSLB vserver is down, with all of its GSLB services in the DOWN state, the DNS query response can contain the IP addresses of the down GSLB services. This is by design and is the expected behavior.

However, you can configure the GSLB virtual server to send an empty down response (enable EDR on GSLB Vserver). When this option is set, a DNS response from a GSLB virtual server that is in a DOWN state does not contain IP address records, and this prevents clients from attempting to connect to GSLB sites that are down.


https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/netscaler-gslb-gen-wrapper-10-con/ns-gslb-protct-setup-against-fail-con.html

Configuring a GSLB Virtual Server to Respond with an Empty Address Record When DOWN

A DNS response can contain either the IP address of the requested domain or an answer stating that the IP address for the domain is not known by the DNS server, in which case the query is forwarded to another name server. These are the only possible responses to a DNS query.

When a GSLB virtual server is disabled or in a DOWN state, the response to a DNS query for the GSLB domain bound to that virtual server contains the IP addresses of all the services bound to the virtual server. However, you can configure the GSLB virtual server to send an empty down response (EDR) in this case. When this option is set, a DNS response from a GSLB virtual server that is in a DOWN state does not contain IP address records, but the response code is successful. This prevents clients from attempting to connect to GSLB sites that are down.

Note: You must configure this setting for each virtual server to which you want it to apply.

To configure a GSLB virtual server for empty down responses by using the command line interface

At the command prompt, type:

set gslb vserver <name> -EDR ( ENABLED | DISABLED )

Example

> set gslb vserver vserver-GSLB-1 -EDR ENABLED
Done

To set a GSLB virtual server for empty down responses by using the configuration utility

  1. Navigate to Traffic Management > GSLB > Virtual Servers.
  2. In the GSLB Virtual Servers pane, select the GSLB virtual server for which you want to configure empty down responses (for example, vserver-GSLB-1).
  3. Click Open.
  4. On the Advanced tab, under When this VServer is “Down,” select the Do not send any service’s IP address in response (EDR) check box.
  5. Click OK.

Related:

How to Configure a DNS View for Global Server Load Balancing on a NetScaler Appliance

This article contains information about configuring a DNS view for Global Server Load Balancing on a NetScaler appliance.

Background

Based on parameters that identify the client request, you can use DNS views to control the IP address returned in a DNS response. For example, you can use DNS views to answer client requests based on the source of the request: if the request is from a client within the LAN, return one IP address; if it is from a client on another network, return a different IP address.

You can configure DNS views to support only Global Server Load Balancing records. DNS views also support DNS proxy and ADNS deployments.

You must configure DNS policies on the NetScaler appliance to determine whether a DNS view applies. Consider the following points when configuring a DNS policy:

  • DNS policies are verified every time a client connection is made.

  • DNS policy should verify the condition applied to the connection. For example, if the client IP is in range 10.10.0.0/24, then apply a DNS view.

  • DNS policy must be bound globally.

  • You can apply priorities to the DNS policies. This influences the order of policy processing.

  • If a policy applies a view, then the statement returns the configured value.
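To make the two NetScaler behaviours above concrete, here is an added example, not NetScaler code: a small model of how a GSLB DNS answer is chosen. DNS-view policies are evaluated in priority order against the client's source address (the points listed above), and the EDR setting then decides what a DOWN GSLB virtual server returns (the empty down response section). The service names, addresses, the 10.10.0.0/24 policy and the "internal" view are constructed; answering only with UP services when the virtual server is UP is an assumption for the model, not something the page states.

```python
"""Added example, not NetScaler code: a model of how a GSLB DNS answer is
chosen. DNS-view policies are evaluated in priority order against the
client's source address (DNS views passage), then the EDR setting decides
what a DOWN GSLB virtual server returns (empty down response passage).
Service names, addresses and the policy are constructed; returning only UP
services when the virtual server is UP is an assumption, not from the page."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class GslbService:
    name: str
    ip: str                 # address returned in the default view
    state: str              # "UP" or "DOWN"
    view_ips: dict = field(default_factory=dict)   # view name -> address for that view

@dataclass
class DnsPolicy:
    priority: int           # lower value is evaluated first
    source_cidr: str        # client source range the policy tests
    view: str               # view applied when the policy matches

    def matches(self, client_ip: str) -> bool:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.source_cidr)

def select_view(policies, client_ip: str):
    """Globally bound policies are checked per request; first match by priority wins."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(client_ip):
            return policy.view
    return None                          # no policy matched: default view

def gslb_answer(services, client_ip: str, policies=(), edr_enabled: bool = False) -> tuple:
    """Return (rcode, [addresses]) for a query to the GSLB domain."""
    view = select_view(policies, client_ip)
    up = [s for s in services if s.state == "UP"]
    if up:
        chosen = up                      # vserver UP: answer with UP services (assumption)
    elif edr_enabled:
        return ("NOERROR", [])           # vserver DOWN + EDR: no address records, successful rcode
    else:
        chosen = list(services)          # vserver DOWN, EDR off: addresses of the DOWN services
    return ("NOERROR", [s.view_ips.get(view, s.ip) for s in chosen])

# Constructed data: two sites, both DOWN, with internal addresses for LAN clients.
SERVICES = [GslbService("site-a", "203.0.113.10", "DOWN", {"internal": "10.10.0.10"}),
            GslbService("site-b", "203.0.113.20", "DOWN", {"internal": "10.10.0.20"})]
POLICIES = [DnsPolicy(priority=10, source_cidr="10.10.0.0/24", view="internal")]

if __name__ == "__main__":
    print("LAN client, EDR off:", gslb_answer(SERVICES, "10.10.0.55", POLICIES))
    print("LAN client, EDR on: ", gslb_answer(SERVICES, "10.10.0.55", POLICIES, edr_enabled=True))
    print("external client:    ", gslb_answer(SERVICES, "198.51.100.7", POLICIES))
```

The point worth noticing in the EDR case is that the empty answer still carries a successful response code, so a client or monitoring probe that treats only NXDOMAIN or SERVFAIL as "site down" will not notice; it has to check for an empty answer section as well.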

Related:

How to configure Microsoft DNS Server Analytical log to roll over

We’ve got Microsoft DNS Server Analytical logging configured on our internal DNS servers, but this particular log fills up and stops logging over time. It doesn’t have the typical Windows event log options to roll over when full. I need to advise our DNS admins on how to work around this issue. Has anyone worked through this issue and created an operational model that works?

Related:

Event ID 2 — DNS Server Service Status

Updated: November 13, 2007

Applies To: Windows Server 2008

The DNS Server service responds to requests from DNS client computers for name resolution services. Domain Name System (DNS) is a protocol that enables a computer to obtain the numeric IP address of another computer by submitting the target computer’s name to a DNS server. Problems with the DNS Server service can cause network performance to degrade or even prevent network computers from being able to locate each other.

Event Details

Product: Windows Operating System
ID: 2
Source: Microsoft-Windows-DNS-Server-Service
Version: 6.0
Symbolic Name: DNS_EVENT_STARTUP_OK
Message: The DNS server has started.

Resolve

This is a normal condition. No further action is required.

Related Management Information

DNS Server Service Status

DNS Infrastructure