When there’s a roadblock on the interstate, instead of waiting for it to clear, you can try to find an alternate route and bypass the barrier. Similarly, a client domain name system (DNS) resolver also requires a different path if either a DNS server cannot be reached or a DNS record is not returned or is unavailable in cache.
This post provides a few examples of how to validate successful DNS recursion to the parent (authoritative) DNS servers with a built-in tool on a Citrix ADC. DNS is a crucial component required when designing a Global Server Load Balancing (GSLB) solution. You may wonder why the ‘nslookup’ tool run from Windows won’t suffice. The ‘nslookup’ tool is adequate for DNS lookups as it mimics a client DNS resolver, but ‘nslookup’ won’t run on an ADC.
A virtual web server running on a Citrix ADC is capable of providing service functionality between geographically dispersed sites. This is supported with Citrix GSLB and the Citrix Authoritative DNS (ADNS) service. For a refresher on how GSLB works on the Citrix ADC, check out this theory-based reference article.
An easy way to verify DNS recursion on the ADC is through the “dig” tool. Dig is an acronym for domain information groper, and the tool has been used on UNIX-based systems for decades. A majority of public-facing DNS servers run on BIND, and dig is a preferred tool to capture complete responses to DNS queries. We’ll use dig as a DNS resolver to look up DNS records from the parent domain. Without dig, an administrator won’t have insight into which DNS records the ADC is able to retrieve from its authoritative DNS servers, which are used in conjunction with GSLB.
My home lab GSLB environment uses a delegated subdomain from the parent domain ‘dmz.bitsandgiggles.lab’ with two active-active GSLB sites. A parent domain DNS server resides in the same site as the ADC. Below is a diagram that illustrates the DNS topology used for GSLB on the ADC. We’ll use some of the information from the diagram as the basis for the dig syntax examples that follow.
Example Dig Commands
Action: Query all DNS name servers in the parent domain
Command: ‘dig @10.10.2.8 dmz.bitsandgiggles.lab NS’
Syntax: ‘dig @{IP Address of parent domain DNS server} {FQDN of destination address} NS’
Note: Issue all dig commands from ‘shell’. Variables are defined within brackets and apostrophes are not required.
Command Output:
QUESTION SECTION:
dmz.bitsandgiggles.lab. IN NS
ANSWER SECTION:
dmz.bitsandgiggles.lab. 3600 IN NS msdns-02.dmz.bitsandgiggles.lab.
dmz.bitsandgiggles.lab. 3600 IN NS msdns-01.dmz.bitsandgiggles.lab.
ADDITIONAL SECTION:
msdns-02.dmz.bitsandgiggles.lab. 3600 IN A 10.10.3.8
msdns-01.dmz.bitsandgiggles.lab. 3600 IN A 10.10.2.8
Query time: 0 msec
SERVER: 10.10.2.8#53(10.10.2.8)
Output Explanation: The command is executed from ‘ctxns-01’ and directed to the DNS server specified in site one. The ANSWER SECTION lists two DNS servers that have the capability to provide name resolution from either site.
Action: Query the A record for the GSLB domain bound to the GSLB virtual server(s).
Command: ‘dig @10.10.2.8 ctxgw-01.dmz.bitsandgiggles.lab A’
Syntax: ‘dig @{IP Address of parent domain DNS server} {FQDN of GSLB domain} A’
Command Output:
QUESTION SECTION:
ctxgw-01.dmz.bitsandgiggles.lab. IN A
ANSWER SECTION:
ctxgw-01.dmz.bitsandgiggles.lab. 3600 IN CNAME ctxgw-01.nsgslb.dmz.bitsandgiggles.lab.
ctxgw-01.nsgslb.dmz.bitsandgiggles.lab. 4 IN A 10.10.2.206
Query time: 1 msec
SERVER: 10.10.2.8#53(10.10.2.8)
Output Explanation: This query is run from ‘ctxns-01’ and is directed to the DNS name server in site one.
Action: Perform a reverse (PTR) lookup for the virtual IP address assigned to the GSLB service.
Command: ‘dig -x 10.10.3.206’
Syntax: ‘dig -x {IP Address of virtual IP assigned to GSLB service}’
Command Output:
QUESTION SECTION:
206.3.10.10.in-addr.arpa. IN PTR
ANSWER SECTION:
206.3.10.10.in-addr.arpa. 3600 IN PTR ctxgw-01.nsgslb.dmz.bitsandgiggles.lab.
Query time: 0 msec
SERVER: 127.0.0.2#53(127.0.0.2)
Output Explanation: This query is run from ‘ctxns-02’ and retrieves the PTR record hosted on the ADC in site two. The PTR address records assigned to the GSLB domain URL are added to the ADC in each site. Note: Recursive DNS lookups are disabled as a DNS setting on the ADC.
Sometimes good intentions miss the mark when you’re attempting to plan for disaster recovery on Citrix ADC with GSLB. Multisite GSLB with disaster recovery capabilities should account for the Citrix ADNS service operating from each GSLB site. The virtual IP addresses associated with the ADNS service need to be listed as NS, A, and PTR DNS records from the authoritative parent domain.
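The three lookups above are easy to eyeball once, but the point of the last paragraph is a consistency requirement that is worth checking every time the parent zone or a GSLB site changes: each name server returned for the parent domain should come with an A glue record, and the forward CNAME target for the GSLB domain should match the PTR record for its VIP. The POSIX shell script below is an added example, not code from the original post or from Citrix; it post-processes dig output with awk so it can be run from the ADC ‘shell’ alongside the commands above. The SAMPLE_* strings are constructed from the post’s own example output so the checks run offline; on a live ADC you would capture real output instead (for example, ns_out=$(dig @10.10.2.8 dmz.bitsandgiggles.lab NS)). The SAMPLE_NS_NO_GLUE case, in which the site-two name server lacks glue, is a constructed failure case.

```shell
#!/bin/sh
# Added example (not from the original post): post-process dig output captured
# from the ADC 'shell' to check (1) that every NS record returned for the parent
# domain carries an A glue record and (2) that the forward CNAME target for the
# GSLB domain agrees with the PTR record for its VIP.
# The SAMPLE_* strings are constructed from the post's example output so the
# checks run offline; on a live ADC capture real output instead, e.g.
#   ns_out=$(dig @10.10.2.8 dmz.bitsandgiggles.lab NS)

# Constructed sample: NS query to the parent domain (post's first example).
SAMPLE_NS_OUTPUT='
;; QUESTION SECTION:
;dmz.bitsandgiggles.lab.  IN  NS

;; ANSWER SECTION:
dmz.bitsandgiggles.lab. 3600 IN NS msdns-02.dmz.bitsandgiggles.lab.
dmz.bitsandgiggles.lab. 3600 IN NS msdns-01.dmz.bitsandgiggles.lab.

;; ADDITIONAL SECTION:
msdns-02.dmz.bitsandgiggles.lab. 3600 IN A 10.10.3.8
msdns-01.dmz.bitsandgiggles.lab. 3600 IN A 10.10.2.8
'

# Constructed failure case: the site-two name server has no glue record.
SAMPLE_NS_NO_GLUE='
;; ANSWER SECTION:
dmz.bitsandgiggles.lab. 3600 IN NS msdns-02.dmz.bitsandgiggles.lab.
dmz.bitsandgiggles.lab. 3600 IN NS msdns-01.dmz.bitsandgiggles.lab.

;; ADDITIONAL SECTION:
msdns-01.dmz.bitsandgiggles.lab. 3600 IN A 10.10.2.8
'

# Constructed sample: A query for the GSLB domain (post's second example).
SAMPLE_A_OUTPUT='
;; ANSWER SECTION:
ctxgw-01.dmz.bitsandgiggles.lab. 3600 IN CNAME ctxgw-01.nsgslb.dmz.bitsandgiggles.lab.
ctxgw-01.nsgslb.dmz.bitsandgiggles.lab. 4 IN A 10.10.2.206
'

# Constructed sample: reverse (dig -x) query for the site-two VIP (post's third example).
SAMPLE_PTR_OUTPUT='
;; ANSWER SECTION:
206.3.10.10.in-addr.arpa. 3600 IN PTR ctxgw-01.nsgslb.dmz.bitsandgiggles.lab.
'

# Print the target name of each NS record that has no matching A record in the
# same response (one per line); prints nothing when all NS records have glue.
missing_glue() {
    printf '%s\n' "$1" | awk '
        /^;/ || NF < 5 { next }           # skip dig comment lines and blanks
        $4 == "NS" { ns[$5] = 1 }         # NS target name
        $4 == "A"  { a[$1] = 1 }          # A record owner name
        END { for (n in ns) if (!(n in a)) print n }'
}

# Succeed (return 0) only when every NS record in the response has glue.
ns_glue_ok() {
    [ -z "$(missing_glue "$1")" ]
}

# Print the CNAME target from a forward lookup (first CNAME in the answer).
cname_target() {
    printf '%s\n' "$1" | awk '!/^;/ && $4 == "CNAME" { print $5; exit }'
}

# Print the PTR target from a reverse lookup (first PTR in the answer).
ptr_target() {
    printf '%s\n' "$1" | awk '!/^;/ && $4 == "PTR" { print $5; exit }'
}

# Succeed only when the forward CNAME target and the PTR target are the same
# name, i.e. the GSLB VIP's reverse record points back at the ADNS-hosted name.
forward_reverse_agree() {
    fwd=$(cname_target "$1")
    rev=$(ptr_target "$2")
    [ -n "$fwd" ] && [ "$fwd" = "$rev" ]
}

# Run both checks against the embedded samples and report; return 1 on any failure.
run_checks() {
    status=0
    if ns_glue_ok "$SAMPLE_NS_OUTPUT"; then
        echo "OK: every parent-domain NS record has A glue"
    else
        echo "FAIL: NS records without glue:"; missing_glue "$SAMPLE_NS_OUTPUT"; status=1
    fi
    if forward_reverse_agree "$SAMPLE_A_OUTPUT" "$SAMPLE_PTR_OUTPUT"; then
        echo "OK: forward CNAME target matches PTR target"
    else
        echo "FAIL: forward and reverse records disagree"; status=1
    fi
    return "$status"
}

run_checks
```

The glue check matters for the disaster recovery case: if the NS record for the surviving site is present but its A record is missing, resolvers that reach the parent zone still cannot find that site’s name server. Running the PTR comparison against the VIP in each site (10.10.2.206 and 10.10.3.206 in the lab above) confirms the reverse records were added on the ADC in both sites, as the post requires.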
Depending on your GSLB configuration, the dig command directed to the GSLB domain bound to your GSLB virtual server(s) will reveal which virtual IP responds to client DNS lookup requests. A dig syntax reference site is listed here.
Are you designing for active-active or active-passive GSLB? Curious how the Empty Down Response (EDR) or the Multiple IP Response (MIR) settings will impact your GSLB virtual servers in a mock failover situation? Disable the ADNS service in a GSLB site and then run a dig lookup to the parent domain name servers.
Check whether your DNS queries to the GSLB domain still receive a reply from the alternate GSLB site; the complete responses the dig tool returns will provide added clarity as you work through a GSLB design or troubleshoot unexpected GSLB behavior.
Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.