DNS Resolution on Service Engine

Overview

Avi Vantage performs DNS resolution on the Controller by default. When the Controller has no reachability to the DNS resolver but configuration objects still need FQDN resolution, DNS resolution on SE lets the Service Engine resolve the FQDNs instead.

Notes:

  • This feature is introduced in Avi Vantage version 20.1.5. It supports FQDN resolution via Service Engine for pool member objects only.

  • It is currently supported on VMware and No access clouds.

To enable DNS resolution on Service Engine, set dns_resolution_on_se in the cloud configuration.

The Service Engine needs a DNS resolver configuration to resolve FQDNs. For this, a DNSResolver object must be configured in the cloud configuration. Only one DNSResolver object is supported per cloud.

By default, the records are refreshed based on the TTL of the DNS response.

Configuring DNS Resolution on SE

The following is the CLI command for enabling the DNS resolution on SE:

[admin:Avi-Controller]: > configure cloud Default-Cloud
[admin:Avi-Controller]: cloud > dns_resolution_on_se
[admin:Avi-Controller]: cloud > save

The following is the CLI command for configuring the DNS resolver in cloud:
[admin:Avi-Controller]: > configure cloud Default-Cloud
[admin:Avi-Controller]: cloud> dns_resolvers
[admin:Avi-Controller]: cloud:dns_resolvers> resolver_name  resolver1
[admin:Avi-Controller]: cloud:dns_resolvers> nameserver_ips 100.64.88.201
[admin:Avi-Controller]: cloud:dns_resolvers> nameserver_ips 100.64.89.202
[admin:Avi-Controller]: cloud:dns_resolvers> save
[admin:Avi-Controller]: cloud> save

The following are the configurable attributes in the DNS Resolver:

  • resolver_name — Name of the resolver

  • nameserver_ips — The IPv4 addresses of DNS servers to be used for resolution

  • fixed_ttl — If configured, this value is used as the refresh interval for the DNS entries. It overrides both received_ttl and min_ttl: the entries are refreshed only at fixed_ttl, even when received_ttl is less than fixed_ttl.

  • min_ttl — If configured, this TTL overrides the TTL from responses whenever the received TTL is less than min_ttl. Effectively, the TTL used is max(received_ttl, min_ttl).

  • use_mgmt — If this is enabled, DNS resolution is performed via management network.

The output is as follows:
[admin:demo-cntrlr]: > show serviceengine demo-se2 resolverdb
+----------------------+-------------------------------------------+
| Field                | Value                                     |
+----------------------+-------------------------------------------+
| se_ref               | demo-se2                                  |
| dns_resolution_on_se | True                                      |
| fqdns[1]             |                                           |
|   fqdn               | ntest17.foo.avi.com                       |
|   obj_uuids[1]       | pool-da9e76ad-9bf3-4a8b-9dce-13bf7d36b96d |
|   ips[1]             | 1.1.1.17                                  |
|   ttl                | 300                                       |
|   last_resolved_time | Mon Apr 12 06:54:12 2021                  |
|                      |                                           |
|   last_updated_time  | Mon Apr 12 05:03:35 2021                  |
|                      |                                           |
| fqdns[2]             |                                           |
|   fqdn               | ntest15.foo.avi.com                       |
|   obj_uuids[1]       | pool-f4e9743c-0585-4d67-897e-38328702813c |
|   ttl                | 0                                         |
|   last_resolved_time | Mon Apr 12 06:53:53 2021                  |
|                      |                                           |
|   last_updated_time  | Thu Jan  1 00:00:00 1970                  |
|                      |                                           |
|   err_response       | ERROR                                     |
| resolvers[1]         |                                           |
|   resolver_name      | resolver6                                 |
|   nameserver_ips[1]  | 100.64.88.201                             |
|   nameserver_ips[2]  | 100.64.92.40                              |
|   total_fqdns        | 2                                         |
| resolvers[2]         |                                           |
|   resolver_name      | Default-ResolvConf                        |
|   total_fqdns        | 0                                         |
+----------------------+-------------------------------------------+

  • If resolution needs to be done via Service Engine but the DNS resolvers are learned via DHCP, you can enable only dns_resolution_on_se and need not configure a dns_resolver in the cloud.

  • If a dns_resolver object is configured, it is always used for FQDN resolution.
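The following is an added example, not part of the Avi Vantage documentation or product code. It turns the resolver attributes above (fixed_ttl, min_ttl, received TTL) into the effective refresh interval, and parses the resolverdb output shown above to flag pool-member FQDNs the Service Engine could not resolve (an err_response row, or a last_updated_time still at the epoch). The sample table is constructed to match the layout of the page's output; the field names are taken from that output.

```python
import re
from datetime import datetime

# Constructed sample shaped like the page's `show serviceengine <se> resolverdb` output.
SAMPLE_RESOLVERDB = """\
| fqdns[1]             |                                           |
|   fqdn               | ntest17.foo.avi.com                       |
|   ips[1]             | 1.1.1.17                                  |
|   last_updated_time  | Mon Apr 12 05:03:35 2021                  |
| fqdns[2]             |                                           |
|   fqdn               | ntest15.foo.avi.com                       |
|   last_updated_time  | Thu Jan  1 00:00:00 1970                  |
|   err_response       | ERROR                                     |
| resolvers[1]         |                                           |
"""
ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$", re.M)

def effective_ttl(received_ttl, fixed_ttl=None, min_ttl=None):
    """Refresh interval: fixed_ttl wins outright, else the response TTL floored at min_ttl."""
    if fixed_ttl is not None:
        return fixed_ttl
    if min_ttl is not None:
        return max(received_ttl, min_ttl)
    return received_ttl

def parse_resolverdb(text):
    """One dict per fqdns[N] block; ips[N] rows are gathered into a list."""
    entries, cur = [], None
    for key, value in ROW.findall(text):
        if key.startswith("fqdns["):
            cur = {"ips": []}
            entries.append(cur)
        elif key.startswith("resolvers["):
            cur = None  # resolver rows follow the fqdn entries and are not part of them
        elif cur is not None and key.startswith("ips["):
            cur["ips"].append(value)
        elif cur is not None:
            cur[key] = value
    return entries

def audit(entries):
    """Map fqdn -> problem for pool-member names the SE could not resolve."""
    problems = {}
    for e in entries:
        updated = datetime.strptime(e["last_updated_time"], "%a %b %d %H:%M:%S %Y")
        if "err_response" in e:
            problems[e["fqdn"]] = "error response: " + e["err_response"]
        elif updated == datetime(1970, 1, 1) or not e["ips"]:  # epoch zero = never updated
            problems[e["fqdn"]] = "never resolved"
    return problems
```

Feed the real output of `show serviceengine <se> resolverdb` to parse_resolverdb and a non-empty audit() result is a pool whose members will stay unreachable until the name resolves.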

Limitations

The following are the limitations of DNS resolution on Service Engine:

  • Only IPv4 transport is supported for FQDN resolution.

  • DNS resolution is done over UDP only.

  • Only A records are queried.

  • Only pool members FQDN resolution is supported.

Configuring DNS Nameservers on Service Engine for Client Log Streaming and for External Health Monitor

If a DNS resolver is configured in the cloud as described in the Configuring DNS Resolution on SE section above, the configured nameservers are written to /etc/systemd/resolved.conf for the management network and to /etc/netns/{namespace-name}/resolv.conf for every VRF on the SE virtual machine.

Domain names configured in external_server under the Analytics Profile's client_log_streaming_config (used to stream Avi Vantage client logs), and domain names present in the script code of an External Health Monitor, are resolved via these configured nameservers.

Document Revision History

Date               Change Summary
April 15, 2021     Published DNS Resolution on Service Engine Guide
December 20, 2021  Edited 'Configuring DNS Nameservers on Service Engine for Client Log Streaming and for External Health Monitor' section for 21.1.3