DNS Resolution on Service Engine

Overview

Avi Vantage resolves DNS on the Controller by default. When the Controller cannot reach the DNS resolver but configuration objects still need FQDN resolution, DNS resolution on SE lets the Service Engine resolve those FQDNs instead.

Notes:

  • Starting with NSX Advanced Load Balancer version 22.1.3, DNS resolution on Service Engines can use IPv6 DNS resolver IP addresses.

  • This feature was introduced in NSX Advanced Load Balancer version 20.1.5. It supports FQDN resolution via Service Engine for pool member objects only.

  • It is currently supported on VMware and No access clouds.

To enable DNS resolution on Service Engine, dns_resolution_on_se must be set in the cloud configuration.

The Service Engine needs a DNS resolver configuration to resolve FQDNs itself. For this, a DNSResolver object must be configured in the cloud configuration. Only one DNSResolver object is supported per cloud.

By default, the refresh of the records is based on TTL.

Configuring DNS Resolution on SE

The following is the CLI command for enabling the DNS resolution on SE:


[admin:Avi-Controller]: > configure cloud Default-Cloud
[admin:Avi-Controller]: cloud > dns_resolution_on_se
[admin:Avi-Controller]: cloud > save

The following is the CLI command for configuring the DNS resolver in cloud:


[admin:Avi-Controller]: > configure cloud Default-Cloud
[admin:Avi-Controller]: cloud> dns_resolvers
[admin:Avi-Controller]: cloud:dns_resolvers> resolver_name  resolver1
[admin:Avi-Controller]: cloud:dns_resolvers> nameserver_ips 100.64.88.201
[admin:Avi-Controller]: cloud:dns_resolvers> nameserver_ips 100.64.89.202
[admin:Avi-Controller]: cloud:dns_resolvers> save
[admin:Avi-Controller]: cloud> save

The following are the configurable attributes in the DNS Resolver:

  • resolver_name — Name of the resolver

  • nameserver_ips — The IP addresses of the DNS servers to be used for resolution (IPv4; IPv6 is also supported starting with version 22.1.3)

  • fixed_ttl — If configured, this value is used as the refresh interval for the DNS entries. It overrides both received_ttl and min_ttl: the entries are refreshed only on fixed_ttl, even when received_ttl is less than fixed_ttl.

  • min_ttl — If configured, this TTL overrides the TTL from responses whenever the received TTL is less than min_ttl; effectively, the TTL used is max(received_ttl, min_ttl).

  • use_mgmt — If this is enabled, DNS resolution is performed via management network.

The output is as follows:


[admin:demo-cntrlr]: > show serviceengine demo-se2 resolverdb
+----------------------+-------------------------------------------+
| Field                | Value                                     |
+----------------------+-------------------------------------------+
| se_ref               | demo-se2                                  |
| dns_resolution_on_se | True                                      |
| fqdns[1]             |                                           |
|   fqdn               | ntest17.foo.avi.com                       |
|   obj_uuids[1]       | pool-da9e76ad-9bf3-4a8b-9dce-13bf7d36b96d |
|   ips[1]             | 1.1.1.17                                  |
|   ttl                | 300                                       |
|   last_resolved_time | Mon Apr 12 06:54:12 2021                  |
|                      |                                           |
|   last_updated_time  | Mon Apr 12 05:03:35 2021                  |
|                      |                                           |
| fqdns[2]             |                                           |
|   fqdn               | ntest15.foo.avi.com                       |
|   obj_uuids[1]       | pool-f4e9743c-0585-4d67-897e-38328702813c |
|   ttl                | 0                                         |
|   last_resolved_time | Mon Apr 12 06:53:53 2021                  |
|                      |                                           |
|   last_updated_time  | Thu Jan  1 00:00:00 1970                  |
|                      |                                           |
|   err_response       | ERROR                                     |
| resolvers[1]         |                                           |
|   resolver_name      | resolver6                                 |
|   nameserver_ips[1]  | 100.64.88.201                             |
|   nameserver_ips[2]  | 100.64.92.40                              |
|   total_fqdns        | 2                                         |
| resolvers[2]         |                                           |
|   resolver_name      | Default-ResolvConf                        |
|   total_fqdns        | 0                                         |
+----------------------+-------------------------------------------+

  • If the resolution needs to be done via Service Engine but the DNS resolvers are updated via DHCP, then you can enable only dns_resolution_on_se and need not configure a dns_resolver in the cloud.
  • If a dns_resolver object is configured then it will always be used for FQDN resolution.
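As an added example (not from the Avi documentation), a small Python script that parses the fqdns[] rows of the resolverdb output shown above, flags names that failed to resolve (err_response present, no ips, or last_updated_time still at the Unix epoch as in fqdns[2]), and computes the refresh interval a healthy entry gets from the fixed_ttl and min_ttl attributes listed earlier. The sample table rows are constructed from the output above; the function names are the example's own.

```python
import re
from datetime import datetime
# Constructed sample: fqdns[] rows excerpted from the resolverdb table above.
SAMPLE = """\
| fqdns[1]             |                                           |
|   fqdn               | ntest17.foo.avi.com                       |
|   ips[1]             | 1.1.1.17                                  |
|   ttl                | 300                                       |
|   last_updated_time  | Mon Apr 12 05:03:35 2021                  |
| fqdns[2]             |                                           |
|   fqdn               | ntest15.foo.avi.com                       |
|   ttl                | 0                                         |
|   last_updated_time  | Thu Jan  1 00:00:00 1970                  |
|   err_response       | ERROR                                     |
"""
ROW = re.compile(r"^\|\s*([^|\s]+)\s*\|\s*(.*?)\s*\|$")
EPOCH = datetime(1970, 1, 1)  # last_updated_time of a name that never resolved

def parse_resolverdb(text):
    """Group rows into one dict per fqdns[N] entry; borders and spacer rows do not match ROW."""
    entries, cur = [], None
    for m in filter(None, map(ROW.match, text.splitlines())):
        field, value = m.groups()
        if field.startswith("fqdns["):
            cur = {"ips": []}
            entries.append(cur)
        elif field.startswith("resolvers["):
            cur = None  # resolver rows follow the fqdns section; stop collecting
        elif cur is not None and field.startswith("ips["):
            cur["ips"].append(value)
        elif cur is not None:
            cur[field] = value
    return entries

def effective_ttl(received_ttl, fixed_ttl=None, min_ttl=None):
    """Refresh interval per the DNSResolver rules: fixed_ttl wins, else max(received, min_ttl)."""
    if fixed_ttl is not None:
        return fixed_ttl
    return max(received_ttl, min_ttl or 0)

def check_entries(entries, fixed_ttl=None, min_ttl=None):
    """Map each fqdn to ('OK', refresh_seconds) or ('FAILED', None)."""
    report = {}
    for e in entries:
        updated = datetime.strptime(e["last_updated_time"], "%a %b %d %H:%M:%S %Y")
        if "err_response" in e or not e["ips"] or updated == EPOCH:
            report[e["fqdn"]] = ("FAILED", None)
        else:
            report[e["fqdn"]] = ("OK", effective_ttl(int(e["ttl"]), fixed_ttl, min_ttl))
    return report
```

A FAILED entry means the pool member behind that FQDN has no usable address on the SE, so this check is worth running after changing resolvers or nameserver reachability.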

IPv6 configuration for DNS resolution on Service Engine over IPv6

Starting with NSX Advanced Load Balancer version 22.1.3, IPv6 nameserver IPs can be provided in DNS resolvers, which enables DNS resolution over IPv6 for a given cloud. A sample configuration that adds an IPv6 nameserver for DNS resolution on Service Engine over IPv6 is shown below:


[admin:10-79-175-173]: > configure cloud test-cloud-vj
[admin:10-79-175-173]: cloud> dns_resolution_on_se
Overwriting the previously entered value for dns_resolution_on_se
[admin:10-79-175-173]: cloud> dns_resolvers
New object being created
[admin:10-79-175-173]: cloud:dns_resolvers> resolver_name ipv4resolver
[admin:10-79-175-173]: cloud:dns_resolvers> nameserver_ips 100.64.88.201
[admin:10-79-175-173]: cloud:dns_resolvers> where
Tenant: admin
Cloud: test-cloud-vj
+-------------------+---------------+
| Field             | Value         |
+-------------------+---------------+
| resolver_name     | ipv4resolver  |
| nameserver_ips[1] | 100.64.88.201 |
+-------------------+---------------+
[admin:10-79-175-173]: cloud:dns_resolvers> save
[admin:10-79-175-173]: cloud> dns_resolvers
New object being created
[admin:10-79-175-173]: cloud:dns_resolvers> resolver_name ipv6resolver
[admin:10-79-175-173]: cloud:dns_resolvers> nameserver_ips 2402:740:0:42a:250:56ff:fe81:6f11,2402:740:0:429:250:56ff:fe81:45b
[admin:10-79-175-173]: cloud:dns_resolvers> where
Tenant: admin
Cloud: test-cloud-vj
+-------------------+--------------------------------------------------------------------+
| Field             | Value                                                              |
+-------------------+--------------------------------------------------------------------+
| resolver_name     | ipv6resolver                                                       |
| nameserver_ips[1] | 2402:740:0:42a:250:56ff:fe81:6f11,2402:740:0:429:250:56ff:fe81:45b |
+-------------------+--------------------------------------------------------------------+
[admin:10-79-175-173]: cloud:dns_resolvers> save
[admin:10-79-175-173]: cloud> save

Note: When more than one IPv6 nameserver is needed, the IP addresses are added as a comma-separated list.

Limitations

The following are the limitations of DNS resolution on Service Engine:

  • Prior to NSX Advanced Load Balancer version 22.1.3, only IPv4 transport was supported for FQDN resolution. Starting with NSX Advanced Load Balancer version 22.1.3, IPv6 is supported for FQDN resolution.

  • DNS resolution is done over UDP only.

  • Only A records are queried.

Configuring DNS Nameservers on Service Engine for Client Log Streaming and for External Health Monitor

If a DNS resolver is configured in the cloud as described in the Configuring DNS Resolution on SE section above, the Service Engine virtual machine writes /etc/systemd/resolved.conf for the management network and /etc/netns/{namespace-name}/resolv.conf for every VRF.

Domain names configured in external_server under the Analytics Profile's client_log_streaming_config (used to stream Avi Vantage client logs), and domain names present in the script code of an External Health Monitor, are then resolved via the configured nameservers.

Document Revision History

Date            Change Summary
April 15, 2021  Published DNS Resolution on Service Engine Guide