Configure the Citrix ADC appliance as a DNS proxy server

As a DNS proxy server, the ADC appliance can function as a proxy for either a single DNS server or a group of DNS servers. The flow of requests and responses is illustrated in the following sample topology diagram.

Figure 1. Citrix ADC as DNS proxy

By default, the Citrix ADC appliance caches responses from DNS name servers. When the appliance receives a DNS query, it checks for the queried domain in its cache. If the address for the queried domain is present in its cache, the Citrix ADC returns the corresponding address to the client. Otherwise, it forwards the query to a DNS name server that checks for the availability of the address and returns it to the Citrix ADC. The Citrix ADC then returns the address to the client.

For requests for a domain that has been cached earlier, the Citrix ADC serves the Address record of the domain from the cache without querying the configured DNS server.

The appliance discards a record stored in its cache when the record's time-to-live (TTL) value expires. A client that requests an expired record has to wait until the Citrix ADC retrieves the record from the server and updates its cache. To avoid this delay, the Citrix ADC proactively updates the cache by retrieving the record from the server before the record expires.

The following table lists sample names and the values of the entities that need to be configured on the Citrix ADC.

Table 1. Example of DNS Proxy Entity Configuration

| Entity type | Name | IP address | Type | Port |
| --- | --- | --- | --- | --- |
| LB virtual server | Vserver-DNS-1 | 10.102.29.40 | DNS | 53 |
| Services | Service-DNS-1 | 10.102.29.50 | DNS | 53 |
| Services | Service-DNS-2 | 10.102.29.51 | DNS | 53 |

The following diagram shows the entities of a DNS Proxy and the values of the parameters to be configured on the Citrix ADC.

Figure 2. DNS Proxy Entity Model

Note: To configure DNS proxy, you need to know how to configure load balancing services and virtual servers.

Create a load balancing virtual server

To configure a DNS Proxy on the Citrix ADC, configure a load balancing virtual server of type DNS. To configure a DNS virtual server to load balance a set of DNS servers that support recursive queries, you must set the Recursion Available option. With this option, the RA bit is set to ON in the DNS replies from the DNS virtual server.

For instructions on creating a load balancing virtual server, see “Load Balancing”.

Create DNS services

After creating a load balancing virtual server of type DNS, you must create DNS services. You can add, modify, enable, disable, and remove a DNS service. For instructions on creating a DNS service, see “Load Balancing”.

Bind a load balancing virtual server to DNS services

To complete the DNS Proxy configuration, you must bind the DNS services to the load balancing virtual server. For instructions on binding a service to a load balancing virtual server, see “Load Balancing”.

Configure the DNS proxy setup to use TCP

Some clients use the User Datagram Protocol (UDP) for DNS communications. However, DNS over UDP limits the message size to 512 bytes. When payload lengths exceed 512 bytes, the client must use the Transmission Control Protocol (TCP). When a client sends the Citrix ADC appliance a DNS query, the appliance forwards the query to one of the name servers. If the response is too large for a UDP packet, the name server sets the truncation bit in its response to the Citrix ADC. The truncation bit indicates that the response is too large for UDP and that the client must send the query over a TCP connection. The Citrix ADC relays the response to the client with the truncation bit intact and waits for the client to initiate a TCP connection with the IP address of the DNS load balancing virtual server, on port 53. The client sends the request over a TCP connection. The Citrix ADC appliance then forwards the request to the name server and relays the response to the client.

To configure the Citrix ADC to use the TCP protocol for DNS, you must configure a load balancing virtual server and services, both of type DNS_TCP. You can configure monitors of type DNS_TCP to check the state of the services. For instructions on creating DNS_TCP virtual servers, services, and monitors, see “Load Balancing.”

For updating the records proactively, the Citrix ADC uses a TCP connection to the server to retrieve the records.

Important: To configure the Citrix ADC to use UDP for DNS and use TCP only when the payload length of UDP exceeds 512 bytes, you need to configure both DNS and DNS_TCP services. The IP address of the DNS_TCP service must be the same as that of the DNS service.
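The following is an added example (not Citrix code) of the client-side half of the UDP-to-TCP fallback described above: it builds a query, inspects the TC bit the ADC relays intact, and resends the same query with the 2-byte TCP length prefix. The `udp_send`/`tcp_send` transports and the replies they return are constructed stand-ins for the DNS vserver so the example runs without a network.

```python
import struct

UDP_MAX_PAYLOAD = 512  # DNS over UDP limit; larger answers come back with TC set

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: header with RD set plus one IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_flags(msg: bytes) -> dict:
    """Decode the header fields a proxy client cares about: QR, TC, RA, RCODE, ANCOUNT."""
    qid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(data: bytes) -> bytes:
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]

def resolve(name: str, udp_send, tcp_send) -> tuple:
    """Query over UDP first; if the reply carries TC, resend the identical query
    over TCP to port 53 on the DNS vserver. Transports are callables bytes -> bytes."""
    query = build_query(name)
    reply = udp_send(query)
    f = parse_flags(reply)
    if f["id"] != 0x1234 or not f["qr"]:
        raise ValueError("reply does not match the outstanding query")
    if not f["tc"]:
        return reply, "udp"                      # fits in UDP, done
    reply = tcp_unframe(tcp_send(tcp_frame(query)))
    return reply, "tcp"

# Constructed fake transports standing in for the DNS vserver (no network needed).
def _fake_udp(query: bytes) -> bytes:
    # Flags 0x8380 = QR, TC, RD, RA: the name server's answer was too big for UDP.
    return struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + query[12:]

def _fake_tcp(framed: bytes) -> bytes:
    query = tcp_unframe(framed)
    # Flags 0x8180 = QR, RD, RA; one constructed A record (name pointer to offset 12).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 102, 29, 40])
    return tcp_frame(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + query[12:] + answer)

if __name__ == "__main__":
    reply, transport = resolve("example.com", _fake_udp, _fake_tcp)
    print(transport, parse_flags(reply))
```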

Configure time-to-live values for DNS entries

The TTL is the same for all DNS records with the same domain name and record type. If the TTL value is changed for one of the records, the new value is reflected in all records of the same domain name and type. The default TTL value is 3600 seconds. The minimum is 0, and the maximum is 604800. If a DNS entry has a TTL value less than the minimum or greater than the maximum, it is saved as the minimum or maximum TTL value, respectively.

Specify the minimum and/or maximum TTL by using the CLI

At the Citrix ADC command prompt, type the following commands to specify the minimum and maximum TTL and verify the configuration:

-  set dns parameter [-minTTL <secs>] [-maxTTL <secs>]
-  show dns parameter  

Example:

```
> set dns parameter -minTTL 1200 -maxTTL 1800
 Done
> show dns parameter
        DNS parameters:
        DNS retries: 5
        Minimum TTL: 1200               Maximum TTL: 1800
            .
            .
            .
 Done
>
```

Specify the minimum and/or maximum TTL by using the GUI

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, under Settings, click Change DNS settings.
  3. In the Configure DNS Parameters dialog box, in TTL, in the Minimum and Maximum text boxes, type the minimum and maximum time to live (in seconds), respectively, and then click OK.

Note: When the TTL expires, the record is deleted from the cache. The Citrix ADC proactively contacts the servers and obtains the DNS record just before the DNS record expires.

Flush DNS records

You can delete all DNS records present in the cache. For example, you might want to flush DNS records when a server is restarted after modifications are made.

Delete all proxy records by using the CLI

At the Citrix ADC command prompt, type:

flush dns proxyRecords

Delete all proxy records by using the GUI

  1. Navigate to Traffic Management > DNS > Records.
  2. In the details pane, click Flush Proxy Records.

Add DNS resource records

You can add DNS records to a domain for which the Citrix ADC appliance is configured as a DNS proxy server. For information about adding DNS records, see Configuring DNS Resource Records.

Remove a load balancing DNS virtual server

For information about removing a load balancing virtual server, see Load Balancing.

Limit the number of concurrent DNS requests on a client connection

You can limit the number of concurrent DNS requests on a single client connection, which is identified by the <clientip:port>-<vserver ip:port> tuple. Concurrent DNS requests are those requests that the Citrix ADC appliance has forwarded to the name servers and for which the appliance is awaiting responses. Limiting the number of concurrent requests on a client connection enables you to protect the name servers when a hostile client attempts a Distributed Denial of Service (DDoS) attack by sending a flood of DNS requests. When the limit for a client connection is reached, subsequent DNS requests on the connection are dropped until the outstanding request count goes below the limit. This limit does not apply to the requests that the Citrix ADC appliance serves out of its cache.

The default value for this parameter is 255. This default value is sufficient in most scenarios. If the name servers serve a large number of concurrent DNS requests under normal operating conditions, you can specify either a large value or a value of zero (0). A value of 0 disables this feature and specifies that there is no limit to the number of DNS requests that are allowed on a single client connection. This is a global parameter and applies to all the DNS virtual servers that are configured on the Citrix ADC appliance.
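As an added illustration (not Citrix code), the model below reproduces the per-connection limiting behaviour described in the two paragraphs above: requests forwarded to the name servers count as outstanding until a response arrives, cache hits are never counted, and a value of 0 disables the limit. The connection tuple, flood size and IP addresses are constructed sample values.

```python
from collections import defaultdict

class DnsPipelineLimiter:
    """Model of the ADC's per-connection cap on outstanding (forwarded, unanswered)
    DNS requests. A connection is the <client ip:port>-<vserver ip:port> tuple.
    max_pipeline=0 disables the cap, like 'set dns parameter -maxPipeline 0'."""

    def __init__(self, max_pipeline: int = 255):   # 255 is the documented default
        self.max_pipeline = max_pipeline
        self.outstanding = defaultdict(int)          # per-connection in-flight count
        self.forwarded = self.dropped = self.cache_hits = 0

    def on_request(self, conn: tuple, cached: bool = False) -> str:
        """Return 'cache', 'forward' or 'drop' for a request arriving on conn."""
        if cached:                                   # cache answers never count
            self.cache_hits += 1
            return "cache"
        if self.max_pipeline and self.outstanding[conn] >= self.max_pipeline:
            self.dropped += 1                        # dropped until count falls below limit
            return "drop"
        self.outstanding[conn] += 1
        self.forwarded += 1
        return "forward"

    def on_response(self, conn: tuple) -> None:
        """A name server answered one outstanding request on conn."""
        if self.outstanding[conn] > 0:
            self.outstanding[conn] -= 1

def simulate_flood(limiter: DnsPipelineLimiter, conn: tuple, n: int) -> list:
    """Constructed flood: n back-to-back queries on one connection with no answers yet."""
    return [limiter.on_request(conn) for _ in range(n)]

if __name__ == "__main__":
    # Constructed client connection to the Vserver-DNS-1 address from Table 1.
    conn = (("192.0.2.10", 40000), ("10.102.29.40", 53))
    lim = DnsPipelineLimiter()
    results = simulate_flood(lim, conn, 300)
    print(results.count("forward"), "forwarded,", results.count("drop"), "dropped")
```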

Specify the maximum number of concurrent DNS requests allowed on a single client connection by using the CLI

At the command prompt, type the following commands to specify the maximum number of concurrent DNS requests allowed on a single client connection and verify the configuration:

-  set dns parameter -maxPipeline <positive_integer>  
-  show dns parameter  

Example:

```
> set dns parameter -maxPipeline 1000
 Done
> show dns parameter
        DNS parameters:
        DNS retries: 5
        .
        .
        .
        Max DNS Pipeline Requests: 1000
 Done
```

Specify the maximum number of concurrent DNS requests allowed on a single client connection by using the GUI

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, click Change DNS settings.
  3. In the Configure DNS Parameters dialog box, specify a value for Max DNS Pipeline Requests.
  4. Click OK.