Citrix ADC 13.0

Configure negative caching of DNS records

The Citrix ADC appliance supports caching of negative responses for a domain. A negative response indicates that information about a requested domain does not exist, or that the server cannot provide an answer for the query. The storage of this information is called negative caching. Negative caching helps speed up responses to queries about a domain.

Note:

Negative caching is supported only when the backend server is configured as an authoritative DNS (ADNS) server for the queried domain.

A negative response can be one of the following:

  • NXDOMAIN error message — The authoritative DNS server responds with NXDOMAIN when the queried domain name has no records configured on the server. This means the queried domain is an invalid or non-existent domain name.
  • NODATA error message — If the domain name in the query is valid but no records of the requested type are available, the appliance sends a NODATA error message.

When negative caching is enabled, the appliance caches the negative response from the DNS server and serves future requests for the same query from the cache. This speeds up responses to queries and reduces backend DNS traffic. Negative caching can be used in all deployments, that is, when a Citrix ADC appliance is serving as a proxy, as an end resolver, or as a forwarder.

You can enable or disable negative caching by using a DNS profile; for more information, see DNS profiles. By default, negative caching is enabled both in the default DNS profile (default-dns-profile), which is bound by default to a DNS virtual server, and in any newly created DNS profile.

Enable or disable negative caching by using the CLI

At the command prompt, type the following commands to enable or disable negative caching and verify the configuration:

-  add dns profile <dnsProfileName> [-cacheRecords ( ENABLED | DISABLED )] [-cacheNegativeResponses (ENABLED | DISABLED )]
-  show dns profile [<dnsProfileName>]

Example of a default DNS profile:

> sh dns profile default-dns-profile
    1)   default-dns-profile
        Query logging : DISABLED        Answer section logging : DISABLED
        Extended logging : DISABLED     Error logging : DISABLED
        Cache Records : ENABLED     Cache Negative Responses: ENABLED
Done

Example of a newly created DNS profile:

> add dns profile dns_profile1 -cacheRecords ENABLED -cacheNegativeResponses ENABLED
Done
> show dns profile dns_profile1
    1)   dns_profile1
        Query logging : DISABLED        Answer section logging : DISABLED
        Extended logging : DISABLED     Error logging : DISABLED
        Cache Records : ENABLED     Cache Negative Responses: ENABLED
Done
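When auditing many appliances it is useful to check the `show dns profile` output above mechanically rather than by eye. The following script is an added example (not Citrix code): it parses output in the format shown on this page, constructed here as sample data including a hypothetical profile `dns_profile2` with negative caching switched off, and lists profiles whose Cache Negative Responses setting is not ENABLED.

```python
import re
from typing import Dict, List

# Constructed sample of `show dns profile` output, in the layout shown above.
# dns_profile2 is a made-up profile with negative caching disabled.
SAMPLE_OUTPUT = """\
> show dns profile
    1)   default-dns-profile
        Query logging : DISABLED        Answer section logging : DISABLED
        Extended logging : DISABLED     Error logging : DISABLED
        Cache Records : ENABLED     Cache Negative Responses: ENABLED
    2)   dns_profile2
        Query logging : ENABLED        Answer section logging : DISABLED
        Extended logging : DISABLED     Error logging : DISABLED
        Cache Records : ENABLED     Cache Negative Responses: DISABLED
Done
"""

# A profile header looks like "    1)   default-dns-profile".
PROFILE_RE = re.compile(r"^\s*\d+\)\s+(\S+)\s*$")
# Each setting line holds one or more "Label : VALUE" pairs separated by spaces.
SETTING_RE = re.compile(r"([A-Za-z ]+?)\s*:\s*(ENABLED|DISABLED)")


def parse_dns_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {setting_label: 'ENABLED' | 'DISABLED'}}."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = PROFILE_RE.match(line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is None:
            continue  # prompt line or anything before the first profile
        for label, value in SETTING_RE.findall(line):
            profiles[current][label.strip()] = value
    return profiles


def profiles_without_negative_caching(text: str) -> List[str]:
    """Names of profiles whose 'Cache Negative Responses' is not ENABLED."""
    return [name for name, settings in parse_dns_profiles(text).items()
            if settings.get("Cache Negative Responses") != "ENABLED"]


if __name__ == "__main__":
    for name in profiles_without_negative_caching(SAMPLE_OUTPUT):
        print(f"{name}: negative caching disabled")
```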

Specify service or virtual server level DNS parameters by using the CLI

At the command prompt, perform the following:

  1. Configure the DNS profile.

    add dns profile <dnsProfileName> [-cacheRecords ( ENABLED | DISABLED )] [-cacheNegativeResponses (ENABLED | DISABLED )]

  2. Bind the DNS profile to the service or virtual server.

    To bind the DNS profile to the service:

    set service <name> [-dnsProfileName <string>]

    Example:

    > set service service1 -dnsProfileName dns_profile1
    Done

    To bind the DNS profile to the virtual server:

    set lb vserver <name> [-dnsProfileName <string>]

    Example:

    > set lb vserver lbvserver1 -dnsProfileName dns_profile1
    Done

Specify service or virtual server level DNS parameters by using the GUI

  1. Configure the DNS profile.

    Navigate to System > Profiles > DNS Profile, and create the DNS profile.

  2. Bind the DNS profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, and select the DNS profile to bind to the service or the virtual server.

Rate limiting negative response served by the appliance

You can set a threshold for negative responses served by the Citrix ADC appliance from the cache. When the threshold is set, the appliance serves the response from the cache until the threshold is reached. Once the threshold is reached, the appliance drops the requests instead of responding with NXDOMAIN.

Setting a rate limit for negative responses has the following advantages:

  • Saves resources on the Citrix ADC appliance.
  • Mitigates malicious queries for non-existent domain names.

Note: You can set a threshold for negative responses only for the domains for which the Citrix ADC appliance is configured as an authoritative domain name server, not for cached records received from the authoritative backend name servers.

Rate limiting negative response served by the cache by using the CLI

At the command prompt, type:

set dns parameter -NXDOMainRateLimitThreshold <positive-integer>

Example:

set dns parameter -NXDOMainRateLimitThreshold 1000

NXDOMainRateLimitThreshold: When this parameter is set to a positive integer, responses are served from the cache until this threshold (in seconds) is reached. Once the threshold is exceeded, the requests are dropped. The configured threshold applies per packet engine.

Rate limiting negative response served by the cache by using the GUI

  1. Navigate to Traffic Management > DNS and click Change DNS Settings.
  2. In the Configure DNS parameters page, in the NXDOMAIN Rate Limit Threshold field, enter the threshold value until which the responses must be served from the cache.

Note: The NXDOMAIN Threshold Crossed counter displays the number of times requests were dropped after the threshold was reached.
