Configuring the NetScaler as a DNS Proxy Server

May 26, 2015

As a DNS proxy server, the Citrix® NetScaler® appliance can function as a proxy for either a single DNS server or a group of DNS servers. The flow of requests and responses is illustrated in the following sample topology diagram.

Figure 1. NetScaler as DNS proxy


By default, the NetScaler appliance caches responses from DNS name servers. When the appliance receives a DNS query, it checks for the queried domain in its cache. If the address for the queried domain is present in its cache, the NetScaler returns the corresponding address to the client. Otherwise, it forwards the query to a DNS name server that checks for the availability of the address and returns it to the NetScaler. The NetScaler then returns the address to the client.

For requests for a domain that has been cached earlier, the NetScaler serves the Address record of the domain from the cache without querying the configured DNS server.

The NetScaler discards a record stored in its cache when the time-to-live (TTL) value of the record reaches the configured value. A client that requests an expired record has to wait until the NetScaler retrieves the record from the server and updates its cache. To avoid this delay, the NetScaler proactively updates the cache by retrieving the record from the server before the record expires.

The following table lists sample names and the values of the entities that need to be configured on the NetScaler.

Table 1. Example of DNS Proxy Entity Configuration

Entity type         Name            IP address      Type    Port
LB virtual server   Vserver-DNS-1   10.102.29.40    DNS     53
Services            Service-DNS-1   10.102.29.50    DNS     53
                    Service-DNS-2   10.102.29.51    DNS     53

The following diagram shows the entities of a DNS Proxy and the values of the parameters to be configured on the NetScaler.

Figure 2. DNS Proxy Entity Model


Note: Configuring DNS proxy requires that you know how to configure load balancing services and virtual servers. For that information, see "Load Balancing", and then complete the DNS proxy setup described here.

Creating a Load Balancing Virtual Server

Updated: 2014-12-29

To configure a DNS Proxy on the NetScaler ADC, configure a load balancing virtual server of type DNS. To configure a DNS virtual server to load balance a set of DNS servers that support recursive queries, you must set the Recursion Available option. With this option, the RA bit is set to ON in the DNS replies from the DNS virtual server.

For instructions on creating a load balancing virtual server, see "Load Balancing".

Creating DNS Services

Updated: 2013-08-26

After creating a load balancing virtual server of type DNS, you must create DNS services. You can add, modify, enable, disable, and remove a DNS service. For instructions on creating a DNS service, see "Load Balancing".

Binding a Load Balancing Virtual Server to DNS Services

Updated: 2013-09-13

To complete the DNS Proxy configuration, you must bind the DNS services to the load balancing virtual server. For instructions on binding a service to a load balancing virtual server, see "Load Balancing".

Configuring the DNS Proxy Setup to Use TCP

Updated: 2013-08-26

Some clients use the User Datagram Protocol (UDP) for DNS communications. However, a DNS message carried over UDP is limited to 512 bytes. When the payload exceeds 512 bytes, the client must use the Transmission Control Protocol (TCP). When a client sends the Citrix® NetScaler® appliance a DNS query, the appliance forwards the query to one of the name servers. If the response is too large for a UDP packet, the name server sets the truncation (TC) bit in its response to the NetScaler. The truncation bit indicates that the response is too large for UDP and that the client must resend the query over a TCP connection. The NetScaler relays the response to the client with the truncation bit intact and waits for the client to initiate a TCP connection to the IP address of the DNS load balancing virtual server on port 53. The client sends the request over the TCP connection. The NetScaler appliance then forwards the request to the name server and relays the response to the client.

To configure the NetScaler to use the TCP protocol for DNS, you must configure a load balancing virtual server and services, both of type DNS_TCP. You can configure monitors of type DNS_TCP to check the state of the services. For instructions on creating DNS_TCP virtual servers, services, and monitors, see "Load Balancing."

To update cached records proactively, the NetScaler uses a TCP connection to the server to retrieve the records.

Important: To configure the NetScaler to use UDP for DNS and fall back to TCP only when the UDP payload exceeds 512 bytes, you must configure both DNS and DNS_TCP services. The IP address of the DNS_TCP service must be the same as that of the DNS service.
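The UDP-to-TCP fallback described above, as an added example that is not NetScaler code: it builds a minimal DNS query and response with Python's struct module, has a modelled name server set the TC bit when the full answer exceeds 512 bytes, and shows the client retrying over TCP with the two-byte length prefix that DNS uses on TCP. The name www.example.com, the addresses and the 40-record answer are constructed for illustration; the roles (client, proxy, name server) are simulated in-process rather than over sockets.

```python
"""Minimal DNS messages showing the UDP truncation (TC) bit and retry over TCP.

Added example, not NetScaler code: it models the name server, the proxy and
the client roles described above with constructed messages; the sample name
and addresses are invented.
"""
import struct

DNS_UDP_MAX = 512        # largest DNS message carried in a plain UDP datagram
FLAG_QR = 0x8000         # response
FLAG_TC = 0x0200         # truncated
FLAG_RD = 0x0100         # recursion desired
FLAG_RA = 0x0080         # recursion available (the "Recursion Available" option)


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard query with RD set, one question, A record (type 1) by default."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def question_length(msg):
    """Bytes occupied by the (uncompressed) question section after the header."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4 - 12


def build_full_response(query, addresses, ttl=60):
    """Response carrying one A record per address; RR names point back to the question."""
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:12 + question_length(query)]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RA | (flags & FLAG_RD),
                         1, len(addresses), 0, 0)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
        for ip in addresses)
    return header + question + answers


def name_server_udp_reply(full):
    """If the full answer does not fit in 512 bytes, reply with TC set and no answers."""
    if len(full) <= DNS_UDP_MAX:
        return full
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", full[:12])
    return (struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
            + full[12:12 + question_length(full)])


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def has_recursion_available(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_RA)


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def tcp_frame(msg):
    """On TCP every DNS message is prefixed with its two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def resolve_through_proxy(query, addresses):
    """Client -> proxy -> name server exchange; returns (transport, response)."""
    full = build_full_response(query, addresses)
    udp_reply = name_server_udp_reply(full)   # proxy forwards the UDP query
    if not is_truncated(udp_reply):
        return "udp", udp_reply               # proxy relays the complete answer
    # Proxy relays the truncated reply unchanged; the client retries on TCP port 53
    # of the DNS vserver, and the DNS_TCP service carries it to the name server.
    tcp_reply = tcp_frame(full)
    return "tcp", tcp_unframe(tcp_reply)


# Constructed data: a name with few addresses and one with many.
FEW = ["10.102.29.%d" % i for i in range(60, 64)]      # 4 A records, fits in UDP
MANY = ["10.102.29.%d" % i for i in range(100, 140)]   # 40 A records, 673 bytes

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    for label, addrs in (("few", FEW), ("many", MANY)):
        transport, reply = resolve_through_proxy(q, addrs)
        print(label, transport, answer_count(reply), "answers")
```

The 512-byte check lives on the name-server side, which is why the proxy can relay the reply "with the truncation bit intact" and leave the retry decision to the client; a proxy that rewrote or cleared TC would break this flow.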

Enabling Caching of DNS Records

Updated: 2013-08-27

To complete the process of configuring a DNS proxy on the NetScaler, you must enable caching of DNS records. You must also specify minimum and maximum time-to-live (TTL) values for the records that are cached. The TTL values are measured in seconds.

To enable caching of DNS records by using the command line interface

At the command prompt, type the following commands to enable caching of DNS records and verify the configuration:

  • set dns parameter -cacheRecords Yes
  • show dns parameter

Example

> set dns parameter -cacheRecords YES
 Done
> show dns parameter
        .
        .
        .
        Cache Records : YES
        .
        .
        .
 Done
>

To enable caching of DNS records by using the configuration utility

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, under Settings, click Change DNS settings.
  3. In the Configure DNS Parameters dialog box, select the Enable records caching check box, and then click OK.

Configuring Time-to-Live Values for DNS Entries

The TTL is the same for all DNS records with the same domain name and record type. If the TTL value is changed for one of the records, the new value is reflected in all records of the same domain name and type. The default TTL value is 3600 seconds. The minimum is 0, and the maximum is 2147483647. If a DNS entry has a TTL value less than the minimum or greater than the maximum, it is saved as the minimum or maximum TTL value, respectively.
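The cache behaviour described in the overview (lookup, forwarding on a miss, expiry when the TTL is reached, and proactive refresh just before expiry) together with the TTL clamping described above, as an added example that is not NetScaler code. The class and function names, the five-second refresh lead time, and the upstream records for short.example.com and long.example.com are assumptions made for illustration; the minTTL 1200 / maxTTL 1800 values are the ones used in the CLI example on this page.

```python
"""Toy model of the DNS proxy cache and TTL clamping described on this page.

Added example, not NetScaler code. Names, the refresh window and the
sample upstream records are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass
class CachedRecord:
    address: str
    ttl: int          # effective TTL after clamping, in seconds
    stored_at: float  # time at which the record entered the cache


class DnsProxyCache:
    # Page values: TTL defaults to 3600 s; clamp range is 0 .. 2147483647
    TTL_FLOOR = 0
    TTL_CEILING = 2147483647

    def __init__(self, resolver, cache_records=True,
                 min_ttl=TTL_FLOOR, max_ttl=TTL_CEILING, refresh_window=5):
        self.resolver = resolver                # callable(name) -> (address, ttl)
        self.cache_records = cache_records      # "set dns parameter -cacheRecords"
        self.min_ttl = min_ttl                  # "-minTTL"
        self.max_ttl = max_ttl                  # "-maxTTL"
        self.refresh_window = refresh_window    # assumed lead time before expiry
        self.cache = {}
        self.upstream_queries = 0

    def clamp_ttl(self, ttl):
        """A TTL below the minimum is stored as the minimum, above the maximum as the maximum."""
        return max(self.min_ttl, min(self.max_ttl, ttl))

    def _fetch(self, name, now):
        address, ttl = self.resolver(name)
        self.upstream_queries += 1
        if self.cache_records:
            self.cache[name] = CachedRecord(address, self.clamp_ttl(ttl), now)
        return address

    def resolve(self, name, now):
        """Answer from cache when a live record exists, otherwise query the server."""
        rec = self.cache.get(name)
        if rec is not None and now - rec.stored_at < rec.ttl:
            return rec.address, "cache"
        if rec is not None:
            del self.cache[name]   # TTL reached: discard the stale record
        return self._fetch(name, now), "server"

    def proactive_refresh(self, now):
        """Re-fetch records that will expire within refresh_window seconds."""
        refreshed = []
        for name, rec in list(self.cache.items()):
            remaining = rec.ttl - (now - rec.stored_at)
            if 0 < remaining <= self.refresh_window:
                self._fetch(name, now)
                refreshed.append(name)
        return refreshed

    def flush_proxy_records(self):
        """Equivalent of 'flush dns proxyRecords': drop every cached record."""
        count = len(self.cache)
        self.cache.clear()
        return count


# Constructed upstream answers: (address, TTL the name server returns).
UPSTREAM = {
    "short.example.com": ("10.102.29.60", 30),
    "long.example.com": ("10.102.29.61", 86400),
}


def fake_name_server(name):
    return UPSTREAM[name]


def demo():
    """Walk through lookup, clamping, expiry and refresh with minTTL 1200 / maxTTL 1800."""
    proxy = DnsProxyCache(fake_name_server, min_ttl=1200, max_ttl=1800)
    first = proxy.resolve("short.example.com", now=0)        # miss -> server
    second = proxy.resolve("short.example.com", now=100)     # hit -> cache
    short_ttl = proxy.cache["short.example.com"].ttl         # 30 clamped up to 1200
    proxy.resolve("long.example.com", now=0)
    long_ttl = proxy.cache["long.example.com"].ttl           # 86400 clamped down to 1800
    refreshed = proxy.proactive_refresh(now=1196)            # short record has 4 s left
    third = proxy.resolve("short.example.com", now=1300)     # still served from cache
    queries = proxy.upstream_queries
    flushed = proxy.flush_proxy_records()
    return {"first": first, "second": second, "short_ttl": short_ttl,
            "long_ttl": long_ttl, "refreshed": refreshed, "third": third,
            "upstream_queries": queries, "flushed": flushed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what clamping does to cache freshness: a record the authoritative server published with a 30-second TTL is served for 1200 seconds once minTTL is 1200, so a raised minimum trades lower name-server load for slower propagation of address changes.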

To specify the minimum and/or maximum TTL by using the command line interface

At the NetScaler command prompt, type the following commands to specify the minimum and maximum TTL and verify the configuration:

  • set dns parameter [-minTTL <secs>] [-maxTTL <secs>]
  • show dns parameter

Example

> set dns parameter -minTTL 1200 -maxTTL 1800
 Done
> show dns parameter
        DNS parameters:
        DNS retries: 5
        Minimum TTL: 1200               Maximum TTL: 1800
        .
        .
        .
 Done
>

To specify the minimum and/or maximum TTL by using the configuration utility

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, under Settings, click Change DNS settings.
  3. In the Configure DNS Parameters dialog box, in TTL, in the Minimum and Maximum text boxes, type the minimum and maximum time to live (in seconds), respectively, and then click OK.

Note: When the TTL expires, the record is deleted from the cache. The NetScaler proactively contacts the servers and obtains the DNS record just before the DNS record expires.

Flushing DNS Records

You can delete all DNS records present in the cache. For example, you might want to flush DNS records when a server is restarted after modifications are made.

To delete all proxy records by using the command line interface

At the NetScaler command prompt, type:

flush dns proxyRecords

To delete all proxy records by using the configuration utility

  1. Navigate to Traffic Management > DNS > Records > Address Records.
  2. In the details pane, click Flush Proxy Records.

Adding DNS Resource Records

Updated: 2013-08-26

You can add DNS records to a domain for which the Citrix® NetScaler® appliance is configured as a DNS proxy server. For information about adding DNS records, see Configuring DNS Resource Records.

Removing a Load Balancing DNS Virtual Server

Updated: 2013-08-27

For information about removing a load balancing virtual server, see Load Balancing.

Limiting the Number of Concurrent DNS Requests on a Client Connection

Updated: 2013-09-10

You can limit the number of concurrent DNS requests on a single client connection, which is identified by the <clientip:port>-<vserver ip:port> tuple. Concurrent DNS requests are those requests that the NetScaler appliance has forwarded to the name servers and for which the appliance is awaiting responses. Limiting the number of concurrent requests on a client connection enables you to protect the name servers when a hostile client attempts a Distributed Denial of Service (DDoS) attack by sending a flood of DNS requests. When the limit for a client connection is reached, subsequent DNS requests on the connection are dropped until the outstanding request count falls below the limit. This limit does not apply to the requests that the NetScaler appliance serves out of its cache.

The default value for this parameter is 255. This default value is sufficient in most scenarios. If the name servers serve a large number of concurrent DNS requests under normal operating conditions, you can specify either a large value or a value of zero (0). A value of 0 disables this feature and specifies that there is no limit to the number of DNS requests that are allowed on a single client connection. This is a global parameter and applies to all the DNS virtual servers that are configured on the NetScaler appliance.
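The per-connection limit described above, as an added example that is not NetScaler code: a small limiter keyed by the <clientip:port>-<vserver ip:port> tuple in which only requests forwarded to a name server and still awaiting a reply count against the limit, cache hits are never counted, and a limit of 0 disables the cap. The connection strings, the limit of 4 and the replayed event trace are constructed so that the drop-and-drain behaviour is visible in a few lines; the vserver address 10.102.29.40 is the one from Table 1.

```python
"""Per-connection cap on outstanding DNS requests, modelled on maxPipeline.

Added example, not NetScaler code: a request counts only while it has been
forwarded to a name server and the reply is still pending; cache hits never
count; a limit of 0 disables the cap. The replayed traffic is constructed.
"""
from collections import defaultdict

# Connection keys in the form the page uses: <clientip:port>-<vserver ip:port>.
CONN_A = "192.0.2.10:40001-10.102.29.40:53"   # constructed client A
CONN_B = "192.0.2.11:40002-10.102.29.40:53"   # constructed client B


class PipelineLimiter:
    def __init__(self, max_pipeline=255):      # page default is 255
        self.max_pipeline = max_pipeline
        self.outstanding = defaultdict(int)    # forwarded, awaiting reply
        self.dropped = defaultdict(int)

    def on_request(self, conn, served_from_cache):
        """True if the request is answered or forwarded, False if dropped."""
        if served_from_cache:
            return True                        # cache answers are never limited
        if self.max_pipeline and self.outstanding[conn] >= self.max_pipeline:
            self.dropped[conn] += 1            # limit reached: drop until replies drain
            return False
        self.outstanding[conn] += 1
        return True

    def on_response(self, conn):
        """A name-server reply arrived; one slot on this connection frees up."""
        if self.outstanding[conn] > 0:
            self.outstanding[conn] -= 1


# Constructed event trace: ("req", conn, served_from_cache) or ("resp", conn).
TRACE = (
    [("req", CONN_A, False)] * 6     # burst of six uncached queries on A
    + [("req", CONN_A, True)] * 2    # two cache hits on A, always accepted
    + [("req", CONN_B, False)]       # an unrelated connection is unaffected
    + [("resp", CONN_A)] * 4         # replies drain the queue on A
    + [("req", CONN_A, False)]       # room again: forwarded
)


def replay(max_pipeline, trace=TRACE):
    """Run the trace through a limiter and summarise what happened."""
    limiter = PipelineLimiter(max_pipeline)
    forwarded = 0
    from_cache = 0
    for event in trace:
        if event[0] == "req":
            _, conn, cached = event
            if limiter.on_request(conn, cached):
                if cached:
                    from_cache += 1
                else:
                    forwarded += 1
        else:
            limiter.on_response(event[1])
    return {"forwarded": forwarded, "from_cache": from_cache,
            "dropped": dict(limiter.dropped),
            "outstanding": dict(limiter.outstanding)}


if __name__ == "__main__":
    print("maxPipeline 4:", replay(4))
    print("maxPipeline 0:", replay(0))
```

Because the count is per connection tuple rather than per client address, a flood that spreads its queries across many source ports is limited per port, not in aggregate; the parameter protects the name servers from a single pipelined connection and is not a substitute for rate limiting upstream of the vserver.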

To specify the maximum number of concurrent DNS requests allowed on a single client connection by using the command line interface

At the command prompt, type the following commands to specify the maximum number of concurrent DNS requests allowed on a single client connection and verify the configuration:

  • set dns parameter -maxPipeline <positive_integer>
  • show dns parameter

Example

> set dns parameter -maxPipeline 1000
 Done
> show dns parameter
        DNS parameters:
        DNS retries: 5
        .
        .
        .
        Max DNS Pipeline Requests: 1000
 Done
>

To specify the maximum number of concurrent DNS requests allowed on a single client connection by using the configuration utility

  1. Navigate to Traffic Management > DNS.
  2. In the details pane, click Change DNS settings.
  3. In the Configure DNS Parameters dialog box, specify a value for Max DNS Pipeline Requests.
  4. Click OK.