Cisco DistributedDirector 2500 Series Install and Config Guide
Configuring DNS Caching Name Server Mode

Table Of Contents

Configuring DNS Caching Name Server Mode

Planning the Installation

Configuration Tasks

Configure the Director

Specify IP Address of the Default DNS Server and Define Virtual Host Names

Configure the Default Weight Metrics

Define an Access List to Enable Security for DRP

Configure a Regular Expression for Address Sorting

Set Up MD5 Authentication with Passwords as Another Security Measure

Configure DRP-Associations, Host-Specific Weights, Priorities, and Preferences in the Director

Add a Start of Authority Record in the Director

Associate Each Distributed Server with Its DRP Server Agent

Identify the Distributed Servers

Specify Information for Server Verification

Specify Host-Specific Weights or Metric Priorities

Set Up Server Preferences

Configure the Primary DNS Server

Test the Configuration

Sample Configuration

Sample Director Configuration

Sample DRP-Associations, Host-Specific Weights, Priorities, and Preferences on the Director

Sample Primary DNS Server Configuration


Configuring DNS Caching Name Server Mode


This chapter describes how to configure the Cisco DistributedDirector (the Director) and the primary domain DNS server for DNS caching name server mode.

Use DNS caching name server mode when you want the Director to act as the caching DNS name server for a specific subdomain.

To configure the Director for DNS caching name server mode, you need to set up the software on the following network equipment:

Cisco DistributedDirector 2500 Series

Primary domain DNS server

For each distributed server site, a Cisco router with the DRP server agent enabled


Note   The primary DNS server and the Director are configured differently for DNS caching name server and HTTP session redirector modes. The DRP server agents are enabled in the same manner for either mode. Configuring DRP server agents is described in the chapter "."


DNS caching name server mode works for all IP services. HTTP session redirector mode works only for HTTP services. You should choose the mode that best meets your networking requirements for a particular group of distributed servers. The Director supports multiple groups of distributed servers, and each group can operate in different configurations and modes.

DNS caching name server mode configuration is described in the following sections:

Planning the Installation

Configuration Tasks

Sample Configuration

For complete information about Director commands, see the chapter "."

Planning the Installation

Gather the following information:

IP address of the Director.

Subdomain name that you will assign to the group of distributed servers.

DNS name that you will use for the Director. (For example, if www.sleet.com is the subdomain name, you could use dd.sleet.com for the Director DNS name.)

Name and IP address of the primary DNS server for the domain above the Director subdomain, as well as secondary DNS servers for the domain. (For example, sleet.com could be the domain and www.sleet.com could be the subdomain.)

For each distributed server site, the IP address of a Cisco router, running Cisco IOS Release 11.2(4)F or later, configured as a DRP server agent.

Key chain password (a character string without spaces) that you will use for Message Digest algorithm 5 (MD5) authentication between the Director and the DRP server agents. Refer to Cisco IOS publications for more information on key chains.

For DNS caching name server mode, you need to determine whether the primary DNS server and its secondaries are running BIND version 4.9.3 or higher. If not, you need to upgrade them, because earlier BIND versions have a time-to-live (TTL) problem. In addition, these servers must be nonrecursive.

The Director can be placed anywhere in the corporate intranet. For ease of management, you should install the Director topologically close to the primary DNS server.

Configuration Tasks

The following sections describe how to configure the Director and the primary DNS server for DNS caching name server mode:

Configure the Director

Configure DRP-Associations, Host-Specific Weights, Priorities, and Preferences in the Director

Configure the Primary DNS Server

Test the Configuration

For advanced configuration options, refer to the chapter "."

Configure the Director

The Director can be placed anywhere in the corporate intranet. For ease of management, install the Director topologically close to the primary DNS server.

Perform the following steps to configure the Director for DNS caching name server mode. The tasks associated with each step are described in the subsections that follow this list:


Step 1 Specify IP Address of the Default DNS Server and Define Virtual Host Names

Step 2 Configure the Default Weight Metrics

Step 3 Define an Access List to Enable Security for DRP

Step 4 Configure a Regular Expression for Address Sorting

Step 5 Set Up MD5 Authentication with Passwords as Another Security Measure

Specify IP Address of the Default DNS Server and Define Virtual Host Names

Perform the following steps in global configuration mode to specify the IP address of the Director's default DNS server and to define the virtual host names to be used for distributed servers:

Task
Command

Step 1 Configure the Ethernet interface.

Refer to the chapter "."

Step 2 Specify the IP address of the default DNS server to which the Director should send requests (the primary domain's DNS primary server).

ip name-server DNS-server-IP-address

Step 3 Define the virtual host name(s) to be used for the set(s) of distributed servers.

ip director host name

Step 4 Define the IP addresses of the remote servers, and associate them with a virtual host name.

ip host [name] address1 [address2... address8]


Configure the Default Weight Metrics

To configure default weight metrics, perform the following task in global configuration mode:

Task
Command

Configure the default weight metrics.

ip director default-weights {[drp-int n] [drp-ext n] [drp-ser n] [random n] [admin n]}


Default weights are used for all host names sorted by the Director. Following are the valid metric options:

Random metric (random)

DRP-external metric (drp-ext)

DRP-internal metric (drp-int)

DRP-server metric (drp-ser)

Administrative metric (admin)

When the associated metric is referenced in the sorting decision, it is always multiplied by the appropriate metric weight. In this way, you can specify that some metrics weigh more heavily than others. You may determine the weights you want to use through experimentation. The weights do not need to add up to 100.

To override default weights for a certain host, specify host-specific weights in the Director configuration. For more information, also refer to the section "Setting Metrics and the Server Connection Parameter" in the chapter "."

To view the default weights setting, use the show ip director default-weights command.

Define an Access List to Enable Security for DRP

Perform the following tasks in global configuration mode to define an access list to enable security for DRP:

Task
Command

Step 1 Define an access list that permits replies from each of the DRP server agents.

access-list access-list-number permit [DRP-Agent-IP-address]

Step 2 Deny all other requests.

access-list access-list-number deny any

Step 3 Enable the access list.

ip drp access-group access-list-number


Configure a Regular Expression for Address Sorting

Perform the following tasks in global configuration mode to configure a regular expression that the Director matches against host names. If the host name in an incoming DNS A (address) query matches the pattern specified in the Director access list, the Director sorts the addresses. If not, all addresses are returned in the response as normal.

Task
Command

Step 1 Specify the host names that the Director should sort.

ip director access-list access-list-number [permit | deny] expression

Step 2 Tell the Director to use the access list.

ip director access-group access-list-number


If ip director access-group is not configured, then all host names are considered "interesting" to the Director. All incoming DNS A queries will then be passed to the Director for address sorting before the creation of the A response.
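The two lists in the preceding sections behave the same way: entries are tried in order and the first match decides. The following Python script is an added example, not Cisco code and not part of this guide; it models the DRP source-address list and the host-name regular-expression list with constructed sample entries, and assumes that IOS regular expressions behave like Python's re.search, that "any" is a catch-all entry, and that a name or address matched by no entry is treated as denied (an implicit deny, as with IP access lists).

```python
import ipaddress
import re

# Constructed sample values for this example (not from a live Director).
# They mirror the two lists in the chapter: the IP access list applied with
# 'ip drp access-group', and the regular-expression list applied with
# 'ip director access-group'.
DRP_AGENT_ACL = [("permit", "10.0.0.3"), ("permit", "11.0.0.3"),
                 ("permit", "12.0.0.3"), ("deny", "any")]
HOSTNAME_ACL = [("permit", r"^www.*"), ("deny", "any")]


def first_match(entries, matches):
    """Shared first-match evaluation: walk the entries in order and return the
    action of the first one whose pattern matches. Assumption: an input that
    no entry matches is treated like an implicit deny, as IP access lists do."""
    for action, pattern in entries:
        if matches(pattern):
            return action == "permit"
    return False


def drp_reply_allowed(source_ip, acl=DRP_AGENT_ACL):
    """Should a DRP reply from source_ip be accepted? 'any' is the catch-all
    keyword; anything else is compared as an exact host address."""
    src = ipaddress.ip_address(source_ip)
    return first_match(acl, lambda p: p == "any" or src == ipaddress.ip_address(p))


def hostname_is_interesting(qname, acl=HOSTNAME_ACL, access_group_applied=True):
    """Should the Director sort the A records for this query name?
    With no 'ip director access-group' configured every name is interesting.
    Assumption: IOS regular expressions behave like Python re.search here,
    and 'any' is modelled as a match-everything entry."""
    if not access_group_applied:
        return True
    name = qname.rstrip(".")
    return first_match(acl, lambda p: p == "any" or re.search(p, name) is not None)
```

Because "^www.*" is anchored only at the start, it also selects names such as wwwtest.other.com. If the Director should sort only one virtual host, a pattern anchored at both ends (in Python syntax, "^www\.sleet\.com$") keeps unrelated queries on the normal, unsorted path.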

Set Up MD5 Authentication with Passwords as Another Security Measure

Perform the following tasks in global configuration mode:

Task
Command

Step 1 Set up a key chain and password.

key chain name-of-chain

key number

key-string text

Step 2 Enable the DRP authentication key chain.

ip drp authentication key-chain name-of-chain


The key chain is an encrypted password that helps prevent DRP-based denial-of-service attacks. The key chain (a character string without spaces) must match the key chain of the DRP server agents with which the Director communicates.

Configure DRP-Associations, Host-Specific Weights, Priorities, and Preferences in the Director

The tasks associated with these steps are described in the subsections that follow:


Step 1 Add a Start of Authority Record in the Director

Step 2 Associate Each Distributed Server with Its DRP Server Agent (if you intend to configure DRP metrics)

Step 3 Identify the Distributed Servers

Step 4 Specify Information for Server Verification

Step 5 Specify Host-Specific Weights or Metric Priorities

Step 6 Set Up Server Preferences

Add a Start of Authority Record in the Director


Note   Start of Authority (SOA) serial numbers are not specified. The Director automatically calculates the SOA serial number each time a resource record is returned. This serial number, obtained from the system clock, is a 32-bit representation of the number of seconds since January 1, 1900. Note that January 1, 1900 is also the start time for the Network Time Protocol (NTP), defined in RFC 1305, which is used by all major Internet sites to synchronize system clocks with atomic clocks worldwide.


Perform the following task to add a Start of Authority (SOA) record in the Director to define the Director as the authoritative server for the subdomain name associated with the distributed servers:

Task
Command

In the Director, add a Start of Authority (SOA) record that gives the Director authority for the subdomain.

ip dns primary domain soa primary contact [refresh [retry [expire [minimum]]]]


For example, the following record makes the private DNS server authoritative for the www.sleet.com subdomain:

ip dns primary www.sleet.com. soa dd.sleet.com sysadmin.sleet.com 21600 900 7776000 86400

The above command tells the Director that it is the primary DNS server authoritative for the www.sleet.com domain. It indicates that the DNS host name of the Director is dd.sleet.com, and the administrative contact for this zone is sysadmin@sleet.com.

The refresh-interval (the time that must elapse between each poll of the primary by a secondary name server) is 6 hours. The retry-interval (the time between successive attempts by a secondary to reach the primary name server after a failed attempt) is 15 minutes. The expire-ttl (the time after which a secondary discards its data if it cannot reach the primary name server) is 90 days. The minimum-ttl (the minimum time-to-live value, which specifies how long other servers should cache data from the name server) is 1 day.

The values shown are suggested default values. You can configure the Director with the shown default values by simply using the following command:

ip dns primary domain soa primary contact

In the example, you would use:

ip dns primary www.sleet.com soa dd.sleet.com sysadmin.sleet.com

Associate Each Distributed Server with Its DRP Server Agent

If you intend to configure any DRP metrics, associate each distributed server with its DRP server agent.

Perform the following task in global configuration mode:

Task
Command

Associate each distributed server with its DRP server agent.

ip director server {hostname | host-ip-address} drp-association {name | ip-address}


For example:

ip director server 11.0.0.2 drp-association 11.0.0.3

The Director will query its default DNS server for name-to-address bindings. If you use host/router names instead of IP addresses, you must make sure to configure the appropriate A records in the Director's default DNS server. You should use your primary domain server as the Director's default DNS server to ensure that all such name-to-address binding requests can be satisfied.

Identify the Distributed Servers

Perform the following task in global configuration mode to identify the IP address(es) of the distributed server(s) with a domain name:

Task
Command

Identify the distributed servers.

ip host name [tcp-port-number] address1 [address2...address8]


For example, to identify the distributed servers with IP addresses 10.0.0.2, 11.0.0.2, and 12.0.0.2 as members of the www.sleet.com domain, you would use the following command:

ip host www.sleet.com 10.0.0.2 11.0.0.2 12.0.0.2

Specify Information for Server Verification

Perform the following task in global configuration mode:

Task
Command

Specify information for server verification.

ip director host name connect port connection-interval


For example, you would use the following command to instruct the Director to create a TCP connection to port 80 on each distributed server associated with www.sleet.com every 15 minutes:

ip director host www.sleet.com connect 80 15

Servers that yield unsuccessful TCP connections are marked as unavailable. Subsequent successful TCP connections to the server will reinstate it as available. See "Specifying the Server Connection Parameter" in the chapter "Configuring Advanced Features" for more details.
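As an added example (not from this guide or from Cisco), the following Python script reproduces the verification behaviour just described: it attempts a TCP connection to each distributed server's port, marks a server unavailable after a failed connection, and reinstates it after a later successful one. The servers are modelled as (address, port) pairs and a loopback listener stands in for a real distributed server so that the script runs offline; the 15-minute interval itself is not simulated.

```python
import socket


def tcp_connect_ok(host, port, timeout=3.0):
    """One verification attempt: open a TCP connection to host:port and close
    it again. Any socket error (refused, unreachable, timeout) counts as failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class ServerVerifier:
    """Availability tracking as the chapter describes it: a failed connection
    marks the server unavailable; a later successful connection reinstates it.
    Servers are (address, port) pairs here so the demo can use several loopback
    ports; on the Director the port is fixed per virtual host name."""

    def __init__(self, servers, timeout=3.0):
        self.timeout = timeout
        self.available = {s: True for s in servers}   # assumed available at start

    def verify_all(self):
        """One verification round, i.e. what the Director does every
        connection-interval minutes. Returns the availability map."""
        for host, port in list(self.available):
            self.available[(host, port)] = tcp_connect_ok(host, port, self.timeout)
        return dict(self.available)

    def candidates(self):
        """Addresses that may still be handed out in a sorted answer."""
        return [host for (host, _), ok in self.available.items() if ok]


def start_local_listener(port=0):
    """Constructed stand-in for a distributed server: a socket listening on a
    loopback port (0 = pick a free one). Closing it simulates the server going
    down; listening again on the same port simulates it coming back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    verifier = ServerVerifier([("127.0.0.1", port)], timeout=1.0)
    print(verifier.verify_all())   # listener up: available
    srv.close()
    print(verifier.verify_all())   # connection refused: unavailable
```

A server that accepts the TCP handshake but serves errors still passes this check, exactly as with the Director's connect test; the check detects unreachable or down servers, not broken applications.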

Specify Host-Specific Weights or Metric Priorities

To specify host-specific weights or metric priorities, perform either or both of the following tasks in global configuration mode:

Task
Command

Specify host-specific weights.

ip director host name weights {[drp-int n] [drp-ext n] [drp-ser n] [random n] [admin n]}

Specify metric priorities.

ip director host name priority {[drp-int n] [drp-ext n] [drp-ser n] [random n] [admin n]}


An example for host-specific weights follows:

ip director host www.sleet.com weights drp-ext 80 random 10 admin 10

An example for metric priorities follows:

ip director host www.sleet.com priority drp-ext 1 admin 2 random 3

Because there is no default prioritization, all metrics with nonzero weights are considered at the same time and after all other prioritized metrics. Metric priorities must be explicitly configured.

See the section "Setting Metrics and the Server Connection Parameter" in the chapter "" for more information.

You might want to configure DRP-associations, host-specific weights, and priorities in the Director's default DNS server. This may be useful if you use scripting tools to generate and maintain your DNS configurations.

See the "" chapter for more information.

Set Up Server Preferences

To set a preference for a distributed server based on cost, perform the following task in global configuration mode. When sorting, the Director uses the server preference value as that server's administrative (admin) metric.

Task
Command

Assign a preference for a distributed server (host).

ip director server {hostname | host-ip-address} preference [cost]


For example, to set a preference in the Director for the distributed server www-west.sleet.com, you might use the following command:

ip director server www-west.sleet.com preference 50

or

ip director server 10.0.0.2 preference 50

This example makes the www-west.sleet.com host less preferred than the others because it has a higher "cost" than the others (a cost of 50 in this case).

Configure the Primary DNS Server

Perform these steps to configure the primary DNS server for Director DNS caching name server mode:


Note   You must use BIND version 4.9.3 or higher and nonrecursive mode on the primary DNS server and all secondaries. The default DNS servers of clients must provide the recursion and query the Director directly.


Task
Resource Record

Step 1 In the DNS tables of the primary DNS server, add a DNS name server resource record that associates a subdomain with a Director DNS name.

subdomain-name. in ns Director-name

Step 2 Add an address resource record that associates the Director name with the Director IP address.

Director-name. in a Director-IP-address


For example, the following record specifies that dd.sleet.com is a name server for the www.sleet.com subdomain:

www.sleet.com. in ns dd.sleet.com

For example, the following record associates Director name dd.sleet.com with the Director IP address 10.0.0.1:

dd.sleet.com. in a 10.0.0.1

The primary DNS server then identifies the Director as the authoritative name server for the specified subdomain. These records are propagated to the secondary name servers by the normal DNS zone transfer mechanism.

Test the Configuration

You can test your setup by using a program such as host or nslookup to send a DNS A query to the Director. For example:

host www.sleet.com 10.0.0.1 

or

nslookup www.sleet.com 10.0.0.1

If you query the same host multiple times while using the random metric with the Director's caching turned off, you should receive different addresses.

To turn off Director caching when using the random metric, configure the following:

ip director default-weights random 1
no ip director cache

With the Director's cache turned off, you should receive different addresses.

Sample Configuration

This section shows a sample configuration for DNS caching name server mode, using the network arrangement in Figure 6-1. The following sections show the configurations for the Director and the primary DNS server.

Figure 6-1 Sample Network Arrangement

Sample Director Configuration

After configuring the Ethernet interface, you might enter the following commands to configure the Director.

To specify the Director's default DNS server, use the following global configuration command:

ip name-server 10.0.0.10

This command makes the primary DNS server the default DNS server for the Director.

The following global configuration command configures the default weight metrics:

ip director default-weights drp-int 10 drp-ext 90

Default weights are used for all host names sorted by the Director. To override default weights for a certain host, you would specify host-specific weights.

When the associated metric is referenced in the sorting decision, it will always be multiplied by the appropriate metric weight. In this way, you can specify that some metrics should weigh more heavily than others. You may determine the weights you want to use through experimentation. The weights given do not need to add up to 100.

Next, set up any desired security.

To set up an access list, you would enter these global configuration commands:

access-list 1 permit 10.0.0.3 
access-list 1 permit 11.0.0.3 
access-list 1 permit 12.0.0.3 
access-list 1 deny any

Enter the following global configuration command to enable the access list:

ip drp access-group 1

Specify the host names that the Director should sort with these global configuration commands:

ip director access-list 1 permit ^www.* 
ip director access-list 1 deny any

Enter the following global configuration command to tell the Director to use the access list:

ip director access-group 1

To set up MD5 authentication with passwords, you must first set up a key chain with a sequence of global configuration commands like the following:

key chain violet 
key 5 
key-string carnation

This sets up an authentication key chain, which is a character string without spaces, containing one key. Then make this the DRP authentication key chain with the following global configuration command:

ip drp authentication key-chain violet

Sample DRP-Associations, Host-Specific Weights, Priorities, and Preferences on the Director

You could use the following commands to configure these parameters on the Director:

ip dns primary www.sleet.com. soa dd.sleet.com sysadmin.sleet.com 21600 900 7776000 86400

ip director server 10.0.0.2 drp-association 10.0.0.3
ip director server 11.0.0.2 drp-association 11.0.0.3
ip director server 12.0.0.2 drp-association 12.0.0.3
ip host www.sleet.com 10.0.0.2 11.0.0.2 12.0.0.2

You have set up www.sleet.com as a subdomain and set up the Director IP address as the authoritative DNS caching name server for that subdomain. At the same time, you also set up A records giving the IP addresses of all of the mirrored distributed servers for this subdomain. You have specified the DRP server agent (router) which is associated with each distributed server. The commands shown are required when DRP metrics are used.

Even though the Director is only a caching DNS server, it is configured as the primary so that it is authoritative for the requested host name(s). Because it does not have full tables, the Director will forward DNS requests to its default DNS server, cache the results, issue DRP queries to the DRP server agents, gather DRP responses, sort the A records (if configured for sorting), and send the "best" IP address back to the client.


Note   The Director does not support DNS zone transfers.


You could either use IP addresses (as shown above) or use host names, as follows (see ):

ip director server www-1.sleet.com drp-association drp-1.sleet.com
ip director server www-2.sleet.com drp-association drp-2.sleet.com
ip director server www-3.sleet.com drp-association drp-3.sleet.com

The Director will query its default DNS server for name-to-address bindings. If you use host/router names instead of IP addresses, you must make sure to configure the appropriate A records in the Director's default DNS server. You should use your primary domain server as the Director's default DNS server to ensure that all such name-to-address binding requests can be satisfied.

To add host-specific weights, you would add more information to the Director. For example, you could configure host-specific weights like this:

ip director host www.sleet.com weights drp-ext 80 random 10 admin 10

The weights do not need to add up to 100. When the associated metric is referenced in the sorting decision, it will always be multiplied by the appropriate metric weight. In this way, you can specify that some metrics should be "heavier" than others.

To use metric priorities, you could use this configuration on the Director:

ip director host www.sleet.com priority drp-ext 1 admin 2

With this configuration, all clients would be assigned to the server that is closest to them according to BGP hop count distance. If two or more servers are at the same distance, the choice should be according to administrative preference.

You could set up an administrative preference with the following command:

ip director server www-west.sleet.com preference 50

This example makes the www-west.sleet.com host less preferred than the others because it has a higher "cost" than the others (a cost of 50 in this case).

For more information, refer to the section "Setting Metrics and the Server Connection Parameter" in the chapter "."
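To show how the host-specific weights, the metric priorities, and the server preference of this section (and of the earlier section "Specify Host-Specific Weights or Metric Priorities") combine in one sorting decision, the following Python script is an added example; it is not the Director's code. It assumes that every metric is a cost for which lower is better, that prioritised metrics are compared tier by tier in priority order, and that the remaining metrics with nonzero weights are summed into a single final tier considered after them; the metric values are constructed for the example.

```python
METRICS = ("drp-int", "drp-ext", "drp-ser", "random", "admin")


def sort_key(metrics, weights, priorities):
    """Comparison key for one server.
    Each metric value is multiplied by its weight. Metrics given a priority
    form the leading tiers, in priority order; every remaining metric with a
    nonzero weight is summed into one final tier, considered only after the
    prioritised ones. Lower is better (assumption: all metrics are costs,
    e.g. BGP hop counts, round-trip times, or the administrative cost)."""
    weighted = {m: metrics.get(m, 0) * weights.get(m, 0) for m in METRICS}
    ranked = [m for _, m in sorted((p, m) for m, p in priorities.items())]
    tiers = [weighted[m] for m in ranked]
    rest = [m for m in METRICS if weights.get(m, 0) and m not in priorities]
    tiers.append(sum(weighted[m] for m in rest))
    return tuple(tiers)


def director_sort(servers, weights, priorities=None, preferences=None):
    """servers: {address: {metric: value}}; preferences: {address: cost} from
    'ip director server ... preference', used as that server's admin metric.
    Returns addresses best first (the Director answers with the first one)."""
    priorities = priorities or {}
    preferences = preferences or {}

    def key(addr):
        m = dict(servers[addr])
        m["admin"] = preferences.get(addr, m.get("admin", 0))
        return sort_key(m, weights, priorities)

    return sorted(servers, key=key)


# Constructed sample metrics (not measured values): drp-ext = BGP hops seen
# from the client, drp-int = IGP distance, random = a die roll.
SAMPLE = {
    "10.0.0.2": {"drp-int": 2, "drp-ext": 3, "random": 7},
    "11.0.0.2": {"drp-int": 9, "drp-ext": 3, "random": 2},
    "12.0.0.2": {"drp-int": 1, "drp-ext": 5, "random": 9},
}
HOST_WEIGHTS = {"drp-ext": 80, "random": 10, "admin": 10}   # host-specific weights
HOST_PRIORITY = {"drp-ext": 1, "admin": 2}                   # metric priorities
DEFAULT_WEIGHTS = {"drp-int": 10, "drp-ext": 90}             # default-weights
PREFERENCE = {"10.0.0.2": 50}                                # www-west, cost 50

if __name__ == "__main__":
    # 10.0.0.2 and 11.0.0.2 tie on BGP distance; the admin tier (preference 50
    # versus 0) then decides, and random only breaks remaining ties.
    print(director_sort(SAMPLE, HOST_WEIGHTS, HOST_PRIORITY, PREFERENCE))
    # With default weights and no priorities everything is one summed tier.
    print(director_sort(SAMPLE, DEFAULT_WEIGHTS))
```

With the priorities configured, 10.0.0.2 and 11.0.0.2 tie on the BGP-distance tier, the preference of 50 then pushes 10.0.0.2 behind 11.0.0.2, and the random metric is consulted only for servers that are still tied after both prioritised tiers.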

Sample Primary DNS Server Configuration

For this example, there is a primary DNS server for the domain sleet.com, and you would like the Director to handle requests for the www.sleet.com subdomain only. You could set up your primary DNS server as follows:

www.sleet.com. in ns dd.sleet.com.
dd.sleet.com. in a 10.0.0.1

These records pass authority for the www.sleet.com host name (now treated as a subdomain name) to the dd.sleet.com name server (the Director).
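As an added example serving both the Director's SOA record (section "Add a Start of Authority Record in the Director") and these parent-zone records, the following Python script (not part of this guide, of Cisco IOS or of BIND) parses the ip dns primary command and the two resource records, checks that the delegation is consistent (the NS target equals the SOA primary and carries an A record for the Director's address), and computes an SOA serial as seconds since 1 January 1900, as the chapter's note describes. The timer ordering check retry < refresh < expire is a common sanity rule added here, not a requirement stated in this chapter.

```python
import datetime
import re

NTP_EPOCH = datetime.datetime(1900, 1, 1, tzinfo=datetime.timezone.utc)
SOA_DEFAULTS = (21600, 900, 7776000, 86400)   # refresh retry expire minimum
SOA_CMD = re.compile(
    r"^ip dns primary (\S+) soa (\S+) (\S+)(?: (\d+) (\d+) (\d+) (\d+))?$")


def soa_serial(now=None):
    """SOA serial as the chapter's note describes it: seconds since
    1 January 1900 (the NTP epoch) taken from the clock, kept to 32 bits."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return int((now - NTP_EPOCH).total_seconds()) & 0xFFFFFFFF


def parse_soa_command(line):
    """Split an 'ip dns primary ... soa ...' line into its fields; the four
    timers fall back to the chapter's suggested defaults when omitted."""
    m = SOA_CMD.match(" ".join(line.split()))
    if not m:
        raise ValueError("not an 'ip dns primary ... soa' command: %r" % line)
    zone, primary, contact = (m.group(i).rstrip(".").lower() for i in (1, 2, 3))
    timers = tuple(int(x) for x in m.groups()[3:]) if m.group(4) else SOA_DEFAULTS
    return {"zone": zone, "primary": primary,
            "contact": contact.replace(".", "@", 1),   # sysadmin.sleet.com -> sysadmin@sleet.com
            "refresh": timers[0], "retry": timers[1],
            "expire": timers[2], "minimum": timers[3]}


def parse_records(text):
    """Parse 'owner. in <type> <rdata>' lines as written in this chapter into
    (owner, type, rdata) tuples, normalising case and trailing dots."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].lower() == "in":
            records.append((parts[0].rstrip(".").lower(), parts[2].lower(),
                            parts[3].rstrip(".").lower()))
    return records


def check_delegation(soa, records, director_ip):
    """Does the parent zone hand the subdomain to the Director consistently?
    Returns a list of problems (empty means consistent)."""
    problems = []
    ns_targets = [r for o, t, r in records if t == "ns" and o == soa["zone"]]
    if soa["primary"] not in ns_targets:
        problems.append("no NS record delegating %s to %s" % (soa["zone"], soa["primary"]))
    glue = [r for o, t, r in records if t == "a" and o == soa["primary"]]
    if director_ip not in glue:
        problems.append("no A record mapping %s to %s" % (soa["primary"], director_ip))
    # Common sanity rule (assumption, not from the chapter): retry < refresh < expire.
    if not soa["retry"] < soa["refresh"] < soa["expire"]:
        problems.append("SOA timers should satisfy retry < refresh < expire")
    return problems


# Constructed inputs using the chapter's example values.
DIRECTOR_SOA = ("ip dns primary www.sleet.com. soa dd.sleet.com sysadmin.sleet.com "
                "21600 900 7776000 86400")
PARENT_ZONE = """\
www.sleet.com. in ns dd.sleet.com.
dd.sleet.com. in a 10.0.0.1
"""

if __name__ == "__main__":
    soa = parse_soa_command(DIRECTOR_SOA)
    print(soa)
    print(check_delegation(soa, parse_records(PARENT_ZONE), "10.0.0.1"))  # [] when consistent
    print(soa_serial())
```

Run the check against the parent zone before cutting over: a missing glue A record for the Director name is the usual reason a delegation to dd.sleet.com works from inside the network (where the name is already cached) and fails from outside.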