In a typical hub/spoke deployment, it is very common for the WAN interfaces to use some sort of dynamic addressing such as DHCP, PPPoE, LTE, etc. The 128T router can dynamically learn the DNS server address(es) for these interfaces and can load balance DNS requests across the learned servers. The dns-proxy feature aims to provide a simple way to proxy all DNS requests originating on the LAN side to the learned server address(es) on the WAN side without having to re-configure or update client endpoints. This allows the network to better adapt to failures on the WAN interfaces while minimizing loss of connectivity for client-side applications, since clients can use the LAN address of the 128T to resolve DNS requests.
The common workflow for using this feature is as follows:
- Configure a DNS server for the LAN network(s)
- Configure a DNS proxy service to match the advertisement
- Configure a service-route to indicate the WAN interface(s) to be used for proxying DNS requests
Advertise Interface Address as DNS Server
A key component for DNS proxy is the ability to configure a fixed address as the DNS address for the clients on the LAN. A typical choice is to use the LAN-facing 128T interface address as the DNS server address, though the feature is not limited to this choice. The selected address can either be statically configured on the clients or configured via DHCP server (either external or 128T acting as the DHCP server).
On a Linux system representing a client, its /etc/resolv.conf file would contain similar contents:
Configuring a DNS proxy service
The dns-proxy application-type is used for creating a DNS proxy service. All other service attributes such as access-policies, service-policies, etc., are also applicable to this service. The dns-proxy application-type instructs the 128T router to perform a destination NAT on the traffic when a session is created for the service.
The example configuration captures all DNS traffic sent to the interface address 10.10.10.1, which was configured as the DNS server on the test client in the previous step.
How to proxy DNS requests originating from the Linux host of the 128T router
The _internal_ tenant has a special meaning on 128T routers: it represents the traffic originating from the host OS of the router. When the service allows the _internal_ tenant and a service-route is created for this service, the Linux environment of the target router is automatically configured to use the DNS proxy. The /etc/resolv.conf on the 128T is modified to point to a loopback address within the 128T router.
This allows all DNS queries (for example, those resulting from dnf lookups) to be intercepted by the 128T router, which creates sessions for them appropriately.
Additionally, this loopback address needs to be added to
The /etc/resolv.conf file can also be configured to point to the LAN interface address to achieve the same results.
Configuring Service Route(s)
When the service route's next hop for the dns-proxy service points to a dynamic interface, such as a DHCP-based interface, any learned DNS address(es) will automatically be used as the destination NAT target for sessions of that service. This is accomplished by populating the target-address configuration internally upon address resolution. An example of the service-route configuration is as follows:
A few key points about the service-route for a dns-proxy service type:
Multiple learned DNS addresses
If the dynamic interface learns multiple IP addresses, the 128T router applies a round-robin load-balancing strategy amongst these IP addresses. Here's how you can check the details of the learned DNS addresses.
The following example illustrates how the round-robin strategy is applied to load-balance queries across multiple learned addresses, shown for two back-to-back queries.
As seen in the example above, the next-hop points to a DHCP interface and also specifies 22.214.171.124 as the target-address. When this configuration is present, the learned addresses are combined with the statically configured address(es). Based on the previous example, this means that there will be three DNS server targets (126.96.36.199, 172.20.0.100, 172.20.0.101). This configuration also allows the user to configure a failsafe DNS server address in case the DHCP server does not provide any valid DNS server addresses.