
Configuring Private DNS for Highly Available Name Resolution

This solution can be used in lab scenarios where DNS is not fully set up or available to resolve clusters, the SmartConnect zones used in SyncIQ policies, or the hosts used by Script Engine automation, so that names resolve reliably without any dependency on external DNS servers.  This matters if DNS servers are impacted by a DR event and failed name resolution would impact Eyeglass operations.

This is done with the dnsmasq OS utility: all critical DNS entries for DR resolution are placed in the /etc/hosts file, dnsmasq answers those names locally, and external DNS is used only for non-mission-critical name resolution.  See the dnsmasq configuration options (dnsmasq.conf and its man page) for details.

Names to add to the hosts file include:

  1. All FQDNs of the SmartConnect zones used as SyncIQ target cluster values.  Dedicate an IP pool and SmartConnect zone to SyncIQ between clusters, and add all such zones.

  2. Cluster reverse-lookup names.  Example for a cluster IP address of 172.31.1.104:

    1. hosts entry would be = 172.31.1.104     104.1.31.172.in-addr.arpa

    2. Note: each cluster should be added using this syntax, because the TLS connection setup issues a reverse lookup of the cluster IP as part of the security handshake.  This entry answers that query locally and avoids a DNS lookup.  It also covers the case where no DNS is available to resolve the query, and so avoids DNS query timeouts, typically 10s per query per DNS name server added to the appliance.  Each API request to a cluster is a TLS request that incurs a reverse lookup for security purposes.  This is ONLY an issue if BOTH DNS servers added to Eyeglass are unreachable for ANY query, i.e. an IP routing issue to BOTH listed DNS servers makes every query time out.

  3. Hosts that are configured for Script Engine mount automation scripting should have entries in /etc/hosts to ensure name resolution does not block failover of the host mounts.  If any script uses SSH or other API calls to remote hosts, those hosts should also be added to the local /etc/hosts file.
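The following is an added example, not part of the original article or of the Eyeglass product: a small shell helper that generates the /etc/hosts lines described above from a cluster and zone inventory, and checks an existing hosts file for missing reverse entries.  The inventory format (one "ip [fqdn]" per line), the IP addresses and the zone name siq-dr.ad1.test are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not from the Eyeglass article): build and check the
# /etc/hosts entries needed for DR name resolution.  IPs and names are assumed.

# Print the reverse-lookup hosts entry the article prescribes for one IPv4
# address:  172.31.1.104 -> "172.31.1.104 104.1.31.172.in-addr.arpa"
# Returns 1 (prints nothing) for anything that is not four octets of 0-255.
ptr_hosts_entry() {   # ptr_hosts_entry <ip>
    local ip="$1" a b c d o
    IFS=. read -r a b c d <<< "$ip"
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s %s.%s.%s.%s.in-addr.arpa\n' "$ip" "$d" "$c" "$b" "$a"
}

# Forward entry for a SmartConnect zone used as a SyncIQ target.
zone_hosts_entry() {   # zone_hosts_entry <ip> <fqdn>
    printf '%s %s\n' "$1" "$2"
}

# Read "<ip> [fqdn]" lines on stdin (a constructed inventory; "#" lines are
# comments) and emit the hosts-file fragment: a reverse entry for every IP
# (required for cluster API IPs, harmless for zone IPs) plus a forward entry
# for each SmartConnect zone FQDN given.
dr_hosts_block() {
    local ip fqdn
    while read -r ip fqdn; do
        [ -n "$ip" ] || continue
        case "$ip" in \#*) continue ;; esac
        ptr_hosts_entry "$ip" || { echo "skipping bad ip: $ip" >&2; continue; }
        if [ -n "$fqdn" ]; then zone_hosts_entry "$ip" "$fqdn"; fi
    done
    return 0
}

# Print each cluster IP that has NO reverse entry in the given hosts file
# (comments ignored, extra whitespace tolerated); return 1 if any is missing.
check_reverse_entries() {   # check_reverse_entries <hosts-file> <ip>...
    local hosts="$1"; shift
    local missing=0 ip want
    for ip in "$@"; do
        want=$(ptr_hosts_entry "$ip") || { echo "bad ip: $ip" >&2; missing=1; continue; }
        if ! grep -v '^[[:space:]]*#' "$hosts" | awk 'NF>=2{print $1" "$2}' | grep -qxF "$want"; then
            echo "$ip"
            missing=1
        fi
    done
    return $missing
}
```

Usage on the appliance would be `dr_hosts_block < inventory.txt >> /etc/hosts` followed by `check_reverse_entries /etc/hosts <cluster-ip>...`; dnsmasq re-reads /etc/hosts on restart (or SIGHUP), so restart it after appending.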

 

Prerequisites:

 

  1. dnsmasq package added (see below)

Configuration Steps:

  1. SSH to Eyeglass as admin, sudo -s (or use Webshell on Eyeglass menu)

  2. zypper install dnsmasq (answer yes)

  3. run yast and edit the network settings for the NIC to change the DNS server to 127.0.0.1 (if a second DNS server is listed, remove it).  Note: on SUSE, netconfig regenerates /etc/resolv.conf from these YaST settings, so set 127.0.0.1 here rather than only by hand.

  4. using vi, edit /etc/resolv.conf (want a better editor? “zypper install pico”, then use pico filename)

    1. add, after the first name server, any name server that can be used as a backup for other non-critical DR name resolution.  Note: for online upgrades and OS security patches, a public name server resolution path must exist to resolve internet names.  dnsmasq reads this same file for its upstream servers and skips its own 127.0.0.1 address, so only the second entry is forwarded to.

    2. /etc/resolv.conf should read:

    3. nameserver 127.0.0.1 (must be first)

    4. nameserver 192.168.1.250 (can be any corporate DNS); fall back if local /etc/hosts does not have a match

  5. using pico edit /etc/hosts to add entries as required that are outlined above as examples

  6. After changing values dnsmasq must be restarted

    1. systemctl restart dnsmasq

    2. Note: dnsmasq caches responses from external DNS servers, both positive and negative (i.e. name not found), for faster name resolution.  In addition to providing local name resolution management with external lookups, the values are cached in RAM, allowing known values to be referenced many times without querying external name servers.  This is useful for OS security repositories and Eyeglass repositories.  A restart of dnsmasq flushes this cache, including any negative entries.

  7. Optional: to test that dnsmasq is working as expected, do the following steps before moving into production use with dnsmasq.

    1. pico /etc/dnsmasq.conf

    2. find “log-queries”

    3. remove the # comment

    4. Then add this line below it

    5. “log-facility=/var/log/dnsmasq.log” (don’t use quotes, only to show the full line)

    6. save the file

    7. restart dnsmasq with “systemctl restart dnsmasq”

    8. Note: this step assumes you have edited your /etc/hosts file as per above before you test.

    9. tail -f /var/log/dnsmasq.log

    10. In another terminal session query a value that is in the /etc/hosts file with nslookup.  Example output is below for a reverse lookup response.  If you don’t see the response coming from /etc/hosts then the syntax is not correct.  Correct it, restart dnsmasq and retest.

    11. A good query looks like this:

      dev:/etc # nslookup 172.31.1.105
      Server: 127.0.0.1
      Address: 127.0.0.1#53
      105.1.31.172.in-addr.arpa name = 105.1.31.172.in-addr.arpa.

    12. AND the dnsmasq log file looks like this (the answer is marked as coming from /etc/hosts):

      Dec  5 16:47:12 dnsmasq[2572]: query[PTR] 105.1.31.172.in-addr.arpa from 127.0.0.1
      Dec  5 16:47:12 dnsmasq[2572]: /etc/hosts 172.31.1.105 is 105.1.31.172.in-addr.arpa

    13. NOTE: if you query a name and do not get a positive response from /etc/hosts OR external DNS, you have just cached a negative response on the host; fix the /etc/hosts entry and restart dnsmasq to clear it.  This looks like:

      Dec  5 16:45:09 dnsmasq[2572]: query[A] SIQ-DR.ad1.test from 127.0.0.1
      Dec  5 16:45:09 dnsmasq[2572]: cached SIQ-DR.ad1.test is NXDOMAIN
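The following is an added example, not part of the original article or of the Eyeglass product.  It scripts the resolver configuration from the steps above (resolv.conf ordering, enabling query logging in dnsmasq.conf) with a check that the ordering is correct, and then audits a dnsmasq query log for the two conditions the test section describes: answers served from /etc/hosts and negatively cached names.  The upstream DNS address 192.168.1.250, the file paths and the sample log lines are assumed or constructed for the example.

```bash
#!/bin/bash
# Added example, not from the Eyeglass article: render and verify the resolver
# configuration, then audit dnsmasq's query log.  Paths, the upstream DNS IP
# and the sample log are assumptions/constructed data.

# Render /etc/resolv.conf: dnsmasq (127.0.0.1) first, corporate DNS as fall-back.
render_resolv_conf() {   # render_resolv_conf <upstream-ip>...
    printf 'nameserver 127.0.0.1\n'
    local up
    for up in "$@"; do printf 'nameserver %s\n' "$up"; done
}

# Return 0 only if the first nameserver is 127.0.0.1 and an upstream follows it.
check_resolv_conf() {   # check_resolv_conf <file>
    local first n
    first=$(awk '$1=="nameserver"{print $2; exit}' "$1")
    n=$(awk '$1=="nameserver"{c++} END{print c+0}' "$1")
    [ "$first" = "127.0.0.1" ] && [ "$n" -ge 2 ]
}

# Idempotently turn on query logging in dnsmasq.conf (steps 7.1 to 7.5 above).
enable_query_logging() {   # enable_query_logging <dnsmasq.conf> <logfile>
    local conf="$1" log="$2"
    sed -i 's/^#[[:space:]]*log-queries[[:space:]]*$/log-queries/' "$conf"
    grep -qx 'log-queries' "$conf" || echo 'log-queries' >> "$conf"
    if grep -q '^log-facility=' "$conf"; then
        sed -i "s|^log-facility=.*|log-facility=$log|" "$conf"
    else
        echo "log-facility=$log" >> "$conf"
    fi
}

# Summarise where answers came from: /etc/hosts, the negative cache, or upstream.
# Field 5 of a dnsmasq log line is the answer source ("/etc/hosts", "cached",
# "forwarded", ...); the article's sample lines use this layout.
dnsmasq_answer_sources() {   # dnsmasq_answer_sources <logfile>
    awk '
        $5 == "/etc/hosts"                  { hosts++ }
        $5 == "cached" && $NF == "NXDOMAIN" { negative++ }
        $5 == "forwarded"                   { forwarded++ }
        END { printf "hosts=%d negative=%d forwarded=%d\n", hosts+0, negative+0, forwarded+0 }
    ' "$1"
}

# Print every DR-critical name that was forwarded upstream or hit the negative
# cache; return 1 if any did.  Those names are missing from /etc/hosts.
check_dr_names_local() {   # check_dr_names_local <logfile> <name>...
    local log="$1"; shift
    local bad=0 name
    for name in "$@"; do
        if awk -v n="$(printf '%s' "$name" | tr 'A-Z' 'a-z')" '
            ($5 == "forwarded" && tolower($6) == n) ||
            ($5 == "cached" && tolower($6) == n && $NF == "NXDOMAIN") { found = 1 }
            END { exit !found }' "$log"; then
            echo "$name"; bad=1
        fi
    done
    return $bad
}

# Apply on the appliance as root (not run here): install, configure, restart.
apply_private_dns() {   # apply_private_dns <upstream-ip>...
    zypper --non-interactive install dnsmasq
    render_resolv_conf "$@" > /etc/resolv.conf
    check_resolv_conf /etc/resolv.conf || { echo 'resolv.conf order wrong' >&2; return 1; }
    enable_query_logging /etc/dnsmasq.conf /var/log/dnsmasq.log
    systemctl enable --now dnsmasq && systemctl restart dnsmasq
}

# Constructed sample log in the format shown in the article (not real data).
sample_dnsmasq_log() {
    cat <<'EOF'
Dec  5 16:45:09 dnsmasq[2572]: query[A] SIQ-DR.ad1.test from 127.0.0.1
Dec  5 16:45:09 dnsmasq[2572]: cached SIQ-DR.ad1.test is NXDOMAIN
Dec  5 16:47:12 dnsmasq[2572]: query[PTR] 105.1.31.172.in-addr.arpa from 127.0.0.1
Dec  5 16:47:12 dnsmasq[2572]: /etc/hosts 172.31.1.105 is 105.1.31.172.in-addr.arpa
Dec  5 16:48:01 dnsmasq[2572]: query[A] repo.example.test from 127.0.0.1
Dec  5 16:48:01 dnsmasq[2572]: forwarded repo.example.test to 192.168.1.250
Dec  5 16:48:01 dnsmasq[2572]: reply repo.example.test is 192.0.2.10
EOF
}
```

Run `check_dr_names_local /var/log/dnsmasq.log <zone-fqdn> <N.N.N.N.in-addr.arpa>...` after a test failover: any name it prints was answered from upstream DNS or the negative cache rather than /etc/hosts, which is exactly the dependency this configuration is meant to remove.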

 
