GSS response

Unanswered Question
Aug 26th, 2008

Hi Iftekhar,


Found the following traffic flow in one of your responses to a query about integrating DNS with GSS.

!!!!!!!!!!!!!!!!!


Typical flow is as follows


1. Client will hit their DNS servers (configured on their machines as primary/backup dns server).


2. "Client's DNS server" will query "DNS server authoritative for abc.com" for www.abc.com.


3. "DNS server authoritative for abc.com" will ask "client's DNS server" to query "GSS - Authoritative for www.abc.com"


4. "Client's DNS server" will query GSS for www.abc.com.


5. GSS will send the IP address of www.abc.com (which should be configured on ACE as VIP).


6. "Client's DNS server" will hand over this VIP to the client


7. Client will hit the VIP configured on ACE (for application www.abc.com).



Syed iftekhar Ahmed


!!!!!!!!!!!!!!!!


My doubt is about steps 3 and 4.


In our scenario, we had done delegation of a subdomain to the GSS. Hence the DNS has two NS entries for the same subdomain.


And when a request comes from the client to the DNS, the DNS does not reply back with the GSS IP address. It in turn does a recursive lookup with the GSS; the GSS returns the IP of the server to the DNS, which in turn forwards it to the client. Hence the client never sees the GSS.

We had done a staging activity to test the effectiveness of this, and it was working fine.


Do you see any drawbacks in this recursive mode of operation when compared to your iterative mode?


Please advise.


Regards


Sanju

Syed Iftekhar Ahmed Tue, 08/26/2008 - 08:51

Sanju


If you carefully read the steps then you will see that I am saying the same thing.

In step 4 it's the "client's DNS server" that is querying the GSS (not the client), and in step 6 the "client's DNS server" is providing the A record (answer) to the client. Hence the client itself will never hit/query the GSS directly.


The DNS request is recursive from the client's perspective only, i.e. when the client hits its local DNS server it's a recursive query. (Hence the local DNS server will respond back with the final answer.)


The client's local DNS server then uses iterative requests on behalf of the client.


It looks as if you are mixing up the iterative and recursive concepts. Please see the following link


http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncc_dns_eqhi.mspx?mfr=true

to clear your confusion.



HTH

Syed Iftekhar Ahmed

sanjumathen Tue, 08/26/2008 - 21:51

Hi Syed,


Sorry, I didn't make myself clear there.


What I mean is: will the client DNS query the GSS?


In our scenario the client DNS is answered by the authoritative DNS itself for the domain and not by the GSS.


Client ---> CL DNS ---> Auth DNS ---> GSS ---> Web Server


The request goes to the Auth DNS, which forwards it to the GSS; the GSS returns the A record to the Auth DNS, and the response goes from the Auth DNS to the client. Is this valid behaviour?


Please advise.


Syed Iftekhar Ahmed Tue, 08/26/2008 - 22:11

The "DNS server authoritative for the domain" should have an NS record pointing towards the GSS.


For example, if the DNS server is authoritative for "abc.com" and you make the GSS authoritative for "www.abc.com", then the primary DNS server should have the following records


www.abc.com. IN NS gss01.abc.com. <-- NS record for www.abc.com via GSS01

www.abc.com. IN NS gss02.abc.com. <-- NS record for www.abc.com via GSS02


gss01.abc.com. IN A 1.1.1.1 <-- A record for GSS01

gss02.abc.com. IN A 2.2.2.2 <-- A record for GSS02


When the "client DNS server" requests an A record for "www.abc.com", then, since the primary DNS server has an NS record for www.abc.com, it should only hand over the NS record to the "client's DNS server". So the client's DNS server should contact the GSS to get the final answer.


Proximity/sticky logic won't make any sense if the "DNS server authoritative" for the domain is the only GSS client.


Syed Iftekhar Ahmed
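The seven-step flow quoted at the top of the thread and the NS/glue records in the reply above describe the same mechanism: the authoritative server for abc.com hands the client's resolver a referral, and the resolver, not the client and not the authoritative server, queries the GSS. The following toy model is an added example written for this page; it is not code from the thread, from Cisco, or from the GSS product. Every hostname, IP address and the "proximity" rule in the GSS class are assumptions chosen for illustration, and the resolver walk is simplified to start at the abc.com server instead of at the root.

```python
"""Toy model of the delegation flow discussed in this thread.

Added example, not code from the thread, from Cisco, or from the GSS product.
Every hostname, IP address and the GSS "proximity" rule below are assumptions
invented for illustration. The resolver walk is simplified: a real resolver
starts at the root servers and follows referrals downward; here it starts
directly at the server authoritative for abc.com.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Answer:
    name: str
    address: str


@dataclass
class Referral:
    """'Not my zone; ask one of these nameservers' (NS records plus glue A records)."""
    name: str
    glue: Dict[str, str]  # nameserver hostname -> IP address


class AuthDNS:
    """Authoritative for abc.com. Delegates www.abc.com to the GSS pair via NS + glue records."""

    def __init__(self) -> None:
        self.a_records = {
            "mail.abc.com.": "198.51.100.25",  # ordinary record, served directly
            "gss01.abc.com.": "1.1.1.1",       # glue for the delegation (assumed addresses)
            "gss02.abc.com.": "2.2.2.2",
        }
        self.ns_records = {"www.abc.com.": ["gss01.abc.com.", "gss02.abc.com."]}

    def query(self, qname: str, source_ip: str) -> Optional[Union[Answer, Referral]]:
        if qname in self.ns_records:  # delegated name: return the NS record set, not an answer
            return Referral(qname, {ns: self.a_records[ns] for ns in self.ns_records[qname]})
        if qname in self.a_records:
            return Answer(qname, self.a_records[qname])
        return None


class GSS:
    """Authoritative for www.abc.com only. Picks the VIP to return based on who is asking."""

    def __init__(self) -> None:
        self.queries_seen: List[str] = []  # source IP of every query that reached the GSS

    def query(self, qname: str, source_ip: str) -> Optional[Answer]:
        self.queries_seen.append(source_ip)
        if qname != "www.abc.com.":
            return None
        # Assumed proximity rule: resolvers in 10.0.0.0/8 get the DC-A VIP, everyone else DC-B.
        vip = "192.0.2.10" if source_ip.startswith("10.") else "203.0.113.10"
        return Answer(qname, vip)


class ClientDNS:
    """The client's local resolver: answers the client's recursive query by sending
    iterative queries itself and following the referral to the GSS."""

    def __init__(self, ip: str, auth_ip: str, network: Dict[str, Union[AuthDNS, GSS]]) -> None:
        self.ip = ip
        self.auth_ip = auth_ip
        self.network = network  # IP -> the server reachable at that address
        self.trail: List[str] = []

    def resolve(self, qname: str, client_ip: str) -> Optional[str]:
        self.trail = [f"client {client_ip} -> resolver {self.ip}: recursive query for {qname}"]
        next_ip = self.auth_ip
        for _ in range(8):  # hard stop so a looping delegation cannot spin forever
            result = self.network[next_ip].query(qname, self.ip)  # servers see the resolver's IP
            self.trail.append(f"resolver {self.ip} -> {next_ip}: iterative query for {qname}")
            if isinstance(result, Answer):
                self.trail.append(f"resolver {self.ip} -> client {client_ip}: {result.address}")
                return result.address
            if isinstance(result, Referral):
                next_ip = next(iter(result.glue.values()))  # a real resolver would try every NS
                continue
            return None
        return None


def lookup(qname: str, resolver_ip: str, client_ip: str = "10.20.30.40") -> Tuple[Optional[str], List[str], List[str]]:
    """Run one lookup; return (address the client gets, source IPs the GSS saw, message trail)."""
    auth, gss = AuthDNS(), GSS()
    network = {"192.0.2.53": auth, "1.1.1.1": gss, "2.2.2.2": gss}  # assumed addresses
    resolver = ClientDNS(resolver_ip, "192.0.2.53", network)
    address = resolver.resolve(qname, client_ip)
    return address, gss.queries_seen, resolver.trail


if __name__ == "__main__":
    for resolver_ip in ("10.0.0.2", "172.16.0.2"):
        address, seen, trail = lookup("www.abc.com.", resolver_ip)
        print("\n".join(trail))
        print(f"GSS saw queries from {seen}; client received {address}\n")
```

Running it with two resolvers on different networks shows the two points made in the thread: the GSS only ever sees the querying resolver's address, never the end client's, and a query for mail.abc.com never touches the GSS because the delegation covers only www.abc.com. It also makes concrete why proximity or sticky logic is pointless when the authoritative server is the only thing that ever talks to the GSS: in that arrangement every query would arrive from one source address, so there would be nothing for the GSS to select on.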

sanjumathen Tue, 08/26/2008 - 23:10

Hi Syed,


In our scenario the Auth DNS is authoritative for abc.com. There is no change in that. The customer wants only a subdomain like xyz.abc.com to be delegated to the GSS. Hence we have created a delegation and assigned the GSS as the NS for xyz.abc.com.


Hence any request for xyz is sent to the GSS and the DNS still remains authoritative for any other requests to abc.com.


So what the client DNS sees is the Auth DNS and not the GSS.


Regards

Sanju



Syed Iftekhar Ahmed Tue, 08/26/2008 - 23:38

If the GSS is responding to DNS requests for the subdomain and the primary DNS server is serving records for the parent domain, then it's the correct behaviour.


Syed Iftekhar Ahmed

sanjumathen Tue, 08/26/2008 - 23:43

Thanks a lot Syed... Was afraid whether it is correct or whether it is required to operate in iterative mode. Cheers mate.
