Cisco Support Community
Community Member

GSS response

Hi Iftekhar,

Found the following traffic flow in one of your responses to a query for integrating DNS with GSS.


Typical flow is as follows

1. Client will hit their DNS servers (configured on their machines as primary/backup dns server).

2. "Client's DNS server" will query "DNS server authoritative for" for

3. "DNS server authoritative for" will ask "client's DNS server" to query "GSS - Authoritative for "

4. "Client's DNS server" will query GSS for

5. GSS will send the ip add of (which should be configured on ACE as VIP).

6. "Client's DNS server" will handover this VIP to client

7. Client will hit the VIP configured on ACE (for application

Syed iftekhar Ahmed


My doubt is about steps 3 and 4.

In our scenario, we had done delegation of a subdomain to the GSS. Hence the DNS has two NS entries for the same subdomain.

And when a request comes from the client to the DNS, the DNS does not reply back with the GSS IP address. It in turn does a recursive lookup with the GSS. The GSS returns the IP of the server to the DNS, which in turn forwards it to the client. Hence the client never sees the GSS.

We had done a staging activity to test the effectiveness of this, and it was working fine.

Do you see any drawbacks in this recursive mode of operation when compared to your iterative mode?

Please advise.




Re: GSS response


If you carefully read the steps then you will see that I am saying the same thing.

In step 4 it's "client's DNS server" that is querying the GSS (not the client) and in step 6 "client's DNS server" is providing the A-record (answer) to the client. Hence client itself will never hit/query the GSS directly.

DNS request is recursive from client's perspective only, i.e. when client hits its local DNS server it's a recursive query. (Hence local DNS server will respond back with the final answer.)

Local DNS server of the client then uses iterative requests on behalf of client.

It looks as if you are mixing up the iterative & Recursive concept. Please see the following link.

to clear your confusion.


Syed Iftekhar Ahmed

Community Member

Re: GSS response

Hi Syed,

Sorry, I didn't make myself clear there.

What I mean is: will the client DNS query the GSS?

In our scenario the client DNS is answered by the authoritative DNS itself for the domain and not by GSS.

Client ---> CL DNS ---> Auth DNS ---> GSS ---> Web Server

The request goes to the Auth DNS, which forwards it to the GSS. The GSS returns the A record to the Auth DNS, and the response goes from the Auth DNS to the client. Is this a valid behaviour?

Please advise.

Re: GSS response

The "DNS server authoritative for for Domain" should have a NS record pointing towards the GSS.

For example, if DNS server is authoritative for "" and you make GSS authoritative for "" then primary DNS server should have the following records:

IN NS <-- NS record for via GSS01
IN NS <-- NS record for via GSS02
IN A <-- A record for GSS01
IN A <-- A record for GSS02

When "Client DNS Server" requests A-record for "" then since primary DNS server has an NS record for, it should only hand over the NS record to "client's DNS Server". So the client's DNS server should contact the GSS to get the final answer.

Proximity/Sticky logic won't make any sense if "DNS server authoritative" for domain is the only GSS client.

Syed Iftekhar Ahmed
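
The two flows discussed in this thread, as an added example that is not part of the original posts: a toy model (no real DNS traffic) that records which source address the GSS sees when the parent server hands back a referral versus when it fetches the answer from the GSS itself. The domain name, addresses and proximity table are constructed placeholders, since the thread's own names are not shown.

```python
# Added illustration: every name and address here is a constructed placeholder.
from dataclasses import dataclass, field

DELEGATED = "app.example.com."  # hypothetical subdomain delegated to the GSS
VIPS = {"east": "192.0.2.10", "west": "192.0.2.20"}  # hypothetical ACE VIPs
# Toy proximity table: the site considered closest to each querying address.
PROXIMITY = {"198.51.100.53": "east", "203.0.113.53": "west", "192.0.2.53": "east"}

@dataclass
class GSS:
    seen_sources: list = field(default_factory=list)

    def query(self, qname, src_ip):
        """Pick a VIP based on the source address of the DNS query."""
        self.seen_sources.append(src_ip)
        return VIPS[PROXIMITY.get(src_ip, "east")]

@dataclass
class ParentAuth:
    gss: GSS
    ip: str = "192.0.2.53"
    proxy_mode: bool = False  # True: parent server queries the GSS itself

    def query(self, qname, src_ip):
        if not qname.endswith(DELEGATED):
            return ("ANSWER", None)  # served from the parent zone; not modelled
        if self.proxy_mode:
            # The GSS only ever sees the parent server's own address.
            return ("ANSWER", self.gss.query(qname, self.ip))
        return ("REFERRAL", self.gss)  # NS record plus glue A record

def resolve(local_dns_ip, parent, qname):
    """Client's local DNS: recursive towards the client, iterative upstream."""
    kind, data = parent.query(qname, local_dns_ip)
    if kind == "REFERRAL":
        return data.query(qname, local_dns_ip)  # step 4: local DNS asks the GSS
    return data

def run(proxy_mode):
    """Resolve one name from two local DNS servers; return answers and GSS view."""
    gss = GSS()
    parent = ParentAuth(gss, proxy_mode=proxy_mode)
    resolvers = ("198.51.100.53", "203.0.113.53")
    answers = {ip: resolve(ip, parent, "www." + DELEGATED) for ip in resolvers}
    return answers, set(gss.seen_sources)

if __name__ == "__main__":
    print("referral:", run(False))
    print("proxied :", run(True))
```

With a referral, each local DNS server is steered to its nearest VIP; when the parent server proxies the query, every client receives the answer chosen for the parent server's address.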

Community Member

Re: GSS response

Hi Syed,

In our scenario the Auth DNS is authoritative for There is no change in that. The customer wants only a subdomain like to be delegated to the GSS. Hence we have created a delegation and assigned GSS as the NS for,

Hence any request for xyz is sent to GSS and the DNS still remains the authoritative for any other requests to

So what the client DNS sees is the Auth DNS and not the GSS.



Re: GSS response

If GSS is responding to DNS request for the subdomain and Primary DNS server is serving records for the parent domain then it's the correct behaviour.

Syed Iftekhar Ahmed

Community Member

Re: GSS response

Thanks a lot Syed... Was afraid whether it is correct or whether it is required to operate in iterative mode... cheers mate
