Tomas de Leon
Cisco Employee

About DNS

The ACI fabric DNS service is contained in the fabric managed object. The fabric global default DNS profile can be accessed throughout the fabric. The figure below depicts the logical relationships of the DNS managed objects within the fabric. 

 

 

 

 

A context must contain a dnsLbl object in order to use the global default DNS service. Label matching enables tenant contexts to consume the global DNS provider. Since the name of the global DNS profile is "default", the context label name is "default" (dnsLbl name = default).

 

 

To summarize the DNS Policy described above, there are 2 parts to configuring DNS in the Cisco ACI Fabric Solution:

 

  1. Create a DNS Profile (“default”) which will contain the information on DNS providers and DNS domains.
  2. Associate this DNS Profile (“default” or another DNS profile) name to a DNS label under the required Tenant.

 

At the time of this Technote, the following is true:  At FCS, the Cisco ACI Fabric Solution will support ONLY 1 DNS Policy for the whole Pod with the name “default”.  As per design at this time, the APIC will ONLY use the DNS Policy Profile with the name “default”.

 

So configuring Part 1 configures and enables the DNS Policy for the APIC(s) to use, and makes the “default” DNS profile name available to other Nodes in the ACI Fabric Pod in the required Tenants.  For ACI Pod Management purposes, Part 2 is necessary to apply the “default” DNS Policy Profile to the Leaf(s) and Spine(s) in the ACI Fabric.

 

Note:  The following procedures and examples assume that Layer 2 or Layer 3 management connectivity is configured.

 

 

Part 1  - Create a DNS Profile (“default”) which will contain the information on DNS providers and DNS domains.

 

Method 1.1:  Configuring a DNS Server Policy Using the GUI

 

Step 1-  On the menu bar, choose FABRIC > Fabric Policies, and in the Navigation pane, expand Global Policies > DNS Profiles, and click the default DNS profile.  If the default DNS profile is NOT already present, right-click DNS Profiles, select “Create DNS Profile” and name it “default”.

 

 

 

 

Step 2- In the Work pane, in the Management EPG field, from the drop-down list, choose the appropriate management EPG (default (Out-of-Band)).

 

Step 3- Expand DNS Providers, and perform the following actions:

  • In the Address field, type the provider address.
  • In the Preferred column, click the checkbox if you want to have this address as the preferred provider. You can have only one preferred provider.
  • Click Update.
  • (Optional) To add a secondary DNS provider, expand DNS Providers, and in the Address field, type the provider address. Click Update.

 

Step 4- Expand DNS Domains, and perform the following actions:

  • In the Name field, type the domain name (cisco.com).
  • In the Default column, click the checkbox to make this domain the default domain. You can have only one domain name as the default.
  • Click Update.
  • (Optional) To add a secondary DNS domain, expand DNS Domains, and in the Address field, type the secondary domain name. Click Update.

 

Step 5- Click Submit. The Status dialog box displays Changes Saved Successfully. 

 

Step 6- Click OK. The DNS server is configured. 

 

 

 

 

 

Method 1.2:  Configuring a DNS Server Policy Using the REST API

 

The following API examples use these DNS Server Policy criteria:

DNS Domain        =  cisco.com

DNS Providers     =  64.102.6.247 (Preferred), 173.37.87.157, 171.70.168.183, 161.44.124.122

 

Task 1.2.1:  API Example for JSON

 

method: POST  

url:  http://10.122.254.211/api/node/mo/uni/fabric/dnsp-default.json

 

payload:

{"dnsProfile":{"attributes":{"dn":"uni/fabric/dnsp-default","name":"default","descr":"added by tdeleon@cisco.com","rn":"dnsp-default","status":"created"},"children":[{"dnsDomain":{"attributes":{"dn":"uni/fabric/dnsp-default/dom-cisco.com","name":"cisco.com","isDefault":"true","descr":"added by tdeleon@cisco.com","rn":"dom-cisco.com","status":"created"},"children":[]}},{"dnsProv":{"attributes":{"dn":"uni/fabric/dnsp-default/prov-[161.44.124.122]","addr":"161.44.124.122","rn":"prov-[161.44.124.122]","status":"created"},"children":[]}},{"dnsProv":{"attributes":{"dn":"uni/fabric/dnsp-default/prov-[171.70.168.183]","addr":"171.70.168.183","rn":"prov-[171.70.168.183]","status":"created"},"children":[]}},{"dnsProv":{"attributes":{"dn":"uni/fabric/dnsp-default/prov-[173.37.87.157]","addr":"173.37.87.157","rn":"prov-[173.37.87.157]","status":"created"},"children":[]}},{"dnsProv":{"attributes":{"dn":"uni/fabric/dnsp-default/prov-[64.102.6.247]","addr":"64.102.6.247","preferred":"true","rn":"prov-[64.102.6.247]","status":"created"},"children":[]}},{"dnsRsProfileToEpg":{"attributes":{"tDn":"uni/tn-mgmt/mgmtp-default/oob-default","status":"created"},"children":[]}}]}}

response: {"imdata":[]}

 

 

Task 1.2.2:  API Example for XML

 

method: POST 

url:  http://10.122.254.211/api/node/mo/uni/fabric.xml

 

payload:

<dnsProfile name="dnsp-xmlpost">

  

     <dnsProv addr="64.102.6.247" preferred="yes"/>

     <dnsProv addr="173.37.87.157"/>

     <dnsProv addr="171.70.168.183"/>

     <dnsProv addr="161.44.124.122"/>

     <dnsDomain name="cisco.com" isDefault="yes"/>

     <dnsRsProfileToEpg tDn="uni/tn-mgmt/mgmtp-default/oob-default"/>

 

</dnsProfile>

 

 

 

Method 1.3:  Configuring a DNS Server Policy Using the CLI.

 

The following CLI examples use these DNS Server Policy criteria:

DNS Domain        =  cisco.com

DNS Providers     =  64.102.6.247 (Preferred), 173.37.87.157, 171.70.168.183, 161.44.124.122

 

Step 1 - In the CLI, change to the ACI directory for the fabric's DNS profiles. Check to see if the “default” profile is already defined.

 

Example:

admin@apic1:~> cd /aci/fabric/fabric-policies/global-policies/dns-profiles 

 

admin@apic1:dns-profiles> ls -al

total 1

drw-rw---- 1 admin admin 512 Jul 29 15:52 .

drw-rw---- 1 admin admin 512 Jul 29 15:52 ..

-r--r----- 1 admin admin   0 Jul 29 15:52 summary

 

admin@apic1:dns-profiles> cat summary

dns-profiles:

name  management-epg  dns-providers  dns-domains  description

----  --------------  -------------  -----------  -----------

 

 

Step 2 - Configure a DNS server policy using the CLI.

 

Note: The following steps assume the “default” DNS Profile is not present. If it is present, use the relevant parts of the example below to modify or add to the existing “default” DNS Profile.

 

Example:

admin@apic1:dns-profiles> mocreate default

admin@apic1:dns-profiles> cd default/

admin@apic1:default> cd dns-providers/

admin@apic1:dns-providers> mocreate 64.102.6.247 preferred yes

admin@apic1:dns-providers> mocreate 173.37.87.157

admin@apic1:dns-providers> mocreate 171.70.168.183

admin@apic1:dns-providers> mocreate 161.44.124.122

admin@apic1:dns-providers> cd ../dns-domains/

admin@apic1:dns-domains> mocreate cisco.com default yes

admin@apic1:dns-domains> cd ../

admin@apic1:default> moset management-epg uni/tn-mgmt/mgmtp-default/oob-default

admin@apic1:default> moconfig commit

Committing mo 'fabric/fabric-policies/global-policies/dns-profiles/default'

Committing mo 'fabric/fabric-policies/global-policies/dns-profiles/default/dns-domains/cisco.com'

Committing mo 'fabric/fabric-policies/global-policies/dns-profiles/default/dns-providers/161.44.124.122'

Committing mo 'fabric/fabric-policies/global-policies/dns-profiles/default/dns-providers/171.70.168.183'

Committing mo 'fabric/fabric-policies/global-policies/dns-profiles/default/dns-providers/173.37.87.157'

Committing mo 'fabric/fabric-policies/global-policies/dns-profiles/default/dns-providers/64.102.6.247'

 

All mos committed successfully.

 

 

 

Part 2  - Associate the DNS Profile (“default”) name to a DNS Label under the required Tenant (“mgmt”).

 

As mentioned earlier, for ACI Pod Management purposes Part 2 is necessary to apply the “default” DNS Policy Profile to the Leaf(s) and Spine(s) in the ACI Fabric.

 

Method 2.1:  Associate the DNS Profile (“default”) name to a DNS Label for the Tenant “mgmt” using the GUI.

 

Step 1- On the menu bar, click TENANTS > mgmt.

 

Step 2- In the Navigation pane, expand Networking > Private Networks > oob.

 

Step 3- In the Work pane, under Properties, in the DNS labels field, enter the appropriate DNS label (default). Click Submit.

 

The DNS profile label is now configured on the tenant and private network.

 

 

 

 

 

 

Method 2.2:  Associate the DNS Profile (“default”) name to a DNS Label for the Tenant “mgmt” using the REST API.

 

 

Task 2.2.1:  API Example for JSON

 

method: POST

url: 

http://10.122.254.211/api/node/mo/uni/tn-mgmt/ctx-oob/dnslbl-default.json

 

payload:

{"dnsLbl":{"attributes":{"dn":"uni/tn-mgmt/ctx-oob/dnslbl-default","name":"default","status":"created","rn":"dnslbl-default"},"children":[]}}

response: {"imdata":[]}
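An added example, not part of the original technote or of Cisco's tooling: a Python builder for the JSON bodies of Task 1.2.1 and Task 2.2.1 that validates addresses and names before they are embedded in distinguished names, and takes exactly one preferred provider and one default domain. The function names and the character-set checks are assumptions of this example.

```python
import ipaddress
import json
import re

# Conservative character sets (an assumption here) so no value can add '/', '[' or ']' to a DN.
NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def check_domain(name):
    if len(name) > 253 or not all(LABEL.fullmatch(part) for part in name.split(".")):
        raise ValueError(f"invalid DNS domain: {name!r}")
    return name.lower()

def mo(cls, attrs, children=()):
    """One managed object in the JSON shape used by Task 1.2.1."""
    return {cls: {"attributes": dict(attrs, status="created"), "children": list(children)}}

def build_dns_profile(name, providers, preferred, domains, default_domain, mgmt_epg_dn):
    if not NAME.fullmatch(name):
        raise ValueError(f"invalid profile name: {name!r}")
    addrs = [str(ipaddress.ip_address(p)) for p in providers]  # ValueError on a bad IP
    doms = [check_domain(d) for d in domains]
    preferred = str(ipaddress.ip_address(preferred))
    default_domain = check_domain(default_domain)
    # Single-valued arguments give "only one preferred / only one default" by construction.
    if len(set(addrs)) != len(addrs) or preferred not in addrs:
        raise ValueError("providers must be unique and include the preferred one")
    if default_domain not in doms:
        raise ValueError("default domain must be one of the configured domains")
    dn = f"uni/fabric/dnsp-{name}"
    kids = []
    for d in doms:
        extra = {"isDefault": "true"} if d == default_domain else {}
        kids.append(mo("dnsDomain", {"dn": f"{dn}/dom-{d}", "name": d, "rn": f"dom-{d}", **extra}))
    for a in addrs:
        extra = {"preferred": "true"} if a == preferred else {}
        kids.append(mo("dnsProv", {"dn": f"{dn}/prov-[{a}]", "addr": a, "rn": f"prov-[{a}]", **extra}))
    kids.append(mo("dnsRsProfileToEpg", {"tDn": mgmt_epg_dn}))
    return mo("dnsProfile", {"dn": dn, "name": name, "rn": f"dnsp-{name}"}, kids)

def build_dns_label(tenant, ctx, name):
    if not all(NAME.fullmatch(v) for v in (tenant, ctx, name)):
        raise ValueError("invalid tenant, context or label name")
    dn = f"uni/tn-{tenant}/ctx-{ctx}/dnslbl-{name}"
    return mo("dnsLbl", {"dn": dn, "name": name, "rn": f"dnslbl-{name}"})

if __name__ == "__main__":
    print(json.dumps(build_dns_label("mgmt", "oob", "default")))
```

Post each body to the URL that matches its dn, in an authenticated APIC session over HTTPS rather than plain HTTP.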

 

 

 

Task 2.2.2:  API Example for XML

 

method: POST

url:

http://10.122.254.211/api/node/mo/uni/tn-mgmt/ctx-oob.xml

 

payload:

<dnsLbl name="default"/>


 

 

Method 2.3:  Associate the DNS Profile (“default”) name to a DNS Label for the Tenant “mgmt” using the CLI.

 

admin@apic1:default> cd /aci/tenants/mgmt/networking/private-networks/oob/dns-profile-labels/

 

admin@apic1:dns-profile-labels> ls -al

total 1

drw-rw---- 1 admin admin 512 Jul 29 16:02 .

drw-rw---- 1 admin admin 512 Jul 29 16:02 ..

 

admin@apic1:dns-profile-labels> mocreate default

admin@apic1:dns-profile-labels> cd default

admin@apic1:default> moconfig commit

Committing mo 'tenants/mgmt/networking/private-networks/oob/dns-profile-labels/default'

 

All mos committed successfully.

 

 

 

 

Part 3 - How to verify that Parts 1 & 2 for DNS Profile “default” are configured and applied to Fabric Controllers & Switches.

 

Regardless of the method (GUI, REST API, or CLI) used to create the DNS Profile “default”, you can use the following example to verify DNS configuration and current DNS status on the Controllers & Switches.

 

Task 3.1:  Verify configuration for the Fabric -> Fabric Policies -> Global Policies -> DNS Profiles -> default

 

From the APIC Controller:

 

admin@apic1:~> cd /aci/fabric/fabric-policies/global-policies/dns-profiles/default

 

admin@apic1:default> cat summary

# dns-profile

name           : default

description    : added via CLI by tdeleon@cisco.com

ownerkey       :

ownertag       :

management-epg : tenants/mgmt/node-management-epgs/default/out-of-band/default

 

dns-providers:

address         preferred

--------------  ---------

161.44.124.122  no

171.70.168.183  no

173.37.87.157   no

64.102.6.247    yes

 

dns-domains:

name       default  description

---------  -------  -----------

cisco.com  yes

 

 

Task 3.2:  Verify configuration for the Tenant -> mgmt -> Networking -> Private Networks -> oob -> DNS labels

 

admin@apic1:default> cd /aci/tenants/mgmt/networking/private-networks/oob/dns-profile-labels/default

 

admin@apic1:default> cat summary

dns-lbl

name         : default

description  :

ownerkey     :

ownertag     :

tag          : yellow-green


 

 

 

Task 3.3:  Verify configuration is applied and working on the Fabric Controllers & Switches.

 

From an APIC Controller:

 

admin@apic1:~> cat /etc/resolv.conf

# Generated by IFC

search cisco.com

 

nameserver 64.102.6.247

 

nameserver 161.44.124.122

nameserver 173.37.87.157

nameserver 171.70.168.183

 

admin@apic1:~> ping www.cisco.com

PING origin-www.cisco.com (72.163.4.161) 56(84) bytes of data.

64 bytes from www1.cisco.com (72.163.4.161): icmp_seq=1 ttl=238 time=35.4 ms

64 bytes from www1.cisco.com (72.163.4.161): icmp_seq=2 ttl=238 time=29.0 ms

64 bytes from www1.cisco.com (72.163.4.161): icmp_seq=3 ttl=238 time=29.2 ms


 

 

From a Switch (Leaf\Spine):

 

leaf1# cat /etc/resolv.conf

search cisco.com

nameserver 64.102.6.247

nameserver 171.70.168.183

nameserver 161.44.124.122

nameserver 173.37.87.157

 

leaf1# cat /etc/dcos_resolv.conf

# DNS enabled


 

leaf1# ping www.cisco.com

PING origin-www.cisco.com (72.163.4.161): 56 data bytes

64 bytes from 72.163.4.161: icmp_seq=0 ttl=238 time=29.255 ms

64 bytes from 72.163.4.161: icmp_seq=1 ttl=238 time=29.212 ms

64 bytes from 72.163.4.161: icmp_seq=2 ttl=238 time=29.343 ms
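An added example, not part of the original technote: the Task 3.3 check as a script that compares a node's /etc/resolv.conf with the intended “default” profile and reports nameservers outside the policy, missing providers, and a preferred provider that is not listed first. The preferred-first expectation is an assumption drawn from the sample outputs above; the DRIFTED input and its 192.0.2.53 address are constructed.

```python
import ipaddress

# Intended policy: the criteria used throughout this technote.
PROVIDERS = ["64.102.6.247", "173.37.87.157", "171.70.168.183", "161.44.124.122"]
PREFERRED = "64.102.6.247"
DOMAIN = "cisco.com"

# resolv.conf as shown for leaf1 in Task 3.3.
LEAF1 = ("search cisco.com\nnameserver 64.102.6.247\nnameserver 171.70.168.183\n"
         "nameserver 161.44.124.122\nnameserver 173.37.87.157\n")
# Constructed sample: an address outside the policy displaces the preferred provider.
DRIFTED = ("# Generated by IFC\nsearch cisco.com\nnameserver 192.0.2.53\n"
           "nameserver 64.102.6.247\nnameserver 161.44.124.122\nnameserver 173.37.87.157\n")


def parse_resolv_conf(text):
    """Return (search_domains, nameservers), skipping comments and blank lines."""
    search, servers = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "search":
            search = [d.lower() for d in fields[1:]]  # a later search line replaces an earlier one
        elif fields[0] == "nameserver":
            servers.append(str(ipaddress.ip_address(fields[1])))  # ValueError on junk
    return search, servers


def audit(node, text, providers=PROVIDERS, preferred=PREFERRED, domain=DOMAIN):
    """Return a list of findings; an empty list means the node matches the policy."""
    search, servers = parse_resolv_conf(text)
    findings = []
    if not servers:
        findings.append(f"{node}: no nameservers (DNS label not applied?)")
    elif servers[0] != preferred:
        findings.append(f"{node}: preferred provider {preferred} is not listed first")
    findings += [f"{node}: unexpected nameserver {s}" for s in servers if s not in providers]
    findings += [f"{node}: missing nameserver {p}" for p in providers if p not in servers]
    if domain not in search:
        findings.append(f"{node}: search list lacks {domain}")
    return findings


if __name__ == "__main__":
    for node, text in (("leaf1", LEAF1), ("leaf-drifted", DRIFTED)):
        print(node, audit(node, text) or "OK")
```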

 

Comments
rhurst
Cisco Employee

A quick video on how to configure DNS for ACI

https://learningnetwork.cisco.com/docs/DOC-27256

 
