CSS Zone based DNS solution question

I have a css at the main site configured as a stand alone unit at the moment.
I have the advanced feature set and want to use our second CSS for a dynamic failover scenario in the DR site.
At the moment, in the event of Internet access interruption at the Main site, the DR site is configured to advertise the main site Internet subnet out its edge router to BGP.
The DR edge router receives updates from the Main site edge router through everything end to end and distributes this into BGP.
The DR PIX has static mappings to the main site servers.
But this is only if the link drops and everything else is up.
If the site gets wiped out, there is no failover plan.
I am thinking this will be a problem if I set up the Zone Based DNS scenario.
I have the CSS devices, is this a huge problem to work around?
Any thoughts?

Anyone? Gilles, any words of advice?
I found this in the documentation for ACLs; it states:
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command.

Similar Messages

  • CSS Zone based DNS for Site Redundancy?

    I am in the process of changing from rules based dns to zone based dns. I had used the document below to provide redundancy between 2 sites.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml
    There is an ACL in the document which says
    "If the primary site is up, then this ACL will tell requests landing on this site to prefer the Primary site.
    clause 10 permit any any destination content owner_backup/WWW-backup prefer hacked_redirectt
    clause 99 permit any any destination any
    apply circuit-(VLAN1)
    apply dns
    Once I implemented a dns-server zone, this ACL no longer has an effect. The requests are round-robining unless I set the dns-server zone to preferlocal. Unfortunately this does not solve my problem: if the main site is up, both CSSs should prefer the main site.
    How is this same thing accomplished with zone based dns, or is it even possible? Thanks.

  • GSLB Zone-Based DNS Payment Gw - Config Active-Active: Not Failing Over

    Hello All:
    Currently having a bit of a problem, have exhausted all resources and brain power dwindling.
    Brief:
    Two geographically diverse sites. Different AS's, different front ends. Migrated from one site with two CSS 11506's to two sites with one 11506 each.
    Flow of connection is as follows:
    Client --> FW Public Destination NAT --> CSS Private content VIP/destination NAT --> server/service --> CSS Source VIP/NAT --> FW Public Source NAT --> client.
    Using Load Balancers as DNS servers, authoritative for zones due to the requirement for second level Domain DNS load balancing (i.e xxxx.com, AND FQDNs http://www.xxxx.com). Thus, CSS is configured to respond as authoritative for xxxx.com, http://www.xxxx.com, postxx.xxxx.com, tmx.xxxx.com, etc..., but of course cannot do MX records, so is also configured with dns-forwarders which consequently were the original DNS servers for the domains. Those DNS servers have had their zone files changed to reflect that the new DNS servers are in fact the CSS'. Domain records (i.e. NS records in the zone file), and the records at the registrar (i.e. tucows, which I believe resells .com, .net and .org for netsol) have been changed to reflect the same. That part of the equation has already been tested and is true to DNS Workings. The reason for the forwarders is of course for things such as non load balanced Domain Names, as well as MX records, etc...
    Due to design, which unfortunately cannot be changed, dns-record configuration uses kal-ap, example:
    dns-record a http://www.xxxx.com 0 111.222.333.444 multiple kal-ap 10.xx.1.xx 254 sticky-enabled weightedrr 10
    So, to explain so we're absolutely clear:
    - 111.222.333.444 is the public address returned to the client.
    - multiple is configured so we return both site addresses for redundancy (unless I'm misunderstanding that configuration option)
    - kal-ap and the 10.xx.1.xx address because due to the configuration we have no other way of knowing the content rule/service is down and to stop advertising the address for said server/rule
    - sticky-enabled because we don't want to lose a payment and have it go through twice or something crazy like that
    - weightedrr 10 (and on the other side weightedrr 1) because we want to keep most of the traffic on the site that is closer to where the bulk of the clients are
    So, now, the problem becomes that the clients (i.e. something like an Interac machine, RFID tags...) need to be able to fail over almost instantly to either of the sites should one lose connectivity and/or servers/services. However, this does not happen. The CSS changes its advertisement, and this has been confirmed by running "nslookups/digs" directly against the CSSs... however, the client does not recognize this and ends up returning a "DNS Error/Page not found".
    Thinking this may have something to do with the "sticky-enabled" and/or the fact that DNS doesn't necessarily react very well to a TTL of "0".
    Any thoughts... comments... suggestions... experiences???
    Much appreciated in advance for any responses!!!
    Oh... should probably add:
    nslookups to some DNS servers consistently - ALWAYS the same ones - take 3 lookups before getting a reply. Other DNS servers are instant....
    Cheers,
    Ben Shellrude
    Sr. Network Analyst
    MTS AllStream Inc

    Hi Ben,
    If I got your posting right, the CSSes are doing their job and do advertise the correct IP for a DNS query, right?
    If some of your clients are having a problem, this might be related to DNS caching. Some clients are caching the DNS response and do not do a refresh until they fail or this timeout is gone.
    Even worse, if the request fails you sometimes have to reset the clients' DNS daemon so that they are requesting IP addresses from scratch. I had this issue with some Unix boxes. If I remember it correctly, you can configure the DNS behaviour for Unix boxes and can forbid them to cache DNS responses.
    Kind Regards,
    joerg

  • Content Rule-Based DNS

    We have configured the CSS for content rule-based DNS operation for GSLB. The CSS are installed behind a firewall. CSS are configured with private addresses for the services and the VIP. This VIP is translated at the firewall for external access.
    In this scenario, when the CSS receives a DNS query it returns the VIP (private address) and hence the clients can't reach it. How can I change it to return the public address to the user?

    you can configure the CSS to return the public ip address.
    But internal users that may require to use the private ip address will also receive the public ip address.
    To configure the CSS, you need to use dns a-record and therefore use dns zone-based solution instead of rule-based.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eebaa.html
    Regards,
    Gilles.

  • CSS 11501S GSLB DNS

    Hi
    I am in the process of planning for a GSLB failover solution for a web site. I have attached a very basic diagram showing an example of the topology.
    The aim is to have two sites. A primary site and a DR site to be used as a failover solution.
    The main site has two web servers that will need to be load balanced and the failover DR site will only have 1 web server.
    My initial plan was to use 2 Cisco CSS 11501S devices as I believe this would provide the load balancing and GSLB functionality I require.
    To achieve this I was going to use the CSS's as the primary and secondary name servers for the domain. This has raised a few question marks….
    Both of our sites are connected to a private WAN (with private IP ranges). See attached diagram. Our internet access is provided through a third party "Firewall Port" directly off the WAN. We don't manage the firewall that connects to the internet. This third party firewall provides the NAT for our public facing services (web servers, mail servers, ftp servers etc).
    So my questions are...
    * Because the CSS's and web servers are located on a private network, will the CSS's be able to respond to the DNS requests with the PUBLIC IP address (as seen from the internet) of the servers as opposed to the private IP address of the servers? If the firewall in front of the CSS's was connected to the internet this could be done via DNS doctoring, but our firewall is on a private subnet!
    * Is it possible to get the CSS's to respond to DNS requests for other domain devices that do not reside behind the CSS - e.g. an MX record for a mail server that resides on another 'private' network?
    * Is there a better way to achieve this?
    Any assistance would be much appreciated!!

    Thanks for the response Gilles. When you say
    "If you configure the css to answer with the public ip address, you can't access your vip from the internal network anymore."
    Do you mean that you will only get the public ip address from a DNS query and therefore this won't work locally?
    If I have a host file entry providing the private address resolution for my internal hosts will this work?
    "Also, be aware we do not support GSLB on the CSS anymore.
    So, if this is a new install, it is better to start with a solution that we support - GSS"
    Why is this no longer supported? Are there a lot of problems with GSLB on the CSS? It is pretty hard to justify the cost of a solution including 2 GSS's for GSLB and 1 CSS for server load balancing when compared to the price of 2 CSS's with the enhanced license for both GSLB and server load balancing.
    I have one client that wants to use their existing CSS's for a solution like this and another that is starting from scratch.
    Thanks

  • Permissions to create Reverse Lookup Zones in DNS

    What Active Directory permissions are needed to create Reverse Lookup Zones in DNS? My co-worker is getting an access denied error when completing the wizard for this and the zone is NOT created. He is a member of the "DnsAdmins" group and he can create Forward Lookup Zones. We are running Server 2008 R2 SP1 on our Domain Controllers where DNS is running. Any ideas?

    Set permissions for the DnsAdmins group on the DomainDNSZones application partition. To do this, follow these steps:
    1. Click Start, click Run, type Adsiedit.msc, and then click OK.
    2. In the task pane, right-click ADSI Edit, and then click Connect to.
    3. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:
       CN=MicrosoftDNS,DC=DomainDNSZones,DC=<Domain>,DC=<Domain_Extension>
    4. In the task pane, locate and right-click CN=MicrosoftDNS,DC=DomainDNSZones,DC=<Domain>,DC=<Domain_Extension>, and then click Properties.
    5. Click the Security tab, and then click Advanced. The Advanced Security Settings for MicrosoftDNS dialog box appears.
    6. In the Permissions tab, click Add.
    7. In the Enter the object name to select box, type DnsAdmins, and then click Check Names to verify the name.
    8. Click OK. The Permission Entry for Microsoft DNS dialog box appears.
    9. In the Apply onto drop-down list, click This object only.
    10. Click to select the Allow check box for the Full Control permission, and then click OK.
    11. In the Advanced Security Settings for MicrosoftDNS dialog box, click Apply, and then click OK.
    12. Click OK to close the properties dialog box for the DomainDNSZones application partition.
    13. Close the ADSI Edit window.
    14. Test whether you can create a new DNS zone now.

  • How do I remove a DNS Solution Error?  Sometimes when I do a search using a Firefox browser, this message comes up and it doesn't take me to the site I am looking for.

    Sometimes I use Firefox for browsing and when I do a search,  the search engine will not take me to the site but I get a message that says "DNS Solution Error".
    I believe it is some kind of malware.  I appreciate any help from anyone who knows how to fix it.

    You may have installed a malicious or defective Firefox extension. Remove all extensions that you don't know you need. If in doubt, remove all of them. Otherwise, check the Firefox network settings (not the Network pane in System Preferences) for a proxy server.

  • System Copy based on Solution Manager 4.0

    Dear All
    How to install System Copy based on Solution Manager 4.0
    Thanks

  • Receiving a DNS Solution Yahoo Error Handler Page and some pages won't display

    I recently downloaded the Stuffit Expander and ever since then Firefox hasn't been the same. I receive a DNS Solution Yahoo Error Handler page when I do a search sometimes. And now some pages won't even display for me when they should. How do I get rid of this Yahoo thing (In simple terms please)? Thanks!

    Thank you jscher2000! This seems to have fixed it! I appreciate it :)

  • For Macbook Pro Mid2010: Why not build a WiFi based AirDrop solution between iOS8 and Yosemite? Really sad it does not work.

    Your Mac is too old
    To AirDrop between a Mac and an iOS device
    System Requirements
    To see if your Mac works with AirDrop, make sure you’re in the Finder by clicking the desktop (the background area of your screen), or by clicking the Finder icon in the Dock. Then, check to see if AirDrop is listed as an option in the Go menu. If you don't see AirDrop listed, your Mac doesn't support this feature.
    In order to transfer files between a Mac and an iPhone, iPad or iPod touch:
    your iOS device needs to include a lightning connector
    your iOS device needs iOS 7 or later installed
    your Mac needs to be a 2012 or later model with OS X Yosemite installed
    Your Mac and iOS device both need bluetooth and Wi-Fi turned on. You do not have to be connected to a specific Wi-Fi network.
    To transfer files between two Mac computers, you need the Mac models listed below with Wi-Fi turned on and OS X Lion or later installed.
    From:
    Mac Basics: AirDrop lets you send files from your Mac to nearby Macs and iOS devices - Apple Support

  • Traditional ACL vs Zone Based FW

    I have a 3845 ISR that I have been managing for a couple of years that has a traditional ACL based config. We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco. Any opinions on whether I should take the existing router to a zone based config, or should I configure the new router with the traditional ACL config that I am more comfortable with?

    If there was the option to use a Zone based FW or just straight access lists, then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zone based FW will also inspect traffic and block any traffic with malicious code, for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
    The choice is based on your comfort level, but both are viable options...
    BR,
    Cary

  • Nearest time zones based on user time zone

    Hi,
    In my application, the user accesses the applet in the browser, and based on the user's time zone I need to display the list of available servers that are near to his time zone.
    Please provide me some hints on how to sort the time zones based on the time zone offset.
    Thanks
    Aravind

  • Look-up java time zone based on location?

    I have a test app where I can assign a java timezone and return time info - However, I don't see a way to look-up a java time zone based on location (combination of city/province/state/country).
    Is this possible?

    Has any one found a way to lookup a timezone based on a city/region in the world? So one could be able to type any city and state/province and country combination and get the corresponding timezone for that region. Is there a place where one can buy this data?
    Thank you

  • How do I assign a css class based on spry data?

    I need to assign a CSS class based on the value of Spry data. IOW, I need to do a calculation on two values and assign a class to that <tr> if the resulting value is > 0. Is it possible to plug Spry data into PHP? Is there a better way to go about doing this? Spry may have a function that will hide or style data based on the value of that data, but I can't find it.

    I think I need to provide better information. I currently have:
    <tbody spry:repeatchildren="JSCC_Courses" spry:choose="choose">
      <tr spry:when="'{method}' == 'WEB'" style="background-color: #fffdc7;">
        <td>{callno}</td>
        <td>{rubric}</td>
        <td>{session}</td>
        <td>{hours}</td>
        <td>{title}</td>
        <td>{days}</td>
        <td>{time}</td>
        <td>{room}</td>
        <td>{instructor}</td>
        <td>{seats}</td>
        <td>{location}</td>
      </tr>
      <tr spry:when="'{method}' == 'VDC'" style="background-color: #cbffc7;">
        <td>{callno}</td>
        <td>{rubric}</td>
        <td>{session}</td>
        <td>{hours}</td>
        <td>{title}</td>
        <td>{days}</td>
        <td>{time}</td>
        <td>{room}</td>
        <td>{instructor}</td>
        <td>{seats}</td>
        <td>{location}</td>
      </tr>
      <tr spry:default="default">
        <td>{callno}</td>
        <td>{rubric}</td>
        <td>{session}</td>
        <td>{hours}</td>
        <td>{title}</td>
        <td>{days}</td>
        <td>{time}</td>
        <td>{room}</td>
        <td>{instructor}</td>
        <td>{seats}</td>
        <td>{location}</td>
      </tr>
    </tbody>
    I now need to add a class to the <tr> if the {seats} > 0. I'm having trouble conceptualizing how this works in conjunction with my current spry:whens.

  • Cisco Zone-based firewall issue/ not receiving return traffic

    Hi,
    I have created a Cisco IOS Zone based firewall on my Cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
    I have two zone pairs: Internal to Outside and Outside to Internal.
    In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
    In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
    To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
    Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.

    Please share your config. Then we can see what's wrong there.
