Following are the tasks to configure a DNS view:
Add a DNS view, as described in Adding a DNS View below.
Add zones to the DNS view. You can add authoritative forward-mapping and reverse-mapping zones, as well as delegated, forward, and stub zones. For information about configuring each type of zone, see Configuring Authoritative Zones and Configuring Delegated, Forward, and Stub Zones.
You can optionally do the following:
Define a Match Clients list and a Match Destination list to restrict access to the DNS view. For more information, see Defining Match Clients Lists and Defining a Match Destinations List below.
Copy resource records from one zone to another. This is useful when different DNS views have the same zone and have multiple resource records in common. For information, see Managing DNS Views below.
Create resource records in a group and share the group among multiple zones. For information, see Configuring Shared Record Groups.
Specify which interface IP address is published in the glue A record of the DNS view. For information, see Changing the Interface IP Address.
Manage recursive views. For information, see Managing Recursive DNS Views below.
Manage the order of the DNS views, as this determines the order in which the NIOS appliance checks the Match Clients list. For information, see Managing the Order of DNS Views.
Configure forwarders for a DNS view. For more information, see Using Forwarders.
Enable AAAA filtering and configure a list of IPv4 networks and addresses for allowing or denying AAAA filtering from the appliance. For information, see Controlling AAAA Records for IPv4 Clients.
Adding a DNS View
You can add up to 1000 DNS views. When you add a DNS view, specify the following:
The network view in which you are creating the DNS view.
The appliance lists the network views only when there are multiple network views. Otherwise, it automatically associates the DNS view with the default network view.
A Match Clients list specifying the hosts allowed access to the DNS view.
If you do not define a list, the appliance allows all hosts to access the DNS view. For more information, see Defining Match Clients Lists below.
Whether recursive queries are allowed.
When a name server is authoritative for the zones in a DNS view, you can disable recursion since your name server should be able to respond to the queries without having to query other servers.
If you want to allow a Grid member to respond to recursive queries from specific IP addresses, you can create an empty DNS view, that is, one that has no zones in it, and enable recursion. For information, see Configuration Example: Configuring a DNS View.
Note: This setting overrides the recursion setting at the Grid and member levels.
To configure a new DNS view:
If there is more than one network view in the Grid, select the network view in which you are creating the DNS view.
From the Data Management tab -> DNS tab, expand the Toolbar and click Add -> Add DNS View.
In the Add DNS View wizard, complete the following fields:
DNS View: Enter the name of the DNS view. It can be up to 64 characters long and can contain any combination of printable characters. Each DNS view must have a unique name. You cannot create two DNS views with the same name, even if they are in different network views.
Comment: Optionally, enter information about the DNS view. You can enter up to 256 characters.
Enable Recursion: This field's initial default state is inherited from the Grid. It is inactive and greyed out until you click Override. After you click Override, you can select or clear the checkbox to define a setting that applies to the DNS view only.
Note that a DNS view actually inherits its recursion setting from the Grid members that serve its zones. When you first create a DNS view though, it does not have any zones and therefore inherits its setting from the Grid. After you create zones in the DNS view, Grid Manager can then determine the associated members and display the resulting inheritance. If a DNS view has multiple zones served by multiple members with different recursion settings, you can view the different settings in the Multi-Inheritance viewer.
You can click Inherit to have the DNS view inherit its recursion setting from the Grid.
If the set rpz_recursive_only command is set to no for a DNS view or zone, you can deselect the Enable Recursion checkbox even if the RPZ zone is configured as the Grid secondary. In a single DNS view, if the set rpz_recursive_only command is set to no for one zone and not set to no for another zone, then you cannot disable recursion. Ensure that there is no conflict between set rpz_recursive_only yes, none, and no settings in different zones in the same view when you disable recursion. If a scheduled Grid upgrade is in progress, then you cannot deselect the Enable Recursion checkbox.
Disable: Select this checkbox to disable this DNS view. Note that disabling a DNS view may take a longer time to complete depending on the size of the data.
Save the configuration and click Restart if it appears at the top of the screen, or click Next to define a Match Clients list. For information, see Defining Match Clients Lists below or
Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
Defining Match Clients Lists
...
To define a Match Clients list for an existing DNS view:
From the Data Management tab, click the DNS tab -> Zones tab -> dns_view checkbox -> Edit icon. Or, if there is only one DNS view, for example the predefined default view, you can just click the Edit icon beside it.
In the DNS View editor, select the Match Clients tab, and select one of the following:
None: Select this if you do not want to configure a Match Clients list. The appliance allows all clients to access the DNS view. This is selected by default.
Named ACL: Select this and click Select Named ACL to select a named ACL. Grid Manager displays the Named ACLs Selector. Select the named ACL you want to use. If you have only one named ACL, Grid Manager automatically displays the named ACL. When you select this option, the appliance allows access to the DNS view from sources that have the Allow permission in the named ACL. You can click Clear to remove the selected named ACL.
Set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding.
IPv4 Address and IPv6 Address: Select this to add an IPv4 address or IPv6 address. Click the Value field and enter the IP address. The Permission column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
IPv4 Network: In the Add IPv4 Network panel, complete the following, and then click Add to add the network to the list:
Address: Enter an IPv4 network address and either type a netmask or move the slider to the desired netmask.
Permission: Select Allow or Deny from the drop-down list.
IPv6 Network: In the Add IPv6 Network panel, complete the following, and then click Add to add the network to the list:
Address: Enter an IPv6 network address and select the netmask from the drop-down list.
Permission: Select Allow or Deny from the drop-down list.
TSIG Key: In the Add TSIG Key panel, complete the following, and then click Add to add the TSIG key to the list:
Key name: Enter a meaningful name for the key, such as a zone name or the name of the client or Grid member. This name must match the name of the same TSIG key on other name servers.
Key Algorithm: Select either HMAC-MD5 or HMAC-SHA256.
Key Data: To use an existing TSIG key, type or paste the key in the Key Data field. Alternatively, you can select the key algorithm, select the key length from the Generate Key Data drop-down list, and then click Generate Key Data to create a new key.
DNS One 2.x TSIG Key: Select this when the other name server is a NIOS appliance running DNS One 2.x code. The appliance automatically populates the value of the key in the Value field. The Permission column displays Allow by default. You cannot change the default permission.
Any Address/Network: Select this to allow or deny any IP addresses to access the DNS view.
After you have added access control entries, you can do the following:
Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
Reorder the list of ACEs using the up and down arrows next to the table.
Select an ACE and click the Edit icon to modify the entry.
Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
Save the configuration and click Restart if it appears at the top of the screen. You can also click the Schedule icon at the top of the editor to schedule this task. In the Schedule Change panel, enter a date, time, and time zone.
Defining a Match Destinations List
You can define a Match Destinations list that identifies destination addresses and TSIG keys that are allowed access to a DNS view. When the NIOS appliance receives a DNS request from a client, it tries to match the destination address or TSIG key in the incoming message with its Match Destination list to determine which DNS view, if any, the client can access. After the appliance determines that a host can access a DNS view, it checks the zone level settings to determine whether it can provide the service that the host is requesting for that zone.
You can define a Match Destination list when you edit an existing DNS view as follows:
From the Data Management tab, click the DNS tab -> Zones tab -> dns_view checkbox -> Edit icon. Or, if there is only one DNS view, for example the predefined default view, you can just click the Edit icon beside it.
In the DNS View editor, select the Match Destinations tab, and select one of the following:
None: Select this if you do not want to configure a Match Destinations list. The appliance allows all destination addresses to access the DNS view. This is selected by default.
Named ACL: Select this and click Select Named ACL to select a named ACL. Grid Manager displays the Named ACLs Selector. Select the named ACL you want to use. If you have only one named ACL, Grid Manager automatically displays the named ACL. When you select this option, the appliance allows access to the DNS view from the destination addresses that have the Allow permission in the named ACL. You can click Clear to remove the selected named ACL.
Set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows.
IPv4 Address and IPv6 Address: Select this to add an IPv4 address or IPv6 address. Click the Value field and enter the IP address. The Permission column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
IPv4 Network: In the Add IPv4 Network panel, complete the following, and then click Add to add the network to the list:
Address: Enter an IPv4 network address and either type a netmask or move the slider to the desired netmask.
Permission: Select Allow or Deny from the drop-down list.
IPv6 Network: In the Add IPv6 Network panel, complete the following, and then click Add to add the network to the list:
Address: Enter an IPv6 network address and select the netmask from the drop-down list.
Permission: Select Allow or Deny from the drop-down list.
TSIG Key: In the Add TSIG Key panel, complete the following, and then click Add to add the TSIG key to the list:
Key name: Enter a meaningful name for the key, such as a zone name or the name of the client or Grid member. This name must match the name of the same TSIG key on other name servers.
Key Algorithm: Select either HMAC-MD5 or HMAC-SHA256.
Key Data: To use an existing TSIG key, type or paste the key in the Key Data field. Alternatively, you can select the key algorithm, select the key length from the Generate Key Data drop-down list, and then click Generate Key Data to create a new key.
DNS One 2.x TSIG Key: Select this when the other name server is a NIOS appliance running DNS One 2.x code. The appliance automatically populates the value of the key in the Value field. The Permission column displays Allow by default. You cannot change the default permission.
Any Address/Network: Select this to allow or deny any IP addresses to access the DNS view.
After you have added access control entries, you can do the following:
Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
Reorder the list of ACEs using the up and down arrows next to the table.
Select an ACE and click the Edit icon to modify the entry.
Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
Save the configuration and click Restart if it appears at the top of the screen. You can also click the Schedule icon at the top of the editor to schedule this task. In the Schedule Change panel, enter a date, time, and time zone.
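The TSIG Key entries in both the Match Clients and Match Destinations procedures above require the key name, algorithm and key data to match on every name server involved. The following added example, which is not Infoblox or NIOS code, models why: a receiver looks the key up by name, checks the algorithm, recomputes the HMAC over the message and compares it in constant time, so a wrong name, a different algorithm or a modified message all fail verification. The key lengths offered (128 bits for HMAC-MD5, 256 bits for HMAC-SHA256), the key name and the message bytes are constructed for the example; the simplified signed message is not the real TSIG wire format.

```python
"""Added example (not NIOS code): generating TSIG key data and verifying an
HMAC-signed message against a keyring indexed by key name."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Algorithms offered in the Add TSIG Key panel, mapped to hashlib constructors.
ALGORITHMS = {"HMAC-MD5": hashlib.md5, "HMAC-SHA256": hashlib.sha256}

# Assumed key lengths for the example; the Generate Key Data drop-down values
# are not part of the page text.
DEFAULT_BITS = {"HMAC-MD5": 128, "HMAC-SHA256": 256}


def generate_key_data(algorithm: str, bits: int = 0) -> str:
    """Return fresh random key material, base64-encoded as TSIG key data is."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    bits = bits or DEFAULT_BITS[algorithm]
    if bits % 8 or bits < 64:
        raise ValueError("key length must be a multiple of 8 bits and >= 64")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def key_length_bits(key_data: str) -> int:
    """Length in bits of the raw key behind a base64 key-data string."""
    return len(base64.b64decode(key_data)) * 8


def sign(key_data: str, algorithm: str, message: bytes) -> bytes:
    """Compute the MAC a sender would attach to the message."""
    return hmac.new(base64.b64decode(key_data), message, ALGORITHMS[algorithm]).digest()


def verify(keyring: Dict[str, Tuple[str, str]], key_name: str, algorithm: str,
           message: bytes, mac: bytes) -> bool:
    """Look the key up by name (as the receiving server does), require the
    same algorithm, and compare MACs in constant time."""
    entry = keyring.get(key_name)
    if entry is None or entry[0] != algorithm:
        return False
    expected = sign(entry[1], algorithm, message)
    return hmac.compare_digest(expected, mac)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one shared key named 'secondary-key'."""
    key_data = generate_key_data("HMAC-SHA256")
    keyring = {"secondary-key": ("HMAC-SHA256", key_data)}   # receiver's copy
    message = b"constructed query bytes"                     # stand-in for a DNS message
    mac = sign(key_data, "HMAC-SHA256", message)             # sender signs
    return {
        "valid": verify(keyring, "secondary-key", "HMAC-SHA256", message, mac),
        "wrong_name": verify(keyring, "other-key", "HMAC-SHA256", message, mac),
        "wrong_algorithm": verify(keyring, "secondary-key", "HMAC-MD5", message, mac),
        "tampered": verify(keyring, "secondary-key", "HMAC-SHA256", message + b"x", mac),
    }


if __name__ == "__main__":
    print(demo())
```

The keyring is keyed by name because that is how the receiver selects the secret; that is the practical reason the Key name entered here must be identical on every server that uses the key.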
Enabling the Match Recursive Only Option
You can enable the match-recursive-only option for the DNS view. When you enable this option, only recursive queries from matching clients match the selected DNS view. This option can be used in conjunction with the match client list and match destination list. Ensure that you configure those options and the order of the DNS views accordingly if you want to also enable the match-recursive-only option.
To enable the match-recursive-only option, complete the following:
From the Data Management tab, click the DNS tab -> Zones tab -> dns_view checkbox -> Edit icon. Or, if there is only one DNS view, for example the predefined default view, you can just click the Edit icon beside it.
In the DNS View editor, select the General tab -> Advanced tab, and select the following:
Enable match recursive only option: This option is disabled by default. Select this option to enable the match-recursive-only option for the DNS view. When you select this option, only recursive queries from matching clients match this view. Note that this option can be used in conjunction with the match-clients and match-destinations options. Ensure that you configure those options and the order of the DNS views accordingly if you want to also enable match-recursive-only.
Save the configuration.
Note: You can also enable or disable the match-recursive-only option for a specific DNS view on a specific member by using the CLI command set enable_match_recursive_only. For information about this command, refer to the Infoblox CLI Guide.
Copying Zone Records
Different views of the same zone may have a number of records in common. If this is the case, you can copy zone records between views and zones.
...
To copy zone records between DNS zones and views:
From the Data Management tab -> DNS tab, click Copy Records from the Toolbar.
In the Copy Records dialog box, Grid Manager displays the last selected zone or the zone from which you are copying zone records in the Source field. Complete the following to copy records:
Destination: Click Select Zone to select the destination zone. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. After you select the zone, Grid Manager displays the associated DNS view.
Copy All records: Select this option to copy all the zone records.
Copy Specific Records: Select this option to copy specific types of records. Select a resource record type from the Available column and click the right arrow to move it to the Selected column.
Copy Options: Select one of the following:
Delete all records in destination before copying the records: Select to delete all resource records in the destination zone before the records are copied.
Overwrite existing records: Select to overwrite existing resource records that have the same domain name owners as the records being copied.
Click Copy & Close.
Note: When you copy resource records between zones and there are pending scheduled tasks associated with these records, the appliance allows the copying of zone records before it executes the scheduled tasks.
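The two Copy Options above have different effects on records that already exist in the destination zone, and the difference is easy to overlook. The following added example, which is not NIOS code, models both options on constructed record sets, with records as (owner, type, rdata) tuples. It takes the text literally: "Overwrite existing records" removes every destination record whose owner name matches a copied record, whatever its type. What happens when neither option is selected is not stated on the page; the example assumes that existing records are kept and only records for owners not already present are added, and labels that as an assumption.

```python
"""Added example (not NIOS code): effect of the Copy Records options on a
destination zone's record set."""
from typing import Iterable, List, Optional, Set, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, rdata)


def copy_records(source: Iterable[Record], destination: Iterable[Record],
                 delete_all: bool = False, overwrite: bool = False,
                 types: Optional[Set[str]] = None) -> List[Record]:
    """Return the destination record set after the copy.

    delete_all  -> 'Delete all records in destination before copying the records'
    overwrite   -> 'Overwrite existing records' (same owner name replaced)
    types       -> the 'Copy Specific Records' selection; None copies all
    """
    if delete_all and overwrite:
        raise ValueError("the copy options are mutually exclusive")
    chosen = [r for r in source if types is None or r[1] in types]
    if delete_all:
        return list(chosen)               # nothing from the old destination survives
    kept = list(destination)
    if overwrite:
        owners = {r[0] for r in chosen}
        # Every record under a copied owner name is dropped, including types
        # that the source does not carry for that owner.
        kept = [r for r in kept if r[0] not in owners]
        return kept + chosen
    # Assumption for the example: with neither option, existing owners are left
    # alone and only records for new owner names are added.
    existing = {r[0] for r in kept}
    return kept + [r for r in chosen if r[0] not in existing]


# Constructed sample data: the same zone in two views.
SOURCE: List[Record] = [
    ("www", "A", "10.0.0.10"),
    ("mail", "A", "10.0.0.20"),
    ("www", "TXT", "v=spf1 -all"),
]
DESTINATION: List[Record] = [
    ("www", "A", "192.0.2.10"),
    ("www", "AAAA", "2001:db8::10"),
    ("ftp", "A", "192.0.2.30"),
]


def demo() -> dict:
    """Run each option over the sample data and return the resulting sets."""
    return {
        "delete_all": set(copy_records(SOURCE, DESTINATION, delete_all=True)),
        "overwrite": set(copy_records(SOURCE, DESTINATION, overwrite=True)),
        "overwrite_a_only": set(copy_records(SOURCE, DESTINATION, overwrite=True, types={"A"})),
        "neither": set(copy_records(SOURCE, DESTINATION)),
    }


if __name__ == "__main__":
    for option, records in demo().items():
        print(option, sorted(records))
```

Worth noticing in the output: with "Overwrite existing records" the destination's www AAAA record disappears even though the source only carries A and TXT records for www, so check the destination zone for record types the source does not have before choosing that option.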
Managing the DNS Views of a Grid Member
A Grid member can serve zones in different DNS views. You can manage the DNS views associated with a Grid member as follows:
You can specify which interface IP address is published in glue A records in the DNS view, as described in Changing the Interface IP Address below.
You can assign an empty recursive view to a member, as described in Managing Recursive DNS Views.
You can control the list of DNS views as described in Changing the Order of DNS Views.
Changing the Interface IP Address
By default, a Grid member publishes its LAN address in glue A records in the DNS view. You can change this default for each DNS view associated with a member. You can specify the NAT IP address or another IP address.
To specify the interface IP address for glue A records in a view:
From the Data Management tab, click the DNS tab -> Members tab -> member checkbox, and then click the Edit icon.
In the Member DNS Configuration editor, click Toggle Expert Mode if the editor is in basic mode, and then select the DNS Views tab.
The Address Of Member Used in DNS Views table lists the default DNS view and DNS views with zones that are served by the member.
To change the address, click the entry in the Interface column of a DNS view, and select one of the following:
NAT IP Address: Select this to use the member NAT address for glue A records in a Grid setting. Select this when you want to notify the Grid Master that it should expect packets from this member on the NAT address, not the configured interface address. The Grid Master broadcasts this NAT address to all NAT members outside of its NAT group. Do not use this option for an independent appliance serving as a DNS server. Select Other IP Address to publish the NAT address for the independent appliance. For information about NAT compatibility, see NAT Groups.
Other IP Address: Select this to specify another address for glue A records, or to publish the NAT address for an independent appliance. Enter the address in the Address field.
Note that the 255.255.255.255 limited broadcast address is reserved. The appliance does not automatically create glue A records for this address. You can however create an NS record without the associated glue records.
Save the configuration and click Restart if it appears at the top of the screen.
Managing Recursive DNS Views
When you add a DNS view that has recursion enabled, the appliance resolves recursive queries from hosts on the Match Clients list of that view. If the DNS view contains zones and you delete those zones, the appliance retains the view in its configuration file, as long as recursion is enabled in the view. Such a view is called an empty recursive DNS view because it does not contain any zones. It enables the appliance to respond to recursive queries from the specified clients.
In a Grid, all members automatically store DNS views that have recursion enabled in their configuration files. If you do not want a Grid member to respond to recursive queries for clients in a particular DNS view, you can remove the view from the member's configuration file.
To delete or retain an empty recursive DNS view in the DNS configuration file of a Grid member:
From the Data Management tab, click the DNS tab -> Members tab -> Grid_member checkbox -> Edit icon.
In the Member DNS Configuration editor, click Toggle Expert Mode if the editor is in basic mode, and then select the DNS Views tab.
The Recursive Views Assigned to this Member section lists the empty recursive DNS views. Move a DNS view to the Selected column to explicitly assign the view to the Grid member and include it in the DNS configuration file of the member. Move a DNS view to the Available column to remove it from the configuration file of the member.
Empty recursive DNS views that you retain in the configuration file are automatically listed at the bottom of the list of DNS views. You can move them up on the list when you manually change the order of the DNS views, as described in Managing the DNS Views of a Grid Member below.
Save the configuration and click Restart if it appears at the top of the screen.
Managing the Order of DNS Views
When a member receives a query from a DNS client, it checks the Match Client lists in the order the DNS views are listed in the Order of DNS Views table of the DNS Views tab in the DNS Member editor. The NIOS appliance can order DNS views automatically, or you can order the DNS views manually. If you choose to have the appliance automatically update the order of the DNS views, it does so after each of the following events:
...
To change the order of DNS views:
From the Data Management tab, click the DNS tab -> Members tab -> Grid_member checkbox -> Edit icon.
In the Member DNS Configuration editor, click Toggle Expert Mode if the editor is in basic mode, and then select the DNS Views tab.
In the Order of DNS Views section, select one of the following:
Order DNS Views Automatically: Click this to automatically order views after adding a new DNS view, removing a DNS view, or changing the match client list.
Order DNS Views Manually: This table lists the DNS views that have zones assigned to the Grid member and the empty recursive views associated with the member. Select a DNS view, then click an arrow to move it up or down in the list.
Save the configuration and click Restart if it appears at the top of the screen.
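The Match Clients list, the Match Destinations list, the match-recursive-only option and the order of the DNS views (all described in the sections above) combine into one selection rule: the member walks the views in order and the first view whose conditions all accept the query answers it. The following added example, which is not Infoblox or NIOS code, models that rule so the interaction can be checked on paper. Within a list of ACEs the first matching entry decides (an empty list allows everything; a list in which nothing matches is treated as deny, which is the usual BIND address-match-list behaviour and is an assumption here). The view names, addresses, TSIG key name and queries are constructed for the example.

```python
"""Added example (not NIOS code): first-match selection of a DNS view from
ordered Match Clients / Match Destinations ACEs and match-recursive-only."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class ACE:
    """One access control entry: an address, a network, a TSIG key name, or any."""
    kind: str                    # "ip" | "network" | "tsig" | "any"
    value: str = ""              # address, CIDR, or key name; unused for "any"
    permission: str = "Allow"    # "Allow" or "Deny"

    def matches(self, addr: str, tsig_key: Optional[str]) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "ip":
            return ip_address(addr) == ip_address(self.value)
        if self.kind == "network":
            return ip_address(addr) in ip_network(self.value, strict=False)
        if self.kind == "tsig":
            return tsig_key is not None and tsig_key == self.value
        raise ValueError(f"unknown ACE kind {self.kind!r}")


def acl_allows(aces: List[ACE], addr: str, tsig_key: Optional[str]) -> bool:
    """Ordered evaluation: the first matching ACE decides. No list ('None' in
    the editor) allows all; no match in a non-empty list denies (assumed)."""
    if not aces:
        return True
    for ace in aces:
        if ace.matches(addr, tsig_key):
            return ace.permission == "Allow"
    return False


@dataclass
class DNSView:
    name: str
    match_clients: List[ACE] = field(default_factory=list)
    match_destinations: List[ACE] = field(default_factory=list)
    match_recursive_only: bool = False
    disabled: bool = False       # a disabled view is left out of named.conf


@dataclass
class Query:
    src: str                     # client source address
    dst: str                     # member address the query arrived on
    recursion_desired: bool
    tsig_key: Optional[str] = None


def select_view(views: List[DNSView], q: Query) -> Optional[str]:
    """Return the name of the first view, in configured order, that accepts q."""
    for v in views:
        if v.disabled:
            continue
        if v.match_recursive_only and not q.recursion_desired:
            continue
        if not acl_allows(v.match_clients, q.src, q.tsig_key):
            continue
        if not acl_allows(v.match_destinations, q.dst, q.tsig_key):
            continue
        return v.name
    return None


# Constructed sample member configuration, in the order the member checks it.
VIEWS = [
    DNSView("internal", match_clients=[ACE("ip", "10.0.5.99", "Deny"),   # one blocked host
                                       ACE("network", "10.0.0.0/8")]),
    DNSView("resolver-only", match_clients=[ACE("network", "192.168.0.0/16")],
            match_recursive_only=True),                                  # empty recursive view
    DNSView("xfer", match_clients=[ACE("tsig", "secondary-key")]),
    DNSView("external", match_clients=[ACE("any")],
            match_destinations=[ACE("ip", "203.0.113.10")]),
]


def demo() -> Dict[str, Optional[str]]:
    """Constructed queries and the view each one lands in."""
    cases = {
        "lan host": Query("10.1.2.3", "10.0.0.1", True),
        "blocked host": Query("10.0.5.99", "10.0.0.1", True),
        "nonrecursive from 192.168": Query("192.168.7.7", "10.0.0.1", False),
        "recursive from 192.168": Query("192.168.7.7", "10.0.0.1", True),
        "tsig signed": Query("198.51.100.5", "10.0.0.1", False, "secondary-key"),
        "public client": Query("198.51.100.5", "203.0.113.10", False),
    }
    return {label: select_view(VIEWS, q) for label, q in cases.items()}


def order_matters() -> Tuple[Optional[str], Optional[str]]:
    """The same LAN query to the public address, in the configured order and
    with 'external' moved to the top of the list."""
    q = Query("10.1.2.3", "203.0.113.10", True)
    reordered = [VIEWS[3]] + VIEWS[:3]
    return select_view(VIEWS, q), select_view(reordered, q)


if __name__ == "__main__":
    print(demo())
    print(order_matters())
```

The order_matters() pair shows why the page tells you to set the view order together with the match lists: a view with a broad Match Clients list ("any") placed above more specific views captures queries those views were meant to answer.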
Managing DNS Views
You can list the DNS views, and then modify, disable, or remove any custom DNS view. You can modify and disable the default DNS view; however, under no circumstances can it be removed.
...
Modifying DNS Views
To modify a DNS view:
From the Data Management tab, click the DNS tab -> Zones tab -> dns_view checkbox -> Edit icon.
In the DNS View editor, you can do the following:
In the General tab, you can change any of the information you entered through the wizard. You can also disable a DNS view to temporarily block access to a DNS view. Disabling a DNS view excludes it from the named.conf file.
...
Note that disabling a DNS view may take a longer time to complete depending on the size of the data.
In the Match Clients tab, define or update a Match Clients list, as described in Defining Match Clients Lists.
In the Match Destinations tab, define or update match destinations, as described in Defining a Match Destinations List below.
In the Forwarders tab, configure forwarders for the view, as described in Using Forwarders.
In the Queries tab, enable AAAA filtering and configure a list of IPv4 networks and addresses for allowing or denying AAAA filtering, as described in Enabling AAAA Filtering.
In the DNSSEC tab, you can specify parameters for DNSSEC as described in Configuring DNSSEC on a Grid.
In the Root Name Servers tab, you can configure root name servers, as described in About Root Name Servers.
In the Sort List tab, define a sort list for the DNS view, as described in Defining a Sort List.
In the Blacklist tab, define blacklist rulesets, as described in Enabling Blacklisting.
In the Extensible Attributes tab, you can modify the attributes. For information, see Using Extensible Attributes.
The Permissions tab displays if you logged in as a superuser. For information, see About Administrative Permissions.
In the Record Scavenging tab, define the rules for DNS records scavenging in the DNS view, as described in Configuring DNS Record Scavenging Properties.
In the Updates tab, specify the secure dynamic updates settings, as described in Secure Dynamic Updates.
Save the configuration and click Restart if it appears at the top of the screen.
or
Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
Deleting DNS Views
You can delete a DNS view if it is not the only view associated with a network view and if it is not selected for dynamic DNS updates. You cannot remove the system-defined default DNS view. When you remove a DNS view, the NIOS appliance removes the forward and reverse mappings of all the zones defined in the DNS view.
To delete a DNS view:
...