Configuring DNS Cache Acceleration
When you enable the virtual DNS cache acceleration feature on IB-FLEX and non IB-FLEX appliances, it acts as a high-speed DNS caching-only name server. This feature provides DNS cache acceleration support for recursive UDP DNS queries.
The DNS cache acceleration feature is bundled with tiered licensing for IB-FLEX appliances; for non-IB-FLEX appliances it depends on the type of tiered license that is installed. Only the Tier 1 (unlimited QPS up to capability) license can be installed on IB-2215 and IB-V2225 appliances. When you install the license, you are entitled to use the DNS cache acceleration feature. For non-IB-FLEX appliances, the warning message is based on the tiered license that is installed, and the QPS is rate-limited according to the type of license installed. If the tiered license and the QPS exceed the threshold, a warning message is displayed. For more information on tiered licensing, see the Features on the Software DNS Cache Acceleration Platforms table below.
All the appliances support RPZ, but responses to RPZ queries are not cached by the DNS cache accelerator. Instead, these queries are bypassed to the host. You can configure the cache expiry period for RPZ queries. Note that the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if the RPZ license is installed. However, for IB-FLEX appliances, you must configure RPZ zones for a member.
You can also use elastic scaling to pre-provision DNS cache acceleration. For DNS cache acceleration, these appliances support Intel x86_64 systems with IOMMU and hugepages, virtio-net, and Intel 82599 10 G NICs, as well as SRIOV with Intel 82599 Ethernet controllers.
You can configure DNS cache acceleration using the Grid Manager or API. To view accelerated cache details, you can either log in to Grid Manager, or use CLI commands, or Infoblox API. Infoblox supports Auto Scaling that contains OpenStack packages to automatically scale the required number of resources based on your application. For more information, refer to Auto Scaling for Virtual DNS Cache Acceleration.
From NIOS 9.0.4 onwards:
Virtual DNS cache acceleration caches TCP queries, and cached queries are answered by virtual DNS cache acceleration instead of BIND.
While there is TCP DNS query load, if you make changes to features that push new configurations to the virtual DNS cache acceleration file (for example, enabling or disabling TCP support on vDCA, toggling ADP First/DCA First, or toggling single/multi TCP query in a session), performing a DNS force restart may cause the Grid member to go offline. To recover from this issue, Infoblox recommends that you perform a product reboot.
Note
Although DNS Cache Acceleration can be enabled on all X6 series appliances, Infoblox recommends using DNS cache acceleration only on TE-2306 and TE-4106 appliances when they are used as IB-FLEX appliances.
Associated characteristics of the supported appliance include the following:
Cache delete through the Grid Manager, CLI, or Infoblox API. For more information, see Clearing DNS Cache.
ACL for IPv4 and IPv6.
Sending SNMP traps for DNS cache acceleration service.
SNMP queries for supported appliances.
Fixed RRSET order for accelerated responses, for A and AAAA record types, for IPv4, and IPv6.
Both non-accelerated recursive and authoritative DNS with Software ADP.
The following table lists the features that are either supported or not supported on the Software DNS cache acceleration platforms:
Features on the Software DNS Cache Acceleration Platforms
Features | IB-FLEX | IB-2215, IB-2225, IB-v2215, IB-v2225, IB-4015, IB-4025, IB-v4015, IB-v4025 |
---|---|---|
Tiered licensing | Licensing is based on the Flex Grid Activation license on the Grid. Note that the queries per second are limited by the number of CPUs for IB-FLEX. | IB-40x5 appliances support four tiers of DNS QPS, and the QPS levels are enforced by rate limiting. |
RPZ | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if RPZ zones are configured for the member. | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if the RPZ license is installed. |
Caching (A, AAAA, MX, CNAME, PTR) | Yes | Yes |
Do not cache (EDNS, TCP, Any, TSIG) | Yes | Yes |
Caching over additional interfaces (v4, v6) | Yes | Yes |
Dump Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
Clear Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
Cache pre-fetch and cache refresh | Yes | Yes |
ACLs (Allow-queries/Responses, Match-Clients/Destination, Blackhole) | Yes | Yes |
AAAA Filtering (Bypassed but supports configuring) | Yes | Yes |
Fixed RRSET ordering | Yes | Yes |
DNS64 | Yes | Yes |
DNS monitoring feature (netmon) | Yes | Yes |
DNS Query logging (BIND only) | Yes | Yes |
DNS Views | Yes, it supports up to six DNS views. | Yes, it supports up to six DNS views. |
Forward/Stub zones | Yes | Yes |
DNS cache acceleration related restrictions for configuration | Yes, for NIOS version 8.2.0, restrictions are enforced based on whether the DNS cache acceleration feature is enabled or disabled. | No |
Reporting | Yes, for more information on Reports for IB-FLEX, see About IB-FLEX. | Yes |
VLAN | Yes | Yes |
DSCP | No, Infoblox does not support DSCP for virtual appliances. | Not supported on physical or virtual appliances when DCA is enabled. |
Sort list | Yes | Yes |
Anycast (OSPF and BGP) | Yes | Yes |
BFD (Bidirectional Forwarding Detection) | Yes | Supported on all appliances |
HA Support | Yes, only for non-SRIOV. | Yes |
NIC Bonding | Yes | Yes |
Multiple interfaces on the same subnet | No | No |
IP Rate-limit and Response logging | No | No |
EDNS Client Subnet support | No | No |
NXDomain-redirection | Yes | Yes |
DNSSEC (Bypassed but supports configuring) | Yes | Yes |
Debug enhancements | Yes | Yes |
SNMP Support for DCA service-related traps | Yes | Yes |
SNMP stats support for DNS QPS and CHR | Yes | Yes |
NX Mitigation | No | No |
NetFilter (Tracking tables) | No | Not supported on any appliance |
Traffic-capture (All modes) | Yes, there is partial support. Note that tcpdump captures both queries and responses. | Yes, there is partial support. Note that tcpdump captures both queries and responses. |
No flush-mode support for DNS cache acceleration cache | Yes | Yes |
Per-interface UDP DNS cache acceleration response counters | Yes | Yes |
CLI commands | You can use the commands | You can use the commands |
DNS Query rewrite (Bypassed but supports configuring) | No | No |
Threat Protection | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously on IB-FLEX platforms. | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously. |
Subscriber Secure Policy | Yes | Yes |
Features | IB-FLEX | TE-906, TE-1506, TE-1606, TE-2306, TE-4106 (all TE appliances unless listed per model) |
---|---|---|
Tiered licensing | Licensing is based on the Flex Grid Activation license on the Grid. Note that the queries per second are limited by the number of CPUs for IB-FLEX. | IB-40x5 appliances support four tiers of DNS QPS, and the QPS levels are enforced by rate limiting. |
RPZ | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if RPZ zones are configured for the member. | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if the RPZ license is installed. |
Caching (A, AAAA, MX, CNAME, PTR) | Yes | Yes |
Do not cache (EDNS, TCP, Any, TSIG) | Yes | Yes |
Caching over additional interfaces (v4, v6) | Yes | Yes |
Dump Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
Clear Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
Cache pre-fetch and cache refresh | Yes | Yes |
ACLs (Allow-queries/Responses, Match-Clients/Destination, Blackhole) | Yes | Yes |
AAAA Filtering (Bypassed but supports configuring) | Yes | Yes |
Fixed RRSET ordering | Yes | Yes |
DNS64 | Yes | Yes |
DNS monitoring feature (netmon) | Yes | Yes |
DNS Query logging (BIND only) | Yes | Yes |
DNS Views | Yes, it supports up to six DNS views. | Yes, it supports up to six DNS views. |
Forward/Stub zones | Yes | Yes |
DNS cache acceleration related restrictions for configuration | Yes, for NIOS version 8.2.0, restrictions are enforced based on whether the DNS cache acceleration feature is enabled or disabled. | TE-906: Yes; TE-1506: Yes; TE-1606: Yes; TE-2306: No; TE-4106: No |
Reporting | Yes, for more information on Reports for IB-FLEX, see About IB-FLEX. | TE-906: No; TE-1506: No; TE-1606: No; TE-2306: Yes; TE-4106: Yes |
VLAN | Yes | Yes |
DSCP | No, Infoblox does not support DSCP for virtual appliances. | Not supported on physical or virtual appliances when DCA is enabled. |
Sort list | Yes | Yes |
Anycast (OSPF and BGP) | Yes | Yes |
BFD (Bidirectional Forwarding Detection) | Yes | Supported on all appliances |
HA Support | Yes, only for non-SRIOV. | Yes |
NIC Bonding | Yes | Yes |
Multiple interfaces on the same subnet | No | No |
IP Rate-limit and Response logging | No | No |
EDNS Client Subnet support | No | No |
NXDomain-redirection | Yes | Yes |
DNSSEC (Bypassed but supports configuring) | Yes | Yes |
Debug enhancements | Yes | Yes |
SNMP Support for DCA service-related traps | Yes | Yes |
SNMP stats support for DNS QPS and CHR | Yes | Yes |
NX Mitigation | No | No |
NetFilter (Tracking tables) | No | Not supported on any appliance |
Traffic-capture (All modes) | Yes, there is partial support. Note that tcpdump captures both queries and responses. | Yes, there is partial support. Note that tcpdump captures both queries and responses. |
No flush-mode support for DNS cache acceleration cache | Yes | Yes |
Per-interface UDP DNS cache acceleration response counters | Yes | Yes |
CLI commands | You can use the commands | You can use the commands |
DNS Query rewrite (Bypassed but supports configuring) | No | No |
Threat Protection | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously on IB-FLEX platforms. | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously. |
Subscriber Secure Policy | Yes | Yes |
Note
By default, all malformed packets are dropped early when the accelerated threat protection service is enabled.
Viewing Accelerated Cache Details
When you view cached contents of the DNS accelerator through the Grid Manager, there might be a slight impact on the DNS query performance of the selected member.
To view accelerated cache from the Grid Manager:
From the Data Management tab, select the DNS tab and click the Members tab -> Member checkbox. Choose View from the Toolbar, and then click View Cache.
Click Yes in the View Acceleration Cache dialog box.
The system displays a File Download was Successful message and the cache data is displayed in table format in a new browser tab or browser window.
Limitations for Virtual DNS Cache Acceleration
You cannot enable the DNS cache acceleration feature during a scheduled NIOS upgrade, but if you have already enabled this feature, it will function normally during the upgrade process.
The appliance prompts for a reboot when you enable the DNS cache acceleration feature for the first time. You must accept it to start the service.
You must disable the DNS cache acceleration feature and reboot the appliance manually to switch from virtual DNS cache acceleration to authoritative servers.
The appliance prompts for a reboot when you enable virtual DNS cache acceleration and Software ADP on IB-FLEX, IB-22x5 and IB-40x5 platforms.
DSCP is not supported if vDCA is enabled on IB-FLEX 22x5 and IB-40x5.
DHCP license cannot be installed if the DCA license is installed and vice versa.
DCA and Microsoft Management licenses cannot be installed and configured simultaneously.
On all vNIOS appliances that support vDCA (virtual DNS Cache Acceleration) or vADP (virtual Advanced DNS Protection), you must run vDCA or vADP on a single virtual NUMA node. If the configuration of the virtual NUMA node and physical NUMA node are not the same, it may result in performance degradation.
For virtual DCA appliances using virtio, it is recommended to increase the number of virtio queues to 2 for IB-v14x5, 4 for IB-v22x5, 4 for IB-v40x5, 2 for IB-FLEX Small, 4 for IB-FLEX Medium and 4 for IB-FLEX Large systems.
The output of the show dns-accel-cache CLI command is restricted to 255 bytes for DNS type 64 and DNS type 65 records respectively. If one or more serviceparam values contribute to the displayed output, the param size is displayed in brackets. To view the complete output, use the expand option of the show dns-accel-cache CLI command.
Limitations for DNS Cache Acceleration in Subscriber Services Parental Control
Enabling DNS Cache Acceleration for subscriber services in the Parental Control tab has the following limitations:
The DNS Cache Acceleration subscriber site features (query count logging and blocked and allowed list support) are applicable on Virtual DNS Cache Acceleration.
The DNS Cache Acceleration subscriber site features (query count logging and blocked and allowed list support) retain only unknown bits and do not support unknown policies (AVP).
DNS Cache Acceleration uses BIND to process the guests behind Customer Premises Equipment (CPEs).
The appliance prompts for a reboot when there is a configuration change.
DNSTAP is required for query count logging.
DNS Cache Acceleration does not cache blocked domains from BIND as it only uses category information for resolved domains.
At Virtual DNS Cache Acceleration, the subscriber has access only to the primary MSP IP address.
DNS Cache Acceleration subscriber site feature supports only 16 additional blocking policies.
Before blocking another opt-in subscriber at DNS Cache Acceleration, an opt-in subscriber must resolve a domain.
Proxy-All replies come from DNS Cache Acceleration as long as the client connection status to MSP is "connected." If the client connection status is "disconnected," the first few queries go to BIND, and subsequent requests are answered from DNS Cache Acceleration. Note that idle TCP connections are closed every 20 seconds by MSP.
The query name for the subscriber allowed and blocked list must contain a known TLD (top-level domain) and, if there are any prefixes, must conclude with a '.'.
Only domain names are supported by the subscriber allowed and blocked lists; wildcards and services are not supported.
For Information on Upgrading Parental Control at DNS Cache Acceleration, see Upgrading Parental Control at DNS Cache Acceleration.
IB-FLEX Platform Settings for DNS Cache Acceleration
When you enable the DNS cache acceleration feature on IB-FLEX, ensure that it has enough CPU and memory to start the service. Note that you cannot start the service if the total CPU is less than 8 cores or if memory is less than 12G. To start the service, see the number of mandatory resources mentioned in the Total Resource Usage for Different Use Cases table.
If the DNS cache acceleration feature is enabled on a pre-provisioned member and fails to start due to insufficient resources on the member, the DCA status is displayed as failed. If you disable DCA on a member with insufficient resources, the member is not displayed in the DCA -> Members tab.
Note
Under certain circumstances, the DNS cache acceleration feature may not function normally when you perform a product restart. This happens due to increased resource allocation on the virtual machine and the appliance does not log any entries in the syslog. Infoblox recommends that you restart or reboot the system and free up server resources if you encounter this issue.
Before enabling DNS Cache Acceleration or ADP on virtual platforms, ensure that the ssse3, sse4_1, and sse4_2 CPU flags are set on the host server. For more information, see https://help.ubuntu.com/lts/serverguide/DPDK.html.en
If you see the "/usr/bin/fast-path.sh: error starting /usr/bin/fp-rte. Check logs for details" error message in the infoblox.log file, ensure that the ssse3, sse4_1, and sse4_2 flags are set for the VM.
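The two checks above (required CPU flags on the host, and the fp-rte start failure in infoblox.log) can be scripted on the host or a log-collection box. The following shell snippet is an added example, not Infoblox tooling; it reads the `flags` line in /proc/cpuinfo format and greps a log excerpt, and the sample inputs are constructed here rather than taken from a real appliance.

```shell
#!/bin/sh
# Added example: pre-flight check for the CPU flags this page requires before
# enabling DCA/ADP on a virtual platform, plus a scan for the fp-rte start error.

REQUIRED_FLAGS="ssse3 sse4_1 sse4_2"

# missing_cpu_flags FILE
#   FILE is /proc/cpuinfo (or a saved copy). Prints the required flags that are
#   absent from the first "flags" line, space separated; prints nothing if all present.
missing_cpu_flags() {
    flags=$(grep -m1 '^flags' "$1" | cut -d: -f2)
    missing=""
    for f in $REQUIRED_FLAGS; do
        case " $flags " in
            *" $f "*) ;;                       # flag present
            *) missing="$missing $f" ;;        # flag absent
        esac
    done
    printf '%s\n' "${missing# }"
}

# fp_rte_failures FILE
#   Counts lines in an infoblox.log excerpt carrying the fast-path startup error
#   quoted on this page. Prints 0 (and succeeds) when there are none.
fp_rte_failures() {
    grep -c 'fast-path.sh: error starting /usr/bin/fp-rte' "$1" || true
}

# Constructed sample inputs (not captured from a real host or appliance).
good=$(mktemp); bad=$(mktemp); log=$(mktemp)
printf 'flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 avx\n' > "$good"
printf 'flags\t\t: fpu vme sse sse2 ssse3 sse4_1 avx\n' > "$bad"
printf '%s\n' \
    'dca: starting fast path' \
    '/usr/bin/fast-path.sh: error starting /usr/bin/fp-rte. Check logs for details' > "$log"

echo "missing on good host: '$(missing_cpu_flags "$good")'"   # ''
echo "missing on bad host:  '$(missing_cpu_flags "$bad")'"    # 'sse4_2'
echo "fp-rte failures in log: $(fp_rte_failures "$log")"       # 1
rm -f "$good" "$bad" "$log"
```

On a real host, run `missing_cpu_flags /proc/cpuinfo` before enabling the service; a non-empty result means the VM will hit the fp-rte error above.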