Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Understanding vDNS workflow in Contrail Networking

0

0

Article ID: KB33932 KB Last Updated: 25 Mar 2019Version: 1.0
Summary:

This article explains the Contrail networking vDNS design and sync process.

Solution:

There are four possible methods of providing DNS services, each of which can be set in the IPAM dialogue box:

  1. None: No DNS services are provided to VMs, the DNS server address is not provided to VMs when the DHCP server leases IP address to clients.

  2. Default: DNS resolution is based on the compute node’s DNS configuration. In this case, DNS requests from VMs are proxied to the compute node’s DNS server. The static IP to host mappings stored the /etc/hosts file on the compute node is also used.

  3. Virtual DNS: Contrail provides a virtual DNS service for name resolution.

  4. Tenant: DNS is provided by the tenant’s own DNS servers. Contrail just sends the proper DNS server IP address to clients when the IPAM DHCP server leases IP addresses to clients.


To deploy a virtual DNS server, start by navigating to the Configure > DNS > Servers hierarchy. Next, click the plus (+) sign to create a new virtual DNS server and provide a name for identification and a domain name. There are also additional options that can be configured for the associated Virtual DNS server:
  • Time to Live: The time-to-live (TTL) of DNS entries in seconds.

  • DNS Forwarder: The server that the Contrail Virtual DNS server forwards requests to that it cannot resolve locally.

  • Record Resolution Order: The order in which records are returned should there be multiple matches for a DNS request. The options are Random, Fixed, or Round Robin.

  • External Visibility: Enables external access to the Contrail Virtual DNS records.

 
In every subnet, there is one IP address reserved for the Gateway vRouter address when it is enabled. There is also a second IP address reserved for Services; it is typically, the w.x.y.2 address from the subnet. This Services address is used by the DHCP server and can be seen in DHCP responses sent to clients. The same address is also used as the DNS server address for the subnet if an external DNS name server is not configured. If a virtual DNS server is used, this w.x.y.2 address will be sent as the domain-name-server (DNS) address in the DHCP response to the client.

Every time a VM is created, an A record entry for it is added into the zone file (/etc/contrail/dns) of the vDNS server associated with the IPAM used for the VN to which the VM belongs to. Agent propagates it to contrail-named via contrail-dns running on the controllers.

Contrail Agents on all compute nodes establish XMPP connections with both the DNS servers. All updates are sent to both of them keeping them in sync. When a VM triggers a query, it is sent to both the DNS servers. The first response received is used.

 Scheduling is applied at vDNS level.

Record order: when a name has multiple records matching, scheduling determines the order in which the records are sent in the response.

  • Fixed - the records are sent in the order of creation
  • Round-robin - the record order is cycled for each request to the record
  • Random - the records are sent in random order


Serial numbers are incremented every time the zone file is updated. Serial numbers play a role at the time of zone transfers from primary to secondary name servers. For the transfer to happen, primary's serial number should be greater than that of the secondary's

There is a master-master relationship ( no active-standby relationship ) between vDNS records.

Race condition: A smaller value for the MINIMUM field in SOA would help if records for the domain does not exist and to avoid the race condition where DNS query will be answered by only one vDNS server which does not have vDNS entry.

This value is used as TTL for negative cache entry. It helps to timeout the negative cache entry faster if we expect the queried domain to become available shortly. If not, this would generate a lot of queries unnecessarily. On the other hand, if the time out value is high and the domain becomes valid shortly after the negative cache entry is created, the resolution would not succeed until the cache entry is timed out.

 Log file can be viewed at /var/log/contrail/contrail-named.log

Use command, 'contrail-named' to ensure bind version is same in both controllers

Commands to see vDNS records: http://controller-ip:8092/Snh_ShowDnsConfig

Zone files records inside directory /etc/contrail/dns/ on both the DNS servers, count of zone files should be same

Note: There is no command which can be used to indicate whether DNS records are in sync or not.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search