Hands-on Lab: Infoblox Core DDI

2016 Infoblox Inc. All rights reserved. Hands-on lab - Infoblox integration with Microsoft

Getting the Most from your Grid
Type: 2 hour Hands on Lab
Presenter: Alan Newman & Dave Funk

Configure different ways of serving DNS data, what to avoid and best practices when designing DNS topologies
DHCP designs, and how to avoid common configuration mistakes to create a highly available DHCP environment
Optimize your grid leveraging extensible attributes and smart folders

DNS Module Script

Let's log in to the grid.

Navigate to Grid > Grid Manager > Members. Note that in addition to the Grid Master (GM), there is a Grid Master Candidate (GMC) in a different data center. This is an architectural best practice, marked as (BP) from here on. The GMC holds all the data, just like the GM, and can be promoted if the GM is unreachable. The GMC should be far enough away to not experience the same disaster that the GM would (hurricane, fire, etc.).

You'll see that there are members in two data centers and in two remote offices. The name of each member suggests its location and role.

[Figure: example grid topology]
Data Center #1: External Authoritative ext-auth.dc1; Grid Master gm.dc1; Internal Authoritative dns-int-auth-ms.dc1; DHCP dhcp.dc1; Internet Forwarder dns-fwd.dc1
Data Center #2: External Authoritative ext-auth.dc; GM Candidate gmc.dc2; Internal Authoritative dns-int-auth.dc; DHCP dhcp.dc2; Internet Forwarder dns-fwd.dc2
Branch Office #1: Branch Office DNS/DHCP branch01.br1
Branch Office #2: Branch Office DNS/DHCP branch02.br

We need to configure these members to serve external authoritative DNS, internal authoritative DNS, and resolve DNS queries out to the Internet. Additionally, we'll set up some members as DHCP servers, but let's set up DNS first.

First, let's set up the external authoritative DNS nameservers. These are the nameservers whose role is to answer queries from recursive DNS servers on the Internet about your Internet-facing zones.

You need to have at least two external authoritative DNS servers in different networks. (BP) This provides redundancy. HA (High Availability) is not required since there are multiple nameservers, but it does provide additional resilience, and provides minimal disruption during upgrades.

External authoritative DNS servers should be in a DMZ, with a public IP. (BP) This makes it easy to allow DNS servers on the Internet to query them without exposing the rest of your network to attack.

External authoritative DNS servers should have recursion disabled. (BP) For maximum security, do not combine external authoritative DNS servers and recursion. A successful attack on either function would compromise both. If these roles must exist on the same appliance, they should be in different DNS views.

Locate the external authoritative member in DC#1 and configure it to answer all queries from the Internet for all the authoritative zones, but also disable recursion. The word "None" in this window can be confusing. It does not mean "deny everything"; it means that no access list is explicitly set. With no access list set, all clients are allowed. The default condition (shown below) allows queries from any IP, but does not allow recursion.

Locate the external authoritative member in DC#2 and configure it to answer all queries from the Internet for all the authoritative zones, but also disable recursion. The word "None" in this window can be confusing. It does not mean "deny everything"; it means that no access list is explicitly set. With no access list set, all clients are allowed. The default condition (shown below) allows queries from any IP, but does not allow recursion.
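Once recursion is disabled on the DC#1 and DC#2 external authoritative members, the setting can be confirmed from the wire: a server that does not offer recursion leaves the RA (Recursion Available) header bit clear. The following is an added example, not part of the Infoblox lab; the function names are hypothetical, and the query name, address and replies are constructed sample data.

```python
import os
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1, qclass=1):
    """Wire-format query with RD=1, i.e. the client asks for recursion."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_header(message):
    """Decode the 12-byte DNS header into the fields this check needs."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "answers": answers}


def recursion_verdict(query, response):
    """PASS when the server did not offer recursion, FAIL when it did."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "INVALID: not a response to this query"
    rcode = RCODES.get(r["rcode"], str(r["rcode"]))
    if r["ra"]:
        return f"FAIL: recursion available (rcode {rcode}, answers {r['answers']})"
    return f"PASS: recursion not offered (rcode {rcode})"


def probe(server, outside_name, timeout=3.0):
    """Query a name server you operate for a name it is NOT authoritative for."""
    query = build_query(outside_name, int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return recursion_verdict(query, response)


def constructed_response(query, flags, answer_rrs=b"", answers=0):
    """Constructed sample reply: echo the question with the given header flags."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + query[12:] + answer_rrs


# Constructed sample data (not captured traffic).
SAMPLE_QUERY = build_query("www.example.net", txid=0x1A2B)
# Recursion disabled: the server refuses a name outside its zones, RA is clear.
REFUSED_REPLY = constructed_response(SAMPLE_QUERY, QR | RD | 5)
# Recursion enabled: RA is set and an A record (documentation address) comes back.
A_RECORD = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 10]))
RECURSIVE_REPLY = constructed_response(SAMPLE_QUERY, QR | RD | RA, A_RECORD, answers=1)

if __name__ == "__main__":
    print(recursion_verdict(SAMPLE_QUERY, REFUSED_REPLY))
    print(recursion_verdict(SAMPLE_QUERY, RECURSIVE_REPLY))
```

Run `probe()` from a host outside the DMZ against each external member's public address; an internal vantage point can see different behaviour if access lists differ by source.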

Consider using DNSSEC for external authoritative zones, if the TLD zone is signed. (BP) This allows DNS resolvers to verify that the answer to a query is coming from a legitimate, authorized DNS server for that zone, helping prevent DNS cache poisoning. This indirectly protects your company, as your customers or external users can be more certain that they are connecting to the correct servers on the Internet, and traffic is not being maliciously redirected.

Note that DNSSEC substantially increases the database object count, since it generates several signature/security records for each original one. External zones typically have modest amounts of zone data, so this usually does not present a problem. Internal zones are typically not signed, since cache poisoning attacks launched from your own internal networks and directed at your own internal DNS servers would be very unusual.

The two (public) IPs for these DNS servers can now be configured at the parent level of your domain (typically, your domain registrar) to be authoritative for your external zones. If you signed your zones (DNSSEC), give your registrar the DS records as well, as these are required for DNSSEC to work.

Next, let's set up the Internet forwarders. Forwarders typically are caching-only DNS servers. They are used by the local authoritative DNS servers to resolve non-authoritative (typically Internet) queries. Forwarders will build up a query cache, so that many queries can be answered immediately by the forwarder.

Internet forwarders are placed near connections to the Internet. (BP) This can help with performance by reducing the latency introduced by DNS resolution.

Internet forwarders are usually located inside the firewall, on the internal network. (BP) This provides an additional layer of protection, since they do not need public facing IPs. It also allows them to be closer to the end client, providing better information for DNS Firewall (if deployed).

Internet forwarders should not be authoritative for any zone. (BP) Since they hold no authoritative zone data, these servers can be sized purely according to transaction rate, not object count. This usually means that the server can be smaller.

Internet forwarders do not have to be configured with High Availability. (BP) Internal recursive DNS servers choose which forwarder to query based on observed roundtrip time to each forwarder, so the failure of a single forwarder may cause longer resolution times, but not outright failure. Again, HA (High Availability) is not required since there are multiple nameservers, but it does provide additional resilience, and provides minimal disruption during upgrades.

Locate the dns-fwd.dc1 member that is on the internal network in DC#1 and configure it to use recursion. You can safely allow recursion for all hosts and networks since this DNS server is on the internal network. If you prefer, you can list all the internal networks, or better yet, use Infoblox's Named ACL feature to quickly and easily maintain an ACL that contains the desired networks. We won't cover Named ACLs in this lab, but the feature is well documented in the Infoblox Admin Guide.

Configure this forwarder to use DNSSEC validation. (BP) This helps prevent DNS cache poisoning by making sure the response to a query comes from a legitimate, authorized name server. This is only effective if the queried remote zone is signed, but signed zones are becoming more common.

The top level zone public key needs to be installed so DNSSEC knows where the chain of trust begins. We'll install the root zone public key. You can easily obtain the key by running a dig command: dnskey +multiline

Obtaining the key may not work from the lab; however, the key is listed in the footnote of this page. You must use the DNSKEY 257 public key (the 257 signifies that this is the Key Signing Key). Specify a single dot for the zone, specify RSA/SHA-256 for the algorithm (the root zone uses this key signing algorithm), and copy and paste the long (and cryptic looking) key into the Public Key box. Keep the Secure Entry Point box checked; this indicates that the key is a KSK (key signing key).

Locate the dns-fwd.dc2 member that is on the internal network in DC#2 and configure it to use recursion. You can safely allow recursion for all hosts and networks since this DNS server is on the internal network. If you prefer, you can list all the internal networks, or better yet, use Infoblox's Named ACL feature to quickly and easily maintain an ACL that contains the desired networks. We won't cover Named ACLs in this lab, but the feature is well documented in the Infoblox Admin Guide.

Configure this forwarder to use DNSSEC validation. (BP) This helps prevent DNS cache poisoning by making sure the response to a query comes from a legitimate, authorized name server. This is only effective if the queried remote zone is signed, but signed zones are becoming more common.

Here as well, the top level zone public key needs to be installed so DNSSEC knows where the chain of trust begins. We'll install the root zone public key. You can easily obtain the key by running a dig command: dnskey +multiline

Obtaining the key may not work from the lab; however, the key is listed in the footnote of this page. You must use the DNSKEY 257 public key (the 257 signifies that this is the Key Signing Key). Specify a single dot for the zone, specify RSA/SHA-256 for the algorithm (the root zone uses this key signing algorithm), and copy and paste the long (and cryptic looking) key into the Public Key box. Keep the Secure Entry Point box checked; this indicates that the key is a KSK (key signing key).
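A trust anchor that was altered in copying still pastes cleanly, so it is worth checking the key before installing it on either forwarder. The following is an added example, not part of the Infoblox lab: it confirms the flags are 257 (Zone Key + SEP) and the algorithm is RSA/SHA-256, then compares the RFC 4034 key tag and the SHA-256 DS digest with values obtained out-of-band. The function names are hypothetical, and the key, tag and digest are constructed sample values, not the root zone's.

```python
import base64
import hashlib
import struct

ZONE_KEY = 0x0100  # flags bit 7: the key is a DNSSEC zone key
SEP = 0x0001       # flags bit 15: Secure Entry Point, set on a KSK (256 + 1 = 257)
RSASHA256 = 8      # algorithm number for RSA/SHA-256


def dnskey_rdata(flags, algorithm, public_key_b64, protocol=3):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    key = base64.b64decode("".join(public_key_b64.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag over the RDATA, as specified in RFC 4034 appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(zone):
    """Canonical (lower-case) wire form of the owner name; '.' is the root."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_sha256(zone, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(zone) + rdata).hexdigest()


def check_trust_anchor(zone, flags, algorithm, public_key_b64,
                       want_tag, want_digest, want_algorithm=RSASHA256):
    """Return a list of problems; an empty list means the key matches."""
    problems = []
    if not flags & ZONE_KEY:
        problems.append("Zone Key bit is clear: not a DNSSEC zone key")
    if not flags & SEP:
        problems.append("SEP bit is clear: this is not the KSK (flags should be 257)")
    if algorithm != want_algorithm:
        problems.append(f"algorithm {algorithm} is not the expected {want_algorithm}")
    try:
        rdata = dnskey_rdata(flags, algorithm, public_key_b64)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return problems + [f"public key is not valid base64: {exc}"]
    if key_tag(rdata) != want_tag:
        problems.append(f"key tag {key_tag(rdata)} does not match expected {want_tag}")
    if ds_sha256(zone, rdata) != want_digest.lower():
        problems.append("SHA-256 digest mismatch: pasted key is not the published one")
    return problems


# Constructed sample key (12 bytes of made-up RSA material), NOT a real anchor.
SAMPLE_KEY_B64 = "AwEAAcNaEX6QDUK3"
SAMPLE_TAG = 44712
# Stands in for the digest you would take from the independently published DS.
SAMPLE_DIGEST = ds_sha256(".", dnskey_rdata(257, RSASHA256, SAMPLE_KEY_B64))

if __name__ == "__main__":
    print(check_trust_anchor(".", 257, 8, SAMPLE_KEY_B64, SAMPLE_TAG, SAMPLE_DIGEST))
    # A copy whose letter case was lost still decodes as base64, but fails the check.
    print(check_trust_anchor(".", 257, 8, SAMPLE_KEY_B64.lower(),
                             SAMPLE_TAG, SAMPLE_DIGEST))
```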

Next, let's set up the Internal Authoritative DNS servers.

We will set up larger internal authoritative DNS servers at each of the data centers. (BP)
These will be authoritative for the entire internal namespace. (BP)
These will be configured as high availability pairs (because they are critical to internal name resolution). (BP)
These need to be sized to handle an object count equivalent to the entire internal namespace, and an aggregate transaction rate equal to the queries sent by local DNS clients and those forwarded by the small-site DNS servers. (BP)

We will set up smaller internal authoritative DNS servers at each of the small sites. (BP)
Each site will only be authoritative for the zones at that site. (BP)
These smaller DNS servers will forward queries for non-local domains to the DNS servers at the data centers. (BP)

First, let's set up the larger internal authoritative DNS servers. Locate the HA member that is on the internal network in DC#1 and running DNS services. Notice that it is authoritative for all internal zones by navigating to: Data Management > DNS > Members/Servers, then clicking on the nameserver.

Verify that this nameserver will accept queries from the small site DNS servers, and all end host networks. (BP) This will allow clients in the data centers to use these local DNS servers, and will allow end hosts at the small sites to use these DNS servers if their local DNS server goes down.

Configure the DNS server with forwarders, so it knows where to send queries it cannot resolve authoritatively. Forward to the Internet forwarders we set up earlier. Enable Use Forwarders Only to prevent root server lookups.

Locate the dns-int-auth member that is on the internal network in DC#2 and running DNS services. Notice that it is authoritative only for its internal zone by navigating to: Data Management > DNS > Members/Servers, and then clicking on the nameserver.

Verify that we will accept queries from the small site DNS servers, and all end host networks. (BP) This will allow clients in the data centers to use these local DNS servers, and will allow end hosts at the small sites to use these DNS servers if their local DNS server goes down.

Configure the DNS server with forwarders, so it knows where to send queries it cannot resolve authoritatively. Forward to the Internet forwarders we set up earlier. Enable Use Forwarders Only to prevent root server lookups.

Now, let's set up the smaller (remote site) internal authoritative DNS servers. Locate the member that is on the internal network in Branch 1. Notice that it is authoritative only for its internal zone by navigating to: Data Management > DNS > Members/Servers, and then clicking on the nameserver.

Verify that this DNS server will accept queries from the internal networks. Configure the DNS server with forwarders, so it knows where to send queries it cannot resolve authoritatively. Forward to the larger internal authoritative DNS servers we set up earlier. Enable Use Forwarders Only to prevent root server lookups.

Configure DNS clients at Branch 1 to query the local DNS server first, then the nearest data center DNS server. (BP) This provides resiliency if the local DNS server goes offline. Anycast can also be used so that DNS clients query the closest available DNS server automatically. More on this later.

Locate the member that is on the internal network in Branch 2. Notice that it is authoritative only for its internal zone by navigating to: Data Management > DNS > Members/Servers, and then clicking on the nameserver.

Verify that this DNS server will accept queries from the internal networks. Configure the DNS server with forwarders, so it knows where to send queries it cannot resolve authoritatively. Forward to the larger internal authoritative DNS servers we set up earlier. Enable Use Forwarders Only to prevent root server lookups.

Configure DNS clients at Branch 2 to query the local DNS server first, then the nearest data center DNS server. (BP) This provides resiliency if the local DNS server goes offline. Anycast can also be used so that DNS clients query the closest available DNS server automatically. More on this later.

This completes the DNS module.


DHCP Module Script

Now, let's set up DHCP.

A high availability DHCP member will be deployed at each data center. These members will be the DHCP failover peer for the DHCP servers at the smaller sites. (BP) This provides resiliency, in case the smaller site DHCP server goes offline.

The DHCP server at each smaller site will be configured to serve all the local leases; the larger DHCP server Failover peer will only serve leases to the remote site if the remote DHCP server goes offline. (BP) This keeps all the local leases served by the closest DHCP server.

The smaller sites will use a single non-high availability appliance for both DNS and DHCP. (BP) We have already provided resiliency by having alternate paths for DNS and DHCP services.

The DHCP members at the data centers must be sized to accommodate the host lease pools at the data center, as well as the lease pools configured on the DHCP servers at the small sites that peer with the data center DHCP server in a Failover association.

Here are the networks we're using in our example grid:
/24 Data Center #2 (internal)
/24 Data Center #1 (internal)
/24 Branch Office #
/24 Branch Office #
/24 Data Center #1 (external)
/24 Data Center #2 (external)

Locate the dhcp.dc1 HA member that is on the internal network in DC#1 and running DHCP services. Verify that it is serving DHCP for the network in its data center, and for Branch 1 (this is for a later DHCP Failover configuration).

In Member DHCP Properties > IPv4 DDNS, ensure that Update DNS on DHCP Lease Renewal is not checked. (BP) This is almost never needed, and incurs unnecessary overhead.

Locate the member that is on the internal network in Branch 1. Verify that it is configured to serve DHCP for its local network.

In Member DHCP Properties > IPv4 DDNS, ensure that Update DNS on DHCP Lease Renewal is not checked. (BP) This is almost never needed, and incurs unnecessary overhead.

Set up a DHCP Failover association between the Branch 1 DHCP server and the DC#1 DHCP server. Make sure the Branch 1 DHCP primary has 100% of the load. This will cause the Branch 1 DHCP to issue all the leases, unless it fails. In that case, the DC#1 DHCP will issue all the leases.

Assign the DHCP Failover association to the DHCP network range for Branch

Locate the dhcp.dc2 HA member that is on the internal network in DC#2 and running DHCP services. Verify that it is serving DHCP for the network in its data center, and for Branch 1 (this is for a later DHCP Failover configuration).

In Member DHCP Properties > IPv4 DDNS, ensure that Update DNS on DHCP Lease Renewal is not checked. (BP) This is almost never needed, and incurs unnecessary overhead.

Locate the member that is on the internal network in Branch 2. Verify that it is configured to serve DHCP for its local network. In Member DHCP Properties > IPv4 DDNS, ensure that Update DNS on DHCP Lease Renewal is not checked. (BP) This is almost never needed, and incurs unnecessary overhead.

Set up a DHCP Failover association between the Branch 2 DHCP server and the DC#2 DHCP server. Make sure the Branch 2 DHCP primary has 100% of the load. This will cause the Branch 2 DHCP to issue all the leases, unless it fails. In that case, the DC#2 DHCP will issue all the leases.

Assign the DHCP Failover association to the DHCP network range for Branch 2.

This completes the DHCP module.

Extensible Attributes and Smart Folders Module Script

To make sure we're all on the same page, let's briefly define what Extensible Attributes (or "EAs") and Smart Folders are.

EAs are simply metadata that are attached to objects, like networks, hosts, DNS zones, etc. You might want a network to have an EA called "Location", with a value of "New York", for example. There are included EAs, but you'll probably want to create your own. These can be mandatory, optional, and even inherited down through the data hierarchy.

Smart Folders are customized searches that dynamically update as objects change values. EAs and Smart Folders can be used together to create views into just the data you want to see.

Let's start by creating some EAs for our two data centers. We'll create an EA named Data Center, of type List. This will limit the values of this EA to just the values in the list. Add DC#1 and DC#2 as separate list values.

Similarly, create a Cabinet list, with values Cabinet #1, Cabinet #2, Cabinet #3, Cabinet #4.

Similarly, create a Deployment list, with values Production, Staging, QA.

Similarly, create an Application list, with values Oracle, SharePoint, Exchange, but let's only allow a Host to be associated with these values. After you create your list, click Next, then click the Add (+) button in the Restrict to Specific Object Types box. The Admin Group object is automatically added. Click to the right of this object to expose the down arrow. Click on the down arrow to show the available list of objects.

Select Host, then Save & Close. This EA (Application) can now only be assigned to Hosts.

Let's assign some of the EAs we created to some objects. In our example grid, we have a /16 IPv4 network container, with some /24 networks within it, including networks for production, staging, and QA application servers. Using Data Management > IPAM, we browsed to each Host, and added EAs. Here is an example for server oraprod1.dc2.mycompany.com:

It is a good idea to assign EAs to your objects as you create them. Every wizard that adds an object contains a step to add EAs. Adding them as you go is easy and quick. Adding them later (after you have many objects) would be more time consuming (unless you use CSV import or APIs). EAs can be individually configured to be mandatory, to enforce proper data entry.

Now, let's create some Smart Folders in My Smart Folders, using our example data. Click Create, specify these filter criteria for our production Oracle servers, and click Apply, to see the results in the editor window:

The results look good, so change the Name to Production Oracle, and click Save. You'll see the name populate in My Smart Folders, and the Finder window. The Finder window (found on the left in almost every screen) is the quickest and easiest method to navigate much of the grid's data, including Smart Folders.

Now, let's create a Smart Folder that shows all the staging servers:

Smart Folders are dynamic. If we add another object that matches a Smart Folder's criteria, it will automatically appear in the Smart Folder.

Let's create another Oracle staging server using Data Management > IPAM, making sure to assign EAs:
Application: Oracle
Cabinet: Cabinet #2
Data Center: DC#1
Deployment: Staging

Using the Finder (on the left), locate the Staging Servers Smart Folder created earlier; the new staging server appears:

As you can see, using EAs along with Smart Folders makes it easy to keep track of important objects, but Smart Folders can still be used even without EAs.

Let's create a Smart Folder that doesn't use EAs, and will contain all our mail servers. Mail servers have MX records, so we can leverage this to create a Smart Folder. Click Create, specify these filter criteria for our mail servers, and click Apply, to see the results in the editor window:

Click Save.

Now let's create another Smart Folder that doesn't use EAs, and will contain all the IPv4 DNS reverse zones on the grid. Click Create, specify these filter criteria for our reverse zones, and click Apply, to see the results in the editor window:

Click Save.

Try creating additional Smart Folders. Take a look at the available search criteria to get additional ideas on how to provide useful dynamic windows to your IPAM data using Smart Folders. Remember, the ways you can organize your data are almost limitless if you also use Extensible Attributes along with Smart Folders. Consult the NIOS Administrator Guide (available in the Infoblox DDI user interface) for additional useful information regarding Smart Folders and Extensible Attributes.

This completes the Extensible Attributes and Smart Folders Module.

DNS Optimization
Type: 2 hour Hands on Lab
Presenter: Alan Newman & Dave Funk

Configure, deploy and use the DNS Traffic Control global server load balancer
Configure and deploy Anycast to load balance DNS queries within your grid
Handle overlapping networking and isolating DNS data with Network and DNS Views

Anycast Module Script

Let's take a look at how Anycast can be used to help with DNS resiliency. Anycast is a network routing technique where configured hosts have the exact same IP address. Clients trying to reach that IP address are routed to the topologically nearest host. Anycast requires the use of a routing protocol, such as BGP or OSPF.

After Anycast DNS is configured on your Infoblox grid, DNS clients (workstations, laptops, etc.) can be set to use one DNS server address: the Anycast DNS address. There might be (that is, should be) several DNS servers configured with the Anycast address. The DNS client will automatically use the closest DNS server. If one of the DNS servers goes offline, the route will be withdrawn, and the DNS client will use the next closest DNS server, and so on. This greatly simplifies end host DNS configuration, since all DNS client resolvers can use the same nameserver address.

Internal recursive DNS servers choose which forwarder to query based on observed roundtrip time to each forwarder. Don't use Anycast here; the built-in roundtrip time method was designed for this purpose. (BP) Initially, the RTT for each forwarder is seeded with a low value, so each forwarder will be used, and its real RTT learned.

Let's configure Anycast on the DNS servers at each of the small sites and the two data center internal authoritative DNS servers, using OSPF (BGP will be similar).

Go to Grid > Grid Manager > Members, edit the member that is on the internal network in Branch 1, and select Anycast: Add IPv4 address to the Anycast Interfaces list, and select OSPF. Add the parameters as shown in the OSPF Area Configuration area (use wallyworld for the Key). Click Add. Save & Close.

Go to Data Management > DNS > Members/Servers, and edit the member that is on the internal network in Branch 1. Click Toggle Advanced Mode (upper left), click the Advanced tab, and add the Anycast address you configured in the previous step to Listen on these additional IP addresses. It should appear in the dropdown list. Save & Close.

Repeat the above Anycast configuration for the Branch 2 (branch01.br2.mycompany.com) member, and each of the data center internal DNS servers (dns-int-auth-ms.dc1.mycompany.com, dns-int-auth.dc2.mycompany.com). Do a Restart, as prompted.

The Anycast IP address can now be configured on DNS clients. Anycast will figure out which actual DNS server will be used by the client by selecting the closest one (fewest number of router hops).

If you want to know which DNS server is responding on the Anycast address, enable the Hostname bind directive and Server-id directive on each Anycast member: Data Management > DNS > Members/Servers. Edit the member, and go to General > Advanced, and enable the above directives. Selecting Hostname will return the DNS name of the DNS server, and selecting User defined will return the string you define. Repeat this configuration for all the members configured with Anycast. In our example grid, the Anycast members are branch01.br1.mycompany.com, branch02.br2.mycompany.com, dns-int-auth-ms.dc1.mycompany.com, dns-int-auth.dc2.mycompany.com.

Now you can run this dig command from a terminal window on a client on your network that has the dig command installed (Macs and Linux machines have dig pre-installed). Substitute your actual Anycast address for the Anycast address we are using in this lab's example grid.

dig id.server chaos

You should see a response that contains the Hostname (or User defined string) of the responding DNS server.

This completes the Anycast module.

Network View / DNS View Module Script

First, let's talk about what Network Views and DNS Views are, and what they can provide.

A Network View is a single routing domain. One common case for using Network Views is when company mergers or acquisitions occur. Invariably, there will be network overlap. These overlapping networks can be put into different Network Views. If you are planning on running DHCP on overlapping networks, remember that a grid member can serve DHCP in one network view only.

A DNS View is used to resolve queries differently, depending on the IP of the DNS client. This is typically used to serve different zone data for the same zone name, depending on whether the DNS client is on an internal or external network. You might, for example, have a mycompany.com publicly facing zone that resolves for Internet users, and a completely different mycompany.com zone that is internally facing, containing completely different data. These two zones would be placed into two different DNS Views. A match-list is used to ensure DNS clients query the correct zone.

A DNS View can be in one Network View only, but a Network View can have multiple DNS Views.

Let's start by creating an additional Network View. Note that there is an initial default Network View.

- Go to Administration > Network Views, and click the + button.
- Add an AcquiredCompany Network View.
- Save & Close. This will automatically create a default DNS View within the new Network View.
- Go into your new Network View by selecting the Data Management tab, and selecting the new Network View from the dropdown list in the upper left.

Notice that it looks like you have a new DNS server with no data, and essentially, that is exactly what you have! Any networks or zones that you create will be separately contained in this Network View and DNS View.

Create a new authoritative zone (e.g., newzone.com), and assign it to an internal DNS server (e.g., branch01).

Now that you have this new view (and zone within it), how do you make it available to DNS clients? This is done by configuring the Match Clients list for the DNS View.

- Edit the DNS View by navigating to Data Management > DNS > Zones, and clicking the pencil icon next to the DNS View name.
- Click Match Clients.
- Click Set of ACEs and add an address or network that you want to resolve queries for in this view.

Now you need to make sure to properly order the DNS Views on the members that are serving multiple DNS Views (in our example, this member is branch01). Navigate to Data Management > Members/Servers > (DNS member), then Edit > Advanced > DNS Views > Order of DNS Views. You will see all DNS views here, even DNS views in other Network Views. First match wins, so configure carefully.

This completes the Network View / DNS View module.
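Because the first matching DNS View wins, a broad Match Clients entry placed early in the order can keep a later view from ever being selected. The following added example (not part of the lab or of Infoblox's code) models view selection and flags shadowed entries; the view names, the networks, and the simplification that every ACE is a plain allow entry are assumptions made for illustration.

```python
import ipaddress

# "Any" in a Match Clients list is modelled as both address families.
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def compile_views(ordered_views):
    """Turn [(view_name, [ace, ...]), ...] into lists of ip_network objects."""
    compiled = []
    for name, aces in ordered_views:
        nets = []
        for ace in aces:
            nets.extend(ANY if ace == "Any" else [ipaddress.ip_network(ace)])
        compiled.append((name, nets))
    return compiled


def select_view(ordered_views, client_ip):
    """Return the first view whose Match Clients list contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for name, nets in compile_views(ordered_views):
        if any(ip in net for net in nets):
            return name
    return None   # no view matched this client


def covers(outer, inner):
    """True when every address in inner is also in outer."""
    return outer.version == inner.version and inner.subnet_of(outer)


def find_shadowed(ordered_views):
    """List (view, ace, shadowing_view) for ACEs that can never match
    because an earlier view already matches every address they contain."""
    findings = []
    compiled = compile_views(ordered_views)
    for i, (name, nets) in enumerate(compiled):
        for net in nets:
            for earlier_name, earlier_nets in compiled[:i]:
                if any(covers(e, net) for e in earlier_nets):
                    findings.append((name, str(net), earlier_name))
                    break
    return findings


# Constructed sample: the order of DNS Views on one member, first entry tried first.
BAD_ORDER = [
    ("default", ["Any"]),
    ("AcquiredCompany-default", ["10.50.0.0/16"]),
]
GOOD_ORDER = list(reversed(BAD_ORDER))

if __name__ == "__main__":
    print(select_view(BAD_ORDER, "10.50.3.7"))    # lands in the wrong view
    print(find_shadowed(BAD_ORDER))               # reports the shadowed ACE
    print(select_view(GOOD_ORDER, "10.50.3.7"))   # specific view first
```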

DTC Module

DNS Traffic Control (DTC) provides Global Server Load Balancing (GSLB) functionality integrated into the Infoblox Grid and user interface. DTC starts with a Load Balanced Domain Name (LBDN). Each LBDN can have one or more Pools of Servers. A Pool is an abstraction used to organize Servers. A Server is just an IP address, and can be an SLB, a VIP or a real server.

If the DNS Query matches a pattern in any of the LBDNs you have configured, the system will use DTC to determine which IP address to return. If the DNS Query does not match any pattern in any of the active LBDNs, the system uses normal DNS processing.

In this Lab, we'll use DTC to implement a Disaster Recovery Plan. We'll have two datacenters: a Primary Datacenter and a Secondary Datacenter. The Primary will be active and the Secondary will be passive. This is a very simple use case for DTC. DTC can be used to load balance across multiple active datacenters, using a variety of load balancing methods including the user's location, Round Robin and Ratio (weighted Round Robin).

Preparing the lab

Before starting the lab, please make sure to load the DTC Grid configuration to streamline this lab. Do the following:

1. Login to the Infoblox Grid (i.e. (admin, infoblox))
2. Click on Grid > Grid Manager
3. Under Toolbar click on Restore > Restore Grid (as shown below)
4. Make sure to uncheck Discovery data and Infoblox Reporting & Analytics App (as shown below)

5. Click on Select, then Select again, then browse to the Bloxfest Grid Lab Configs folder (which is located on the Desktop) and select the startup-config-for-dtc-bloxfest.bak. Click on the Open button and then Upload.
6. Click on Restore then click on Yes (when prompted to Confirm restore).
7. Wait for a few seconds then click on Yes (when you see the Successful restore message).
8. Wait for a few minutes while the DTC Grid configuration is getting applied (as it requires the Grid Master to reboot).
9. Then log back into the Grid Master (i.e. once the restore operation has completed.

Verify that Show Restart Banner is enabled

Please make sure that the Show Restart Banner is selected by going through these steps:

- Click on Grid > Grid Manager > Members
- Click on Grid Properties > Edit
- Click on the Advanced tab
- Verify that Show Restart Banner is selected (as shown below)
- Click on Save & Close

Configure the Servers

First, we'll create two DTC Servers which will represent our Primary Datacenter and our Secondary Datacenter. In a real implementation, the Server's IP address would be the VIP for the Datacenter.

To create the two Servers, called PrimaryDatacenter and SecondaryDatacenter:

- Go to Data Management > Traffic Management > Traffic Management
- Click Add > DTC Server from Toolbar
- Type PrimaryDatacenter in Name field
- Type in Host field
- Click Save & Close

Similarly, add the second DTC Server named SecondaryDatacenter by doing the following:

- Click Add > DTC Server from Toolbar
- Type SecondaryDatacenter in Name field
- Type in Host field
- Click Save & Close

Health Monitors

Health Monitors check to see if a Server is available, and are part of the Pool configuration. In this Lab, we'll use the default ICMP Monitor to check the availability of the Datacenters. DTC has multiple types of Health Monitors including HTTP/S, SIP, SNMP, TCP and PDP. For this Lab, we'll simply use ICMP.

Configure the Pool

Now, we'll put the two Servers representing our two datacenters into a Pool. A pool contains one or more Servers, a method for load balancing among them and one or more Health Monitors. In this Lab, we'll have two Servers in our Pool, use the Global Availability Load Balancing method and the ICMP Health Monitor.

The Global Availability Load Balancing method always returns the first Server that is available in the list of Servers. Availability is based on the Health Monitor(s) you select. Global Availability is perfect for DR, because we want all traffic to go to the Primary datacenter as long as it is available. If disaster strikes, and the Primary datacenter goes down, we want all traffic to go to the Secondary datacenter. When the Primary datacenter comes back online, we want all traffic to go to the Primary datacenter again.

Let's create a Pool; we'll call it DataCenterPool.

- Click Add > DTC Pool from Toolbar
- Type DataCenterPool in Name field on DTC Pool Wizard > Step 1 of 6 screen
- Click Next
- Select icmp as health monitor on DTC Pool Wizard > Step 2 of 6 by putting it under Active column
- Click Next
- Select Global Availability under Preferred drop down menu

- Click Next
- Add PrimaryDatacenter and SecondaryDatacenter as Pool Members by clicking + and selecting the DTC Server PrimaryDatacenter
- Repeat the above step to add DTC Server SecondaryDatacenter
- Click Save & Close

Your screen should now look like the figure below

Configure the Load Balanced Domain Name

Now, we need to create the Load Balanced Domain Name (LBDN). The LBDN contains one or more patterns. For this lab, we'll use *.xyzcorp.com for the pattern. The LBDN configuration includes a Load Balancing method to determine which Pool to use for a given user. Since we only have one Pool, the Load Balancing Method is moot. However, in a real-world configuration, it is important to choose a Load Balancing Method that selects the right Pool for your use case.

Let's create the LBDN.

- Click Add > DTC LBDN from Toolbar

On DTC LBDN > Step 1 of 5 screen do the following:

- Type LBDN-xyzcorp.com in Display Name field
- Click + to add pattern *.xyzcorp.com in Patterns table
- Click Next

On DTC LBDN > Step 2 of 5 screen:

- Keep default values checked for A and AAAA records
- Click + to add xyzcorp.com as a DNS zone under Associated Zones table
- Click Next

On DTC LBDN > Step 3 of 5 screen:

- Click + to add DataCenterPool under Pools table
- Click Save & Close then Restart

Your screen should now look like the figure below

Test the Disaster Recovery Plan

Now, we want to test our Disaster Recovery Plan. The Primary Datacenter is online, so all traffic, from all over the world, should always go to the Primary Datacenter. Use the following IPs from different locations in the world and see that DTC always returns the IP address of the Primary datacenter.

- Use IP as an IP from Germany
- Use IP as an IP from USA

Let's test the LBDN using the built-in Test tool:

- Select LBDN LBDN-xyzcorp.com
- Click Test DTC LBDN from Toolbar
- Fill the fields as follows on Test DTC LBDN Wizard screen
  - Query Source
  - Query Name
  - Member dc1-gm.infoblox.com (using Select button)
  - Record Type A (from pull down menu)
- Click Start
- Observe the Result in DNS response. It should be the IP of PrimaryDatacenter ( )

Let's simulate taking the Primary datacenter offline by doing the following:

- Launch Putty (i.e. SSH) to connect to (i.e. Ubuntu Linux server)
- Login: olympic
- Password: infoblox
- You can simulate a Linux server crash by blocking all incoming ICMP traffic by typing the following command:

sudo iptables -A INPUT -p icmp -d -j DROP

Note: When the above command gets executed, you will see the message "sudo: unable to resolve host ubu-dtcvmd-dns". Don't worry about this message. Simply ignore it. Wait 30 seconds for the security policy to be applied and continue with the lab.

Let's test DTC LBDN again after PrimaryDatacenter is no longer reachable by ICMP:

- Go to Data Management > Traffic Management > Traffic Management
- Select LBDN LBDN-xyzcorp.com
- Click Test DTC LBDN from Toolbar
- Fill the fields as follows on Test DTC LBDN Wizard screen
  - Query Source
  - Query Name
  - Member dc1-gm.infoblox.com (using Select button)
  - Record Type A (from pull down menu)
- Click Start
- Observe the Result in DNS response. It should be the IP of SecondaryDatacenter ( ) as shown below

- Repeat with Query Source of (Result should be the same)

Enable ICMP traffic again (i.e. to simulate that the server is now reachable) by typing the following command on the Linux server:

sudo iptables -D INPUT 1

Note: Wait 30 seconds for the policy to be applied and continue with the lab.

Let's test DTC LBDN one more time now that PrimaryDatacenter is reachable by ICMP again:

- Go to Data Management > Traffic Management > Traffic Management
- Select LBDN LBDN-xyzcorp.com
- Click Test DTC LBDN from Toolbar
- Fill the fields as follows on Test DTC LBDN Wizard screen
  - Query Source
  - Query Name
  - Member dc1-gm.infoblox.com (using Select button)
  - Record Type A (from pull down menu)
- Click Start
- Observe the Result in DNS response is now showing
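The failover and failback sequence tested above can be modelled in a few lines. The following added example (not part of the lab or of Infoblox's code) replays the three test phases through an LBDN pattern check, an ICMP-only health monitor, and Global Availability selection; the server addresses are constructed, and the wildcard matching, the return labels, and the behaviour when no server is healthy are modelling assumptions.

```python
from fnmatch import fnmatchcase

# Constructed addresses standing in for the two datacenter VIPs.
SERVERS = {
    "PrimaryDatacenter": "192.0.2.10",
    "SecondaryDatacenter": "198.51.100.10",
}
POOL_ORDER = ["PrimaryDatacenter", "SecondaryDatacenter"]   # DataCenterPool
LBDN_PATTERNS = ["*.xyzcorp.com"]                           # LBDN-xyzcorp.com


def lbdn_matches(qname, patterns=LBDN_PATTERNS):
    """True when the query name matches an LBDN pattern (shell-style wildcard;
    the exact matching rules of the product are not modelled here)."""
    name = qname.rstrip(".").lower()
    return any(fnmatchcase(name, p.lower()) for p in patterns)


def icmp_monitor(host):
    """An ICMP monitor sees only echo replies: a host that drops ICMP looks
    down even though the host itself is still running."""
    return host["powered_on"] and not host["drops_icmp"]


def global_availability(pool_order, health):
    """Return the first server in list order that the monitor reports as up."""
    for server in pool_order:
        if health.get(server, False):
            return server
    return None


def resolve(qname, health):
    """Return (path, address): DTC answers matching names, normal DNS the rest."""
    if not lbdn_matches(qname):
        return ("normal-dns", None)
    server = global_availability(POOL_ORDER, health)
    if server is None:
        return ("dtc-no-server", None)   # modelling assumption, not product behaviour
    return ("dtc", SERVERS[server])


def replay_lab(qname="www.xyzcorp.com"):
    """Replay the lab: before the iptables DROP rule, with it, after deleting it."""
    hosts = {name: {"powered_on": True, "drops_icmp": False} for name in POOL_ORDER}
    results = []
    for drops in (False, True, False):
        hosts["PrimaryDatacenter"]["drops_icmp"] = drops
        health = {name: icmp_monitor(host) for name, host in hosts.items()}
        results.append(resolve(qname, health))
    return results


if __name__ == "__main__":
    for phase, answer in zip(("primary up", "icmp dropped", "icmp restored"), replay_lab()):
        print(phase, answer)
```

In the second phase the Primary host is still powered on; only its ICMP replies are dropped, which is enough for an ICMP-only monitor to move all traffic to the Secondary.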


More information

Data Plane Protection. The googles they do nothing.

Data Plane Protection. The googles they do nothing. Data Plane Protection The googles they do nothing. Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing. Can be, ICMP (smurf, POD), SYN, Application attacks.

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

DEPLOYMENT GUIDE. Load Balancing VMware Unified Access Gateway

DEPLOYMENT GUIDE. Load Balancing VMware Unified Access Gateway DEPLOYMENT GUIDE Load Balancing VMware Unified Access Gateway Version History Date Version Author Description Compatible Versions Nov 2017 1.0 Matt Mabis Initial Document with How-To Configure F5 LTM with

More information

Install and Configure the TS Agent

Install and Configure the TS Agent Install or Upgrade the TS Agent, page 1 Start the TS Agent Configuration Interface, page 2 Configure the TS Agent, page 2 Creating the REST VDI Role, page 7 Install or Upgrade the TS Agent Before You Begin

More information

PAN 802.1x Connector Application Installation Guide

PAN 802.1x Connector Application Installation Guide PAN 802.1x Connector Application Installation Guide Version 1.2 "Copyright CodeCentrix. All rights reserved 2015. Version 1.2 Contact Information CodeCentrix www.codecentrix.co.za/contact Email: info@codecentrix.co.za

More information

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution F5 Technical Brief F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management

More information

vcloud Director Tenant Portal Guide vcloud Director 8.20

vcloud Director Tenant Portal Guide vcloud Director 8.20 vcloud Director Tenant Portal Guide vcloud Director 8.20 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

BIG-IP DNS Services: Implementations. Version 12.1

BIG-IP DNS Services: Implementations. Version 12.1 BIG-IP DNS Services: Implementations Version 12.1 Table of Contents Table of Contents Configuring DNS Express...9 What is DNS Express?...9 About configuring DNS Express...9 Configuring DNS Express to

More information

BIG-IP System: Migrating Devices and Configurations Between Different Platforms. Version

BIG-IP System: Migrating Devices and Configurations Between Different Platforms. Version BIG-IP System: Migrating Devices and Configurations Between Different Platforms Version 13.0.0 Table of Contents Table of Contents Migration of Configurations Between Different Platforms...5 About Migrating

More information

Install and Configure the TS Agent

Install and Configure the TS Agent Install the TS Agent, page 1 Start the TS Agent Configuration Interface, page 2 Configure the TS Agent, page 2 Creating the REST VDI Role, page 7 Install the TS Agent Before You Begin Confirm that the

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Application Notes for Configuring Infoblox DNSone DHCP Failover or High Availability in an Avaya Communication Manager IP Telephony Infrastructure - Issue 1.0

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE 12-07-2016 BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource.

More information

Integration with ForeScout

Integration with ForeScout DEPLOYMENT GUIDE Integration with ForeScout Outbound API 2018-02-28 2017 Infoblox Inc. All rights reserved. Integration with ForeScout August 2017 Page 1 of 12 Contents Prerequisites... 3 Limitations...

More information

Managing External Identity Sources

Managing External Identity Sources CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other

More information

Link Platform Manual. Version 5.0 Release Jan 2017

Link Platform Manual. Version 5.0 Release Jan 2017 Version 5.0 Release 4.1.1 Jan 2017 Link Platform Manual Copyright 2017 NetLinkz. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system,

More information

Cisco Expressway Cluster Creation and Maintenance

Cisco Expressway Cluster Creation and Maintenance Cisco Expressway Cluster Creation and Maintenance Deployment Guide First Published: December 2009 Last Updated: December 2017 Cisco Expressway X8.10 Cisco Systems, Inc. www.cisco.com Contents Preface 3

More information

BIG-IP Service Provider: Message Routing Administration. Version 13.0

BIG-IP Service Provider: Message Routing Administration. Version 13.0 BIG-IP Service Provider: Message Routing Administration Version 13.0 Table of Contents Table of Contents Using the Diameter Configuration Wizard...5 Overview: Diameter Configuration Wizard... 5 About

More information

vrealize Orchestrator Load Balancing

vrealize Orchestrator Load Balancing vrealize Orchestrator Load Balancing Configuration Guide Version 7.4 T E C H N I C A L W H I T E P A P E R A P R I L 2 0 1 8 V E R S I O N 1 Table of Contents Introduction... 5 Load Balancing Concepts...

More information

KillTest ᦝ䬺 䬽䭶䭱䮱䮍䭪䎃䎃䎃ᦝ䬺 䬽䭼䯃䮚䮀 㗴 㓸 NZZV ]]] QORRZKYZ PV ٶ瀂䐘މ悹伥濴瀦濮瀃瀆ݕ 濴瀦

KillTest ᦝ䬺 䬽䭶䭱䮱䮍䭪䎃䎃䎃ᦝ䬺 䬽䭼䯃䮚䮀 㗴 㓸 NZZV ]]] QORRZKYZ PV ٶ瀂䐘މ悹伥濴瀦濮瀃瀆ݕ 濴瀦 KillTest Exam : 1Y0-A21 Title : Basic Administration for Citrix NetScaler 9.2 Version : Demo 1 / 5 1.Scenario: An administrator is working with a Citrix consultant to architect and implement a NetScaler

More information

R5: Configuring Windows Server 2008 R2 Network Infrastructure

R5: Configuring Windows Server 2008 R2 Network Infrastructure 70-642 R5: Configuring Windows Server 2008 R2 Network Infrastructure Course Introduction Course Introduction Chapter 01 - Understanding and Configuring IP Lesson 1: Introducing the OSI Model Understanding

More information

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org Load Balancing Microsoft IIS Deployment Guide v1.6.4 Copyright Loadbalancer.org Table of Contents 1. About this Guide...4 2. Loadbalancer.org Appliances Supported...4 3. Loadbalancer.org Software Versions

More information

Creating and Managing a Content Server Cluster

Creating and Managing a Content Server Cluster CHAPTER 10 This chapter describes the main features, system requirements, setup, and management of a Cisco TelePresence Content Server (TCS) cluster. To a user, a Content Server Cluster behaves exactly

More information

Integration with Tenable Security Center

Integration with Tenable Security Center DEPLOYMENT GUIDE Integration with Tenable Security Center Outbound API 2017 Infoblox Inc. All rights reserved. Integration with Tenable Security Center August 2017 Page 1 of 10 Contents Introduction...

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org Load Balancing Web Proxies / Filters / Gateways Deployment Guide v1.6.5 Copyright Loadbalancer.org Table of Contents 1. About this Guide...4 2. Loadbalancer.org Appliances Supported...4 3. Loadbalancer.org

More information

Infoblox Cloud Platform and Cloud Network Automation

Infoblox Cloud Platform and Cloud Network Automation DEPLOYMENT GUIDE Infoblox Cloud Platform and Cloud Network Automation 2017 Infoblox Inc. All rights reserved. Infoblox Cloud Platform and Cloud Network Automation October 2017 Page 1 of 41 Contents Introduction...

More information

Table of Contents HOL NET

Table of Contents HOL NET Table of Contents Lab Overview - - VMware NSX Multi-Site and SRM in an Active- Standby Setup... 2 Lab Guidance... 3 Lab Introduction... 9 Module 1 - Review Pre-Configured Multi-Site NSX and Configure Site-Local

More information