Transparent DNS query intercept

[Figure: Transparent DNS query intercept]

Labels in the figure:

Authoritative DNS server for domain brocade.com: 209.157.23.130
ServerIron (SI) configured to intercept DNS queries to 209.157.23.130
Alternative (proxy) DNS: 209.200.22.100
Source IP address: 209.157.23.100

Steps shown in the figure:

1. Client’s local DNS server sends a recursive query for brocade.com.

2. ServerIron either redirects client query to the proxy DNS server, or intercepts and directly responds to the query. Whether the ServerIron redirects or directly responds to query depends on transparent DNS configuration.

3. If ServerIron redirects client query to the proxy DNS server, the DNS server sends response back to the ServerIron, to the configured source IP address.

4. ServerIron changes the source address in the reply to the authoritative DNS server. If the reply is from a proxy DNS server, the ServerIron also changes the destination address from the ServerIron’s source IP address to the client’s IP address.

5. Client receives response. Source address of response is the authoritative DNS server. The ServerIron’s redirection or interception is transparent to the client.

Redirecting queries

To configure transparent DNS query intercept to redirect queries to a proxy DNS server or another GSLB ServerIron ADX:

1. Configure a real server with the IP address of the proxy DNS server or other GSLB ServerIron ADX to which you want to redirect queries.

2. Configure a virtual server with the IP address of the authoritative DNS server that you want to intercept.

3. Specify the domain and host application for which you want to intercept queries.

4. Configure an IP policy to enable the ServerIron ADX to examine incoming DNS packets.

NOTE

In a standard GSLB configuration, the ServerIron ADX sends a DNS query to the DNS server to get the IP addresses for the domain and performs health checks on them. However, in transparent intercept mode, where you do not do GSLB on the DNS response, the ServerIron ADX neither sends that query nor performs those health checks.

NOTE

The ServerIron ADX intercepts queries only for domain names configured on the ServerIron ADX. For domain names that are not configured on the ServerIron ADX, the ServerIron ADX still sends queries to the authoritative DNS server.
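
The address rewriting in steps 2 to 5 of the figure, together with the note on configured domains, modelled as an added Python example (not Brocade code and not ServerIron configuration). The three addresses are the figure's; matching replies by DNS transaction ID, the suffix match on the domain, and the client address used in the test are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

AUTH_DNS = "209.157.23.130"    # authoritative DNS server (virtual server address)
PROXY_DNS = "209.200.22.100"   # proxy DNS server (real server address)
SI_SOURCE = "209.157.23.100"   # source IP address configured on the ServerIron


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    txid: int          # DNS transaction ID
    qname: str
    answer: str = ""


class InterceptModel:
    """Toy model of redirect mode; the txid-keyed pending table is an assumption."""

    def __init__(self, domains):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.pending = {}  # txid -> address of the client that sent the query

    def configured(self, qname):
        # Assumption: a query matches if it is the domain or a name under it.
        name = qname.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def on_query(self, pkt):
        # Step 2: redirect only queries to the intercepted address for a configured domain.
        if pkt.dst != AUTH_DNS or not self.configured(pkt.qname):
            return pkt  # still goes to the authoritative DNS server, unchanged
        self.pending[pkt.txid] = pkt.src
        return replace(pkt, src=SI_SOURCE, dst=PROXY_DNS)

    def on_reply(self, pkt):
        # Steps 3-4: the proxy answers to the source IP; both addresses are rewritten.
        if pkt.src != PROXY_DNS or pkt.dst != SI_SOURCE or pkt.txid not in self.pending:
            return pkt
        return replace(pkt, src=AUTH_DNS, dst=self.pending.pop(pkt.txid))


def resolve_via_model(client_ip, qname, txid, proxy_answer):
    """Run one query through the model; return (packet sent upstream, reply the client sees)."""
    si = InterceptModel(["brocade.com"])
    upstream = si.on_query(Packet(client_ip, AUTH_DNS, txid, qname))
    if upstream.dst == PROXY_DNS:
        reply = Packet(PROXY_DNS, upstream.src, txid, qname, proxy_answer)
    else:  # not intercepted: the authoritative server answers directly
        reply = Packet(AUTH_DNS, upstream.src, txid, qname, "authoritative-answer")
    return upstream, si.on_reply(reply)
```

In the redirected case the reply the client sees carries 209.157.23.130 as its source, so the source address alone does not show which server produced the answer.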

ServerIron ADX Global Server Load Balancing Guide

53-1002437-01

Brocade Communications Systems 12.4.00 manual Redirecting queries, Transparent DNS query intercept