infoblox_nios:dtc

Differences

This shows you the differences between two versions of the page.

infoblox_nios:dtc [2023/07/10 12:26] bstaffordinfoblox_nios:dtc [2025/08/24 17:02] (current) – [EDNS0] bstafford
Line 3: Line 3:
 The DTC uses a MaxMind database for GeoIP information. The one that comes with NIOS is old. The DTC uses a MaxMind database for GeoIP information. The one that comes with NIOS is old.
  
-You can [[https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en|sign up]] for a free account with MaxMind and download the [[https://www.maxmind.com/en/accounts/835974/geoip/downloads|free "lite" version]] of the database+You can [[https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en|sign up]] for a free account with MaxMind and download the [[https://www.maxmind.com/en/accounts/835974/geoip/downloads|free "lite" version]] of the database. "GeoLite2-City" gives you city level data. Extract the GeoLite2-City.mmdb file from the tar.gz download file and upload to NIOS under Grid > DNS > Traffic Control > Topology Database > Import GeoIP Database.
  
 When the DTC subscription expires, [[https://docs.infoblox.com/space/nios86/25593433/License+Expiry|the expected behaviour]] is for the DTC service to stop working. When the DTC subscription expires, [[https://docs.infoblox.com/space/nios86/25593433/License+Expiry|the expected behaviour]] is for the DTC service to stop working.
  
 +  * **Internal & External Applications**: Leverages metadata to provide traffic management for internal services. Route and balance external traffic to optimatl resource based on rulesets.
 +  * **Disaster Recovery**: Automate service restoration for business-critical apps during disasters.
 +  * **Global Datacenter Management**: Distribute traffic intelligently to geo-diverse servers on premises or in the hybrid cloud.
 +  * **Hybrid/Multi-Cloud Enablement**: Enables hybrid and multi-cloud by load balancing multiple instances of an application in different sites across private, public, hybrid, and multi-cloud environments.
 +  * **View/Zone Consolidations**: Collapse views with redundant zones, while still retaining the ability to provide differentiated answers by client IP address. Eliminate double-work created by having multiple instances of the same zone.
 +  * **Cascade LBDNs for Multi-Tier Scalability**: Leverage multiple LBDNs in a cascading fashion for large multi-tier applications requiring scalable tiers of decision making.
 +  * **SRV Record Support**: Gives administrators a way to intelligently direct authentication by non-site-aware Active Directory clients.
 +
 +===== Enable/Disable =====
 +You can enabled/disable LBDN/Pool/Server without restarting DNS by using "DTC:Object".
 +
 +See [[infoblox:api#dtc|here]] for the API. In the UI, this requires hovering the cursor over the topology viewer.
 +===== Health Checks =====
 +
 +Data Management > DNS > Traffic Control > Manage Health Monitors > [Monitor Name] > Request / Response.
 +
 +In the "HTTP Request Box", don't forget that for proper monitoring you will need to include a second line with "HTTP/1.1" because, by default, DTC uses "HTTP/1.0"
 +
 +Also, if there are multiple sites behind one IP, you may need to add the "HOST ... " line
 +
 +e.g.
 +<code>GET /app1.html
 +HTTP/1.1
 +HOST: www.example.corp</code>
 +
 +If you need to use HOST, you will probably need to form the config as follows:
 +<code>GET http://www.dtc.example.corp/index.html
 +HTTP/1.1</code>
  
 ===== Limits ===== ===== Limits =====
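Review bot: The HTTP request example in the new Health Checks section (''GET /app1.html'' / ''HTTP/1.1'' / ''HOST: www.example.corp'') puts the protocol version on its own line, while the Panorama monitor added later in this same diff writes it on the request line (''GET /api/... HTTP/1.1''). An HTTP/1.1 request line is method, target and version on one line, and HTTP/1.1 also makes the Host header mandatory, so most servers will reject the request if the version arrives as a separate line; suggest checking what the DTC monitor actually puts on the wire (a capture on the monitored web server shows it) and making both examples consistent, and adding ''Connection: close'' as the Panorama example does so the monitor does not sit on a keep-alive connection. Two smaller points: the MaxMind link to ''/en/accounts/835974/geoip/downloads'' embeds the author's own account id and will not work for other readers, so link the generic GeoLite2 downloads page instead; and ''optimatl'' and ''You can enabled/disable'' are typos.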
Line 27: Line 55:
   * Use a naming convention for LBDN’s, and their associated Pools, Servers, and Topology rules.These naming conventions can be used for filtering within the GUI table views (they can be saved) and to identify a Server vs. Pool Topology rule   * Use a naming convention for LBDN’s, and their associated Pools, Servers, and Topology rules.These naming conventions can be used for filtering within the GUI table views (they can be saved) and to identify a Server vs. Pool Topology rule
  
 +===== DNSSEC =====
 +Documentation on DNSSEC with DTC is [[https://docs.infoblox.com/space/nios90/299368879/Managing+DNS+Traffic+Control+LBDNs|here]].
 +
 +You can have DNSSEC and DTC configurations on the same zone.  There are some prerequisites and limitations that you won’t come across with unsigned zones. 
 +  * The GM must have DTC license, because it will create signatures for each possible response.
 +  * There cannot be CNAMEs at the zone apex. Sometimes DTC is used for this workaround for BIND’s reluctance to put CNAMEs at the apex.
 +
 +See the section "[[https://docs.infoblox.com/space/nios90/299368879/Managing+DNS+Traffic+Control+LBDNs|Associating LBDNs with DNSSEC Signed Zones]]" in the documentation. 
 +===== EDNS0 =====
 +When using DTC, if you want DTC to consider EDNS0 option, select "When DNS Traffic Control is enabled, direct traffic according to EDNS0 Client Subnet when possible" from Grid Properties > Traffic Control.
 +
 +DTC doesn't pay any attention to the "Add" and "Copy" features of NIOS Forwarders (DNS Properties > Forwarding) as that feature is for Infoblox Threat Defense cloud only.
 +===== Healthcheck Palo Alto Networks Panorama =====
 +Use DTC to pole both members of a Panorama HA pair to see which is active. Use in "Global Availability" balance.
 +
 +HTTP request:
 +<code>
 + GET /api/?type=op&cmd=%3Cshow%3E%3Chigh-availability%3E%3Cstate%3E%3C%2Fstate%3E%3C%2Fhigh-availability%3E%3C%2Fshow%3E&key=my-really-long-api-key-here== HTTP/1.1
 + Host: panorama.example.com
 + Connection: close</code>
 +
 +Response Code Check
 +<code> A valid response code equals 200</code>
 +
 +Search for a string in the response content "both the header and body"
 +
 +Regular expression
 +<code> <state>primary-active</state></code>
 +
 +The content is valid if the regular expression is "found"
 ===== Logging ===== ===== Logging =====
 ==== HTTP Check ==== ==== HTTP Check ====
-The following is when checking that GET works with specific match in body.+ 
 +As per [[https://docs.infoblox.com/space/nios90/1381139017/Setting+DNS+Logging+Categories|Setting DNS Logging Categories]] page, you can enable logging for DTC at a Grid or member level. 
 + 
 +  * **DTC load balancing**: Records information about which client is directed to which server. 
 +  * **DTC health monitors**: Records any changes to the health state of a monitored server 
 + 
 +The following (DTC load balancing log) is when a client makes a query to something DTC answers. 
 + 
 +DNS query 
 +  * Facility: Daemon 
 +  * Level: Info 
 +  * Server: named 
 +  * Message: request [source: 192.168.11.30#43915, qname: web.desk.corp, rtype: A, lbdn: web.desk.corp], response [data: 192.168.16.238, rtype: A, ttl: 5] (1 of 1) 
 + 
 + 
 +The following (DTC health monitor log) is when checking that GET works with specific match in body
 + 
 +When the web server was broken by updating the page, the following message is generated.
   * Facility : ''User''   * Facility : ''User''
   * Level: ''INFO''   * Level: ''INFO''
   * Server: ''idns_healthd''   * Server: ''idns_healthd''
-  * Message: ''[HTTP monitor 'web-test' checked 'web1' (web1.staffordhome.uk:80), IPv4 status is OFFLINE (A match for the regular expression was 'not found' in the response. The configuration specifies 'found'.)]''+  * Message: ''[HTTP monitor 'web-test' checked 'web1' (web1.example.com:80), IPv4 status is OFFLINE (A match for the regular expression was 'not found' in the response. The configuration specifies 'found'.)]'' 
 + 
 + 
 +When the page is restored, the following message is generated. 
 +  * Facility : ''User'' 
 +  * Level: ''INFO'' 
 +  * Server: ''idns_healthd'' 
 +  * Message: ''[HTTP monitor 'web-test' checked 'web1' (web1.example.com:80), IPv4 status is ONLINE]'' 
 +  * Message: ''[ICMP monitor 'icmp' checked 'web1' (web3.example.com:0), IPv4 status is ONLINE]'' 
 + 
 +The following is for a failed ping. NIOS 9.0.6. Facility may be User in older versions. 
 +  * Facility: Kern 
 +  * Level: Info 
 +  * Server: idns_healthd 
 +  * Message: ''[ICMP monitor 'icmp' checked 'web1-server' (192.168.22.33:0), IPv4 status is OFFLINE (There was no response to the ICMP request.)]'' 
 + 
 +  * Facility: Kern 
 +  * Level: Info 
 +  * Server: idns_healthd 
 +  * Message: ''Message: [ICMP monitor 'icmp' checked 'web1-server' (192.168.22.33:0), IPv4 status is ONLINE]'' 
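Review bot: The Panorama monitor in this hunk carries the API key in the URL query string (''...&key=my-really-long-api-key-here=='' on the GET line), so the key is written to Panorama's web access logs and to any proxy on the path, and it sits in clear in the monitor definition on the Grid; suggest issuing that key for a dedicated Panorama admin with a read-only role limited to operational commands, running the monitor over HTTPS with the certificate validated, and noting that PAN-OS also accepts the key in an ''X-PAN-KEY'' request header, which keeps it out of the request line and the logs. The regex ''<state>primary-active</state>'' also only matches while the primary member is the active one; after a failover Panorama reports the active member as ''secondary-active'', so both members would show OFFLINE until failback, which defeats the stated purpose of finding which member is active. ''<state>(primary|secondary)-active</state>'' matches either case. Minor: ''pole'' should be ''poll''; the restored-page ICMP line reads ''checked 'web1' (web3.example.com:0)'' while the HTTP line for the same server says ''web1.example.com'', which looks like a slip in the sanitised hostname; and the final ICMP message has a doubled ''Message:'' prefix.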
infoblox_nios/dtc.1688991987.txt.gz · Last modified: by bstafford