DNS Traffic Control

The DTC uses a MaxMind database for GeoIP information. The one that comes with NIOS is old.

You can sign up for a free account with MaxMind and download the free "lite" version of the database. “GeoLite2-City” gives you city level data. Extract the GeoLite2-City.mmdb file from the tar.gz download file and upload to NIOS under Grid > DNS > Traffic Control > Topology Database > Import GeoIP Database.

When the DTC subscription expires, the expected behaviour is for the DTC service to stop working.

• Internal & External Applications: Leverages metadata to provide traffic management for internal services. Route and balance external traffic to optimatl resource based on rulesets.
• Disaster Recovery: Automate service restoration for business-critical apps during disasters.
• Global Datacenter Management: Distribute traffic intelligently to geo-diverse servers on premises or in the hybrid cloud.
• Hybrid/Multi-Cloud Enablement: Enables hybrid and multi-cloud by load balancing multiple instances of an application in different sites across private, public, hybrid, and multi-cloud environments.
• View/Zone Consolidations: Collapse views with redundant zones, while still retaining the ability to provide differentiated answers by client IP address. Eliminate double-work created by having multiple instances of the same zone.
• Cascade LBDNs for Multi-Tier Scalability: Leverage multiple LBDNs in a cascading fashion for large multi-tier applications requiring scalable tiers of decision making.
• SRV Record Support: Gives administrators a way to intelligently direct authentication by non-site-aware Active Directory clients.

You can enabled/disable LBDN/Pool/Server without restarting DNS by using “DTC:Object”.

See here for the API. In the UI, this requires hovering the cursor over the topology viewer.

Data Management > DNS > Traffic Control > Manage Health Monitors > [Monitor Name] > Request / Response.

In the “HTTP Request Box”, don't forget that for proper monitoring you will need to include a second line with “HTTP/1.1” because, by default, DTC uses “HTTP/1.0”

Also, if there are multiple sites behind one IP, you may need to add the “HOST … ” line

e.g.

GET /app1.html
HTTP/1.1
HOST: www.example.corp

If you need to use HOST, you will probably need to form the config as follows:

GET http://www.dtc.example.corp/index.html
HTTP/1.1

• You can choose up to 4 Extensible Attributes to use as source types for topology rules.
• GSLB results are returned only if the query resolves to an authoritative zone to which an LBDN is explicitly linked.
• DNS Traffic Control querying process is not supported for recursive queries.
• No authentication support in HTTP or HTTP/S monitor.
• No Automatic MaxMind updates. A single MaxMind DB per grid and only gets updated when anew version is manually uploaded. Please note- this does not need to be updated very often.
• The SIP monitor does not support SCTP transport.
• DNS Traffic Control license cannot be installed on the Infoblox 4030 appliance as it is intended as a caching only appliance.
• Infoblox does not support running DNS Traffic Control on the TE-810 and TE-820 appliances.
• DTC health monitoring does not monitor dual stack servers (supporting IPv4 and IPv6interfaces) if the Infoblox appliance health monitoring interface does not also have IPv4 andIPv6 IP stacks.
• The DNS Traffic Control does not support the Global application of an LBDN pattern against all queries. The appliance returns a result only if the query resolves to an authoritative zone to which an DNS Traffic Control LBDN is explicitly linked.

Best Practices To get the most from Infoblox DTC, Infoblox recommends the following best practices:

• A new DTC configuration should always be tested using the built-in LBDN test tool.
• For web application servers, HTTP and HTTP/S health monitors should be used to verify application level availability i.e. test for a specific string being returned rather than simply port80 availability.
• Always view the traffic management structures through the built-in hierarchical map view that can be used to quickly view the overall traffic management structure of a selected DNS Traffic Control Object.
• Use a naming convention for LBDN’s, and their associated Pools, Servers, and Topology rules.These naming conventions can be used for filtering within the GUI table views (they can be saved) and to identify a Server vs. Pool Topology rule

Documentation on DNSSEC with DTC is here.

You can have DNSSEC and DTC configurations on the same zone. There are some prerequisites and limitations that you won’t come across with unsigned zones.

• The GM must have DTC license, because it will create signatures for each possible response.
• There cannot be CNAMEs at the zone apex. Sometimes DTC is used for this workaround for BIND’s reluctance to put CNAMEs at the apex.

See the section “Associating LBDNs with DNSSEC Signed Zones” in the documentation.

When using DTC, if you want DTC to consider EDNS0 option, select “When DNS Traffic Control is enabled, direct traffic according to EDNS0 Client Subnet when possible” from Grid Properties > Traffic Control.

DTC doesn't pay any attention to the “Add” and “Copy” features of NIOS Forwarders (DNS Properties > Forwarding) as that feature is for Infoblox Threat Defense cloud only.

Use DTC to pole both members of a Panorama HA pair to see which is active. Use in “Global Availability” balance.

HTTP request:

	GET /api/?type=op&cmd=%3Cshow%3E%3Chigh-availability%3E%3Cstate%3E%3C%2Fstate%3E%3C%2Fhigh-availability%3E%3C%2Fshow%3E&key=my-really-long-api-key-here== HTTP/1.1
	Host: panorama.example.com
	Connection: close

Response Code Check

	A valid response code equals 200

Search for a string in the response content “both the header and body”

Regular expression

	<state>primary-active</state>

The content is valid if the regular expression is “found”

As per Setting DNS Logging Categories page, you can enable logging for DTC at a Grid or member level.

• DTC load balancing: Records information about which client is directed to which server.
• DTC health monitors: Records any changes to the health state of a monitored server

The following (DTC load balancing log) is when a client makes a query to something DTC answers.

DNS query

• Facility: Daemon
• Level: Info
• Server: named
• Message: request [source: 192.168.11.30#43915, qname: web.desk.corp, rtype: A, lbdn: web.desk.corp], response [data: 192.168.16.238, rtype: A, ttl: 5] (1 of 1)

The following (DTC health monitor log) is when checking that GET works with specific match in body.

When the web server was broken by updating the page, the following message is generated.

• Facility : User
• Level: INFO
• Server: idns_healthd
• Message: [HTTP monitor 'web-test' checked 'web1' (web1.example.com:80), IPv4 status is OFFLINE (A match for the regular expression was 'not found' in the response. The configuration specifies 'found'.)]

When the page is restored, the following message is generated.

• Facility : User
• Level: INFO
• Server: idns_healthd
• Message: [HTTP monitor 'web-test' checked 'web1' (web1.example.com:80), IPv4 status is ONLINE]
• Message: [ICMP monitor 'icmp' checked 'web1' (web3.example.com:0), IPv4 status is ONLINE]

The following is for a failed ping. NIOS 9.0.6. Facility may be User in older versions.

• Facility: Kern
• Level: Info
• Server: idns_healthd
• Message: [ICMP monitor 'icmp' checked 'web1-server' (192.168.22.33:0), IPv4 status is OFFLINE (There was no response to the ICMP request.)]

• Facility: Kern
• Level: Info
• Server: idns_healthd
• Message: Message: [ICMP monitor 'icmp' checked 'web1-server' (192.168.22.33:0), IPv4 status is ONLINE]