Netscaler VPX as Conditional Forwarder DNS

[Hendra Irawan1709154458]

Hi All,

 

Our environment requires its Netscaler VPX function as conditional forwarder only to certain domain. Example: netscaler only forward to another internal DNS Server if query name contain *.corp.domain.net. If name requests to external domain, or others domain, request should be dropped.

 

For some reasons, we set client secure environment's DNS server points to SNIP Address of netscaler. ADNS Service has been configured on netscaler.

 

If we add manually address records for *.corp.domain.net and their ip addresses, client can resolve the name. Also, if we run: "show dns addrec host1", then new proxy record appear on address records: host1.corp.domain.net. Then, client can resolve the address host1.corp.domain.net.

 

How can we achieve so that client can resolve all records on corp.domain.net domain automatically, without running "show dns addrec <address record>" manually?

 

We have set "enable recursion" on DNS settings, on Name servers we add another internal DNS server, and on DNS Suffix, we have add "corp.domain.net" domain.

 

 

 

[CarlStalhood]

Instead of ADNS, create a Load Balancing vServer for DNS protocol. Bind your internal DNS servers to the LB vServer. Then submit queries to the LB vServer.

[Hendra Irawan1709154458]

Hi Carl,

 

After searching, this requirement can be achieved by using dns responder policy and binding it to the vServer of DNS server. http://blog.norz.at/protect-a-dns-server-using-a-citrix-netscaler/

[Mike Chomicz]

@Hendra Irawan1709154458 are you able to provide more details about your config? im looking to do what appears to be the same thing - the link you've provided only has the responder policy dropping requests to a given domain... how do you make it so it uses the netscaler as a forwarder without having to manually run the show dns addrec command? 

[OM Kaewsaenchai]

On 11/27/2020 at 2:08 AM, Mike Chomicz said:

@Hendra Irawan1709154458 are you able to provide more details about your config? im looking to do what appears to be the same thing - the link you've provided only has the responder policy dropping requests to a given domain... how do you make it so it uses the netscaler as a forwarder without having to manually run the show dns addrec command? 

I know your struggle. Citrix Edocs is very poorly written from Lazy Staff or the one who didn't really know that features.

 

You cannot just add Subnet IP as ADNS and point to lookup a that IP, It does not work.(It will only work for local ADNS that NetScaler is ADNS but it won't forward to lookup other external zone /records)

What you need is

1. Need to create Normal LB Virtual Server Protocol = DNS     bine with normal DNS service/service Group. This is your external DNS forwarder.

2. At Traffic Management > DNS > Name Server  > you must add DNS Verserver Created from step 1. Here(This is important! It would tell Netscaler to go resolve external forwarder.)

3. At Traffic Management > DNS > xxxx  1. Create your  NS record , 2. SOA Record, Zone  3. create PROXY MODE=NO  that will make Netscaler as ADNS for that Zone. 

** Youi need to create in this order 1, 2. 3.  ** cannot create Zone PROXY MODE = NO without SOA record.

4. Add any Record Type as required A, MX, txt, SRV, cname, etc...

5. All the client would point to use the DNS VIP as the DNS server IP for lookup.

Edited June 16, 2022 by OM Kaewsaenchai
Add missing info.