GSS & DNS

Mahmoud El Safty is a Global Knowledge Cisco instructor who teaches and blogs from Global Knowledge Egypt.

Although the GSS can be configured to be authoritative for an entire domain, e.g. cisco.com (option 1), it is designed to be integrated into an existing DNS infrastructure, BIND-based or otherwise. The GSS operates as an A-record DNS server for Hosted Domains (HDs) for which it has been delegated authority from a higher-level name server, generally a name server (NS) controlled by an enterprise or ISP. In addition to A-record support, the GSS can proxy other query types using NS Forwarding to a back-end name server such as BIND.

Cisco best-practice recommends that the GSS be delegated authority for a fully qualified domain name (FQDN), e.g. www.cisco.com, or an entire sub-domain (*.gss.cisco.com). See examples later in this section.

Clients (web browsers, streaming media players) send recursive DNS requests to their local name servers (the DNS proxy, or D-proxy) for web pages or for linked content embedded within those pages. Through normal iterative DNS processing and caching, the D-proxy queries the root name server, the top-level domain name server (e.g. a public .com NS), possibly other intermediate name servers (e.g. the corporate cisco.com NS), and ultimately the GSS.

Figure 1 Client resolver iterative DNS process using Cisco GSS

Figure 1 summarizes how the GSS interacts with the client in the Website selection process:

    1. A client (DSL or mobile user, etc.) wants to access the website “www.cisco.com”. The resolver (client) sends a recursive query for www.cisco.com to its local DNS name server (D-proxy).
    2. The local D-proxy does not have an IP address for www.cisco.com, so it sends an iterative query to a root name server. The root name server replies with the addresses of the intermediate (Top Level Domain, TLD) name servers responsible for the .com domain.
    3. The local D-proxy sends a query to the .com name server, which responds by referring the D-proxy to the authoritative name server for cisco.com.
    4. When the local D-proxy sends a query to the authoritative name server for cisco.com, it responds with the IP addresses of the two GSSs, which tells the D-proxy to ask the GSSs for the IP address of www.cisco.com.
    5. The local D-proxy sends its final request directly to one of the two GSSs. The GSS is authoritative for the www.cisco.com subdomain, so it sends the IP address to the D-proxy. The GSS returns the IP address of the “best” SLB at a specific data center; in this case, the SLB at data center 1.
    6. The DNS global load-balancing process is complete; the client is directed to the SLB at data center 1 by the IP control or forwarding plane.

Option 2 – Direct delegation of A records to GSS

$TTL 3h
cisco.com. IN SOA nameserver1.cisco.com. adminemail.cisco.com. (
2003070801      ; Serial
3h   ; Refresh  after 3 hours
1h   ; Retry after 1 hour
1w   ; Expire after 1 week
1h ) ; Negative caching TTL of 1 hour
;
; Name servers
;
cisco.com. IN NS nameserver1.cisco.com.
www.cisco.com. IN NS gss1.cisco.com.  <— NS record for www.cisco.com via GSS1
www.cisco.com. IN NS gss2.cisco.com.  <— NS record for www.cisco.com via GSS2
;
; Addresses
;
localhost.cisco.com. IN A 127.0.0.1
nameserver1.cisco.com.     IN A 10.10.10.1
gss1.cisco.com.      IN A 10.1.1.254  <— A record for GSS1
gss2.cisco.com.      IN A 10.1.2.254  <— A record for GSS2
;
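As an added example that is not part of the original article, a small Python check over a zone modelled on the Option 2 file above: it expands relative names the way BIND does and reports every delegation below the apex whose owner or nameserver name got the origin appended twice (a missing trailing dot) or whose in-zone nameserver has no A record. The zone text is constructed, and its second www NS line deliberately lacks the trailing dot.

```python
import re
ORIGIN = "cisco.com."

# Constructed zone text modelled on the Option 2 example above; the second
# www NS line deliberately lacks the trailing dot (BIND silently expands it).
ZONE = """\
$TTL 3h
cisco.com. IN SOA nameserver1.cisco.com. adminemail.cisco.com. (
        2003070801 3h 1h 1w 1h )   ; serial, refresh, retry, expire, neg. TTL
cisco.com.      IN NS nameserver1.cisco.com.
www.cisco.com.  IN NS gss1.cisco.com.
www.cisco.com   IN NS gss2.cisco.com.
gss1.cisco.com. IN A  10.1.1.254
gss2.cisco.com. IN A  10.1.2.254
"""

def absolute(name, origin):
    return name if name.endswith(".") else f"{name}.{origin}"  # BIND appends $ORIGIN

def parse_zone(text, origin):
    """Return (owner, rrtype, rdata) triples from a minimal BIND-style zone."""
    text = re.sub(r";[^\n]*", "", text)        # strip comments
    text = re.sub(r"\([^)]*\)", "", text)      # fold the SOA parenthesised timers
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].startswith("$"): # blank lines and $TTL directives
            continue
        owner, rrtype, rdata = absolute(f[0], origin), f[2], f[3]
        if rrtype in ("NS", "CNAME"):
            rdata = absolute(rdata, origin)    # host names in rdata expand too
        records.append((owner, rrtype, rdata))
    return records

def check_delegations(records, origin):
    """List every NS delegation below the apex with a verdict: origin doubled
    (missing trailing dot), in-zone nameserver without an A record, or ok."""
    have_a = {o for o, t, _ in records if t == "A"}
    findings = []
    for owner, rrtype, ns in records:
        if rrtype != "NS" or owner == origin:
            continue
        if owner.endswith(origin + origin) or ns.endswith(origin + origin):
            verdict = f"missing trailing dot: expanded to {owner} NS {ns}"
        elif ns.endswith(origin) and ns not in have_a:
            verdict = f"in-zone nameserver {ns} has no A record (glue)"
        else:
            verdict = "ok"
        findings.append((owner, ns, verdict))
    return findings
```

Run `check_delegations(parse_zone(ZONE, ORIGIN), ORIGIN)` against a real zone export before handing the delegation to the GSS; the doubled-origin case is the one that fails silently in production.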

Option 3 – Delegate subdomain to GSS’s using CNAME’s

CNAMEs can be used to reduce the number of NS records configured within the DNS database: one delegated subdomain serves any number of aliased names. Here the client still asks for www.cisco.com, but the name server maps that name to www.gslb.cisco.com using a CNAME record and responds to the client D-proxy with the NS records (and addresses) of the GSSs for gslb.cisco.com. The client D-proxy caches these NS records and then sends its query for www.gslb.cisco.com to the GSSs in a round-robin fashion.

Note: If the D-proxy sends a request to gss1 and gets no response within 5 seconds, it automatically tries gss2. The D-proxy then doubles the polling interval to 10, 20 and 40 seconds to see whether gss1 has recovered. Once it finds a responding GSS it locks on to it; if both are available it round-robins between them.

$TTL 3h
cisco.com. IN SOA nameserver1.cisco.com. adminemail.cisco.com. (
2003070801      ; Serial
3h   ; Refresh  after 3 hours
1h   ; Retry after 1 hour
1w   ; Expire after 1 week
1h ) ; Negative caching TTL of 1 hour
;
; Name servers
;
cisco.com. IN NS nameserver1.cisco.com.
gslb.cisco.com.     IN NS gss1.gslb.cisco.com.  <— delegates authority for gslb.cisco.com via GSS1
gslb.cisco.com.     IN NS gss2.gslb.cisco.com.  <— delegates authority for gslb.cisco.com via GSS2
;
; Addresses
;
localhost.cisco.com.       IN A 127.0.0.1
nameserver1.cisco.com.          IN A 10.10.10.1
gss1.gslb.cisco.com.       IN A 10.1.1.254  <— A record for GSS1
gss2.gslb.cisco.com.       IN A 10.1.2.254  <— A record for GSS2
;
; Aliases
;
www.cisco.com.      IN CNAME www.gslb.cisco.com.  <— client can use either name
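As an added example that is not part of the original article, the following Python model replays the Figure 1 iteration against in-memory copies of the Option 3 records: the D-proxy walks from the root to .com to cisco.com, chases the www.cisco.com CNAME, alternates between gss1 and gss2, and skips a GSS that does not answer, as the note above describes. The root and .com server names and the SLB VIP 10.20.1.100 are constructed.

```python
# Constructed in-memory name servers mirroring the Option 3 zone above, plus a
# hypothetical root and .com server; the SLB VIP 10.20.1.100 is made up.
SERVERS = {
    "root": {"com.": ("NS", ["tld.example."])},
    "tld.example.": {"cisco.com.": ("NS", ["nameserver1.cisco.com."])},
    "nameserver1.cisco.com.": {
        "www.cisco.com.": ("CNAME", ["www.gslb.cisco.com."]),
        "gslb.cisco.com.": ("NS", ["gss1.gslb.cisco.com.", "gss2.gslb.cisco.com."]),
    },
    # each GSS is authoritative only for the delegated subdomain
    "gss1.gslb.cisco.com.": {"www.gslb.cisco.com.": ("A", ["10.20.1.100"])},
    "gss2.gslb.cisco.com.": {"www.gslb.cisco.com.": ("A", ["10.20.1.100"])},
}
RR = {}   # per-delegation round-robin pointer: the D-proxy alternates gss1/gss2

def lookup(server, qname, down):
    """Answer like an authoritative server: the exact record, else the closest
    enclosing delegation, else NXDOMAIN. None models a server that times out."""
    if server in down:
        return None
    zone, name = SERVERS[server], qname
    while name:
        if name in zone:
            return zone[name]
        name = name.split(".", 1)[1]            # drop the leftmost label
    return ("NXDOMAIN", [])

def resolve(qname, server="root", trail=None, down=frozenset()):
    """D-proxy iteration from the root to the GSS: follow referrals, chase the
    Option 3 CNAME, skip a silent GSS. Returns (addresses, servers asked)."""
    trail = [] if trail is None else trail
    if not trail or trail[-1] != server:
        trail.append(server)
    rtype, values = lookup(server, qname, down) or ("TIMEOUT", [])
    if rtype == "A":
        return values, trail
    if rtype == "CNAME":                        # the same server holds the delegation
        return resolve(values[0], server, trail, down)
    if rtype == "NS":
        key = tuple(values)
        RR[key] = start = (RR.get(key, -1) + 1) % len(values)
        for i in range(len(values)):            # round-robin first, fail over on timeout
            addrs, trail = resolve(qname, values[(start + i) % len(values)], trail, down)
            if addrs:
                return addrs, trail
    return [], trail
```

Calling `resolve("www.cisco.com.")` twice shows the alternation between the two GSSs; passing `down={"gss1.gslb.cisco.com."}` shows the D-proxy falling over to gss2 after the silent gss1.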

1 comment

  1. Savad

    Hi,

    I have domain xyz.com with a DNS server 192.168.1.100.
    GSS is implemented with IP 192.168.1.139 which is again connected to the Cisco ACE load balancer with virtual IP 192.168.2.100 in head office and 192.168.3.100 in DR site which are further connected to the application servers. All are part of xyz.com.

    We configured GSS and are able to access the application if we give GSS as the DNS server, i.e. http://test.xyz.com is getting resolved to the VIP of either HO or DR.

    But I don't know how to create a forwarder in my Windows server to the GSS for my users, since it's part of the same domain xyz.com.

    Can you please help.