Author Topic: DNS Proxy - DNS Lookup Validation Fails  (Read 399 times)

Offline KgixCraig

DNS Proxy - DNS Lookup Validation Fails
« on: January 30, 2012, 03:21:57 PM »
Hi All,

I'm rather new to Netscalers in general, and recently configured our name servers to operate from the Netscalers, and proxy through to our actual name servers for all requests.

This works perfectly, except that we have a client who has a '.si' domain extension which apparently has to pass extensive nameserver validation checks before name servers can be used with it. One of these appears to be the inclusion of the list of authoritative name servers in the DNS result. BIND does this by default, however the Netscaler does not for the second and subsequent cached results it returns (it does so only for the first result after the cache is cleared, presumably because it just passes the entire BIND-generated result from the back-end name server the first time it receives a DNS request for a particular domain).

To illustrate this, domainX.com exists on all four of our back-end name servers. If we run a 'dig' on a back-end server, we get this (IPs/nameservers changed):


; <<>> DiG 9.4.-ESV <<>> @ns-backend1.ourdomain.com domainX.com +nocomments +nocmd
; (1 server found)
;; global options:  printcmd
;domainX.com.      IN   A
domainX.com.   14400   IN   A   1.2.3.4
domainX.com.   86400   IN   NS   ns2.ourdomain.com.
domainX.com.   86400   IN   NS   ns3.ourdomain.com.
domainX.com.   86400   IN   NS   ns4.ourdomain.com.
domainX.com.   86400   IN   NS   ns1.ourdomain.com.


If, however, we run that against the Netscalers, we get this:

; <<>> DiG 9.4.-ESV <<>> @ns3.ourdomain.com domainX.com +nocomments +nocmd
; (1 server found)
;; global options:  printcmd
;domainX.com.      IN   A
domainX.com.   14400   IN   A   1.2.3.4


If I disable DNS caching on the Netscalers, it also works fine.

Now, clearly this is fine for DNS lookups, however for the required checks that the .si registry seems to do, this is causing us problems and is resulting in our client being unable to set our name servers as authoritative for their domains.

Hoping that someone might have a suggestion as to how we can resolve this... Thanks in advance for your time!

Warm regards,

Craig
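
A check for the symptom described in the post, as an added example that is not part of the original post: it parses raw DNS responses and lists the NS records in the authority section, so a back-end answer can be compared with a cached one. The function names and both sample messages are constructed for illustration (reusing domainX.com and the ns*.ourdomain.com names from the dig output), and it assumes the NS records sit in the authority section, where BIND places them for an A query.

```python
import struct

def encode_name(name):
    # Uncompressed wire encoding: length-prefixed labels, then a zero byte.
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"

def read_name(msg, off):
    labels, end = [], None
    for _ in range(128):  # bounded, so a compression-pointer loop cannot hang us
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", end or off + 1
        if n & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            end = end or off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    raise ValueError("name too long or compression loop")

def authority_ns(msg):
    # Return the NS targets carried in the authority section of a response.
    _, _, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    for i in range(an + ns):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == 2:  # type 2 = NS, authority records only
            found.append(read_name(msg, off)[0])
        off += rdlen
    return found

def build_response(qname, a_ip, ns_names):
    # Constructed sample: one A answer plus optional NS authority records.
    rr = lambda t, ttl, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, 1, len(ns_names), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    msg += rr(1, 14400, bytes(map(int, a_ip.split("."))))
    for n in ns_names:
        msg += rr(2, 86400, encode_name(n))
    return msg

BACKEND = build_response("domainX.com", "1.2.3.4", ["ns1.ourdomain.com", "ns2.ourdomain.com"])
CACHED = build_response("domainX.com", "1.2.3.4", [])
```

An empty list from `authority_ns` for a name whose back-end answer returns NS targets reproduces the difference between the two dig outputs.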