14.2.12 SDNS IANA
SDNS integrates the latest global IANA addresses. When any IP address is entered, SDNS will inquire the latest global IANA address list and gain the corresponding country/district name.
14.2.13 SDNS Dynamic Proximity System (DPS)
SDNS Dynamic Proximity aims at providing a dynamically generated proximity rule table, instead of statically configured proximity rules for SDNS. All the dynamic proximity entries in the table are collected by proximity detection methods.
Figure 14-4 SDNS DPS System
For SDNS DPS, DPS detectors are required for proximity detection and DPS servers are used for DNS resolution:
DPS detector:
- Get all the local DNS IP addresses from DPS masters for proximity detection
- Detect three kinds of dynamic proximity information by sending network requests to remote localDNS
- Report dynamic proximity detection results to DPS servers based on which DPS server may generate dynamic proximity rules
Note: The DPS detectors can be deployed on not only FortiBalancer appliances and but also servers that running the Linux or FressBSD operating system.
DPS server:
- Collect local DNS data and send them to DPS detectors for proximity detection (“sdns statistics on localdns”)
- Generate dynamic proximity rules used for DNS resolution based on detection results
- Accept DNS requests and resolve domain names based on dynamic proximity rules
How SDNS DPS Works
Referring to the above figure, a complete DPS works as follows:
- Users send DNS requests to SDNS DPS servers time and again;
- SDNS DPS servers can have a collection of domain names and corresponding client IP addresses (local DNS IP addresses) after a certain period of time;
- Some SDNS DPS servers (DPS masters) send the collected local DNS IP addresses to DPS detectors which are placed at all the CDN (Content Distribution Network) sites;
- DPS detectors begin to detect the proximities between their CDN sites and local DNSs;
- Once proximity detection is done, DPS detectors report the detection results to all the SDNS DPS servers;
- SDNS DPS servers will resolve domain names based on the proximity detection results.
When SDNS function is turned off, SDNS DPS severs will be turned off as well. However, if SDNS is turned on, SDNS DPS server will not be turned on automatically, and it can be turned on by using the command “sdns dps on”.
14.2.14 SDNS Full-DNS
SDNS supports all DNS resource record types, such as A record, AAAA record, MX record, CNAME record, PTR record etc. As an excellent domain name server, BIND 9 is integrated as a local DNS server in SDNS. Any query packets of A, AAAA and CNAME record types are processed by SDNS, while any other query packets are processed by BIND 9.
Note:
BIND 9 can only be configured via web UI, and CNAME can be configured via web UI or CLI.
CNAME records are only supported for the “region” method. If an SDNS host is not configured with the “region” method, the CNAME configurations on the host cannot work.
When SDNS recursive query is off, if the SDNS module or BIND 9 fails to process query packets, it will directly return failure responses. When SDNS recursive query is on, if the SDNS module fails to process query packets of the A, AAAA, or CNAME record type, BIND 9 will take over the processing of these query packets. Then, if BIND 9 still cannot process the query packets of the A, AAAA, or CNAME record type taken over from the SDNS module or the query packets of other record types, the FortiBalancer appliance will perform recursive queries by forwarding the query packets to other DNS servers for processing and return the final query results to the client.
Assume that only resource records of the A, AAAA, or CNAME type are available for the domain name “image.example.com”. To ensure that the query packets of the other record types can be correctly processed, you are advised to configure a TXT record in the following format for the domain name “example.com” in the BIND 9 zone file:
image IN TXT “A text string”
Note: The “text string” can be any descriptions about this domain name.
Figure 14-5 Full-DNS Working Flow
- The client sends a DNS query to the local DNS.
- The local DNS sends the query packets of any DNS record types (including A, AAAA, MX, CNAME, PTR etc) to FortiBalancer appliance.
- FortiBalancer returns the corresponding DNS record responses.
Note: If the DNS query is of the A record type and a corresponding A record is found in the address pool, the FortiBalancer returns the A record. If the corresponding A record is not found, the FortiBalancer searches for the corresponding CNAME. If the CNAME is available, the FortiBalancer returns the CNAME and the A record corresponding to the CNAME. The FortiBalancer implements the same process on the DNS query of the AAAA record type. If the DNS query is of the CNAME type, the FortiBalancer searches for the corresponding CNAME. If the CNAME is available, the FortiBalancer returns only the
CNAME.
14.2.15 IPv6 support for SDNS
The SDNS module can create the mapping between hostnames and IPv4 or IPv6 addresses through the A and AAAA records. Therefore, the hostnames in DNS queries not only from IPv4 clients but also from IPv6 clients can be resolved to IPv4 or IPv6 addresses.
To configure the AAAA record, it is required to use the “sdns ipv6”or “sdns pool ipv6” command. The AAAA records configured by using the “llb dns host” command cannot be used for the SDNS module. For the AAAA queries, the SDNS module supports only the RR method and does not support health check. Additionally, the IPv6 region table cannot be used in the SDNS module because SDNS proximity rules do not support IPv6.
14.3 GSLB Configuration
14.3.1 Configuration Guidelines
Table 14-1 General Settings of GSLB
Operation | Command |
Configure SLB | Refer to the SLB Configuration section. |
Configure LLB | Refer to the LLB Configuration section. |
Configure basic
SDNS |
sdns on [check|nocheck] sdns interval heartbeat [seconds] sdns interval report [seconds]
sdns member attribute <member_name> <ip> [port] [member_type] sdns member local <member_name> [max_tcp_connections] |
Configure SDNS host method | sdns host method <host_name> <method> [chain_name] sdns host ttl <host_name> <ttl> |
Configure region | sdns region location <region_name> [region_weight] sdns region division <region_name> {region/site_name} |
Configure pool | sdns pool method <host_name> {region|site} <pool_method>
<number_of_vips> [pool_type] sdns pool rule <rule_name> {region|site} <pool_method> <number_of_vips> sdns pool ip {host|rule_name} <pool_name> <vip> [weight] |
Configure disaster recovery | sdns group dr <group_name> <host_name> sdns group standby <group_name> <site_name> dns group primary <group_name> <site_name> |
Configure bandwidth | sdns bandwidth {region|site|member|vip} {region|site|member|ip address} <mode> <maxbandwidth> |
Configure DPS | sdns dps {on|off}
sdns dps master {on|off} <port> sdns dps interval send <interval> sdns dps interval query <interval> sdns dps history <interval> sdns dps member <member_ip> sdns dps detector <site_name> <ip> [port] [detect_interval] |
14.3.1.1 Topology 1
Three FortiBalancer appliances are configured as “all”-type SDNS member in the figure below.
Figure 14-6 Network Topology 1
The port2 IP addresses of the three FortiBalancer appliances are as follows:
FortiBalancer1: 10.3.200.1
FortiBalancer2: 10.3.200.2
FortiBalancer3: 10.3.200.3
14.3.1.2 Topology 2
Among the three FortiBalancer appliances in the figure below, FortiBalancer1 is configured as
“dns”-type SDNS member while FortiBalancer2 and FortiBalancer3 are configured as “proxy”-type SDNS members.
Figure 14-7 Network Topology 2
The port2 IP addresses of the three FortiBalancer appliances are as follows:
FortiBalancer1: 10.3.200.1
FortiBalancer2: 10.3.200.2
FortiBalancer3: 10.3.200.3
14.3.2 Configuration Example Based on Topology 1 via CLI
The basic configurations fall in to three sections as follows:
- SLB configuration: configure virtual IP address.
- LLB configuration: configure host name and assign IP addresses for it. SDNS basic parameter configurations.
14.3.2.1 Configuring SLB
FortiBalancer1
- Step 1 Configure a real server
FortiBalancer(config)#slb real http “rs1” 10.3.200.110 8080 1000 tcp 1 1
- Step 2 Configure avirtual server
FortiBalancer(config)#slb virtual http “vs1” 10.3.210.1 80
- Step 3 Configure SLB policy
FortiBalancer(config)#slb policy static “vs1” “rs1”
FortiBalancer2
- Step 1 Configure a real server
FortiBalancer(config)#slb real http “rs1” 10.3.200.110 8080 1000 tcp 1 1
- Step 2 Configure a virtual server
FortiBalancer(config)#slb virtual http “vs1” 10.3.220.1 80
- Step 3 Configure SLB policy
FortiBalancer(config)#slb policy static “vs1” “rs1”
FortiBalancer3
- Step 1 Configure a real server
FortiBalancer(config)#slb real http “rs1” 10.3.200.110 8080 1000 tcp 1 1
- Step 2 Configure a virtual server
FortiBalancer(config)#slb virtual http “vs1” 10.3.230.1 80
- Step 3 Configure SLB policy
FortiBalancer(config)#slb policy static “vs1” “rs1”
14.3.2.2 Configuring LLB
FortiBalancer1
- Step 1 Configure LLB DNS host entry
Three domain names are configured and each domain name is assigned with one IP address here.
FortiBalancer(config)#llb dns host “www.a.com” 10.3.210.1
FortiBalancer(config)#llb dns host “www.b.com” 10.3.210.1 FortiBalancer(config)#llb dns host “*.c.com” 10.3.210.1
- Step 2 Configure LLB DNS TTL (Time To Live)
FortiBalancer(config)#llb dns ttl “www.a.com” 60
FortiBalancer(config)#llb dns ttl “www.b.com” 60
FortiBalancer(config)#llb dns ttl “*.c.com” 60
FortiBalancer2
- Step 1 Configure LLB DNS host entry
Three domain names are configured and each domain name is assigned with one IP address here.
FortiBalancer(config)#llb dns host “www.a.com” 10.3.220.1
FortiBalancer(config)#llb dns host “www.b.com” 10.3.220.1
FortiBalancer(config)#llb dns host “*.c.com” 10.3.220.1
- Step 2 Configure LLB DNS TTL (Time To Live)
FortiBalancer(config)#llb dns ttl “www.a.com” 60
FortiBalancer(config)#llb dns ttl “www.b.com” 60
FortiBalancer(config)#llb dns ttl “*.c.com” 60
FortiBalancer3
- Step 1 Configure LLB DNS host entry
Three domain names are configured and each domain name is assigned with one IP address here.
FortiBalancer(config)#llb dns host “www.a.com” 10.3.230.1
FortiBalancer(config)#llb dns host “www.b.com” 10.3.230.1 FortiBalancer(config)#llb dns host “*.c.com” 10.3.230.1
- Step 2 Configure LLB DNS TTL (Time To Live)
FortiBalancer(config)#llb dns ttl “www.a.com” 60
FortiBalancer(config)#llb dns ttl “www.b.com” 60 FortiBalancer(config)#llb dns ttl “*.c.com” 60
14.3.2.3 Configuring Basic SDNS
FortiBalancer1
- Step 1 Enable SDNS
FortiBalancer(config)#sdns on
- Step 2 Configure SDNS members (their types are “all”)
FortiBalancer(config)#sdns member attribute FortiBalancer1 10.3.200.1 5888 all
FortiBalancer(config)#sdns member attribute FortiBalancer2 10.3.200.2 5888 all FortiBalancer(config)#sdns member attribute FortiBalancer3 10.3.200.3 5888 all
- Step 3 Configure FortiBalancer1 as a local member
FortiBalancer(config)#sdns member local FortiBalancer1
FortiBalancer2
- Step 1 Enable SDNS
FortiBalancer(config)#sdns on
- Step 2 Configure SDNS members (their types are “all”)
FortiBalancer(config)#sdns member attribute FortiBalancer1 10.3.200.1 5888 all
FortiBalancer(config)#sdns member attribute FortiBalancer2 10.3.200.2 5888 all
FortiBalancer(config)#sdns member attribute FortiBalancer3 10.3.200.3 5888 all
- Step 3 Configure FortiBalancer2 as a local member
FortiBalancer(config)#sdns member local FortiBalancer2
FortiBalancer3
- Step 1 Enable SDNS
FortiBalancer(config)#sdns on
- → Step 2 Configure SDNS members (their types are “all”)
FortiBalancer(config)#sdns member attribute FortiBalancer1 10.3.200.1 5888 all
FortiBalancer(config)#sdns member attribute FortiBalancer2 10.3.200.2 5888 all FortiBalancer(config)#sdns member attribute FortiBalancer3 10.3.200.3 5888 all
- Step 3 Configure FortiBalancer3 as a local member
FortiBalancer(config)#sdns member local FortiBalancer3