What the Server Suite DNS Subsystem Provides
Server Suite provides its own DNS subsystem that bypasses the local DNS resolver. It does so to avoid problems common to many local resolvers, including:
- Degraded performance when connecting to a slow DNS server or when attempting to use dead DNS servers.
- Degraded performance when reacquiring a DNS server that went offline and has come back online.
- Degraded performance related to DNS timeouts.
- Platform-specific DNS idiosyncrasies, such as mDNS, appending .LOCAL suffixes, and so on.
The Delinea DNS subsystem performs the following functions:
- Looks up hosts by name.
- Looks up hosts by IP address.
- Queries DNS service location (SRV) records to discover the domain controllers that provide Active Directory services, including KDC, KPASSWD, LDAP and the global catalog.
Resolving a Host Name or IP Address
When the DNS client subsystem receives a DNS request, it first tries to resolve the host name or IP address from the /etc/hosts file. If the file contains a valid entry for the specified host name or IP address, the request is satisfied from that entry.
Entries in /etc/hosts must be in the following format:
IPv4_address hostname alias alias ...
where:
- IPv4_address must be in the first position.
- hostname is a fully-qualified domain name and must be in the second position.
- aliases are optional and follow the address and hostname entries.
For example:
192.169.147.135 ginger.acme.com ginger
Service (SRV) record queries cannot be satisfied from the /etc/hosts file.
If resolution by /etc/hosts is unsuccessful, the DNS subsystem attempts to select a DNS server that can be used to resolve the host name or IP address (as described in the next section, Selecting a DNS server).
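The following Python is an added illustration, not the agent's own code: it parses /etc/hosts entries in the format described above and answers forward (A), reverse (PTR) and SRV queries the way the text says the subsystem does, returning None whenever the file cannot satisfy the query and the caller must go on to a DNS server. The sample file content is constructed (only the ginger.acme.com line is the page's example). Lines whose first field is not an IPv4 address are skipped because the documented format requires IPv4 in the first position; whether the real agent also honours IPv6 hosts entries is not stated on the page.

```python
import ipaddress

# Constructed sample /etc/hosts content. Only the ginger.acme.com line is the
# page's example; the rest is made up to exercise edge cases.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.169.147.135 ginger.acme.com ginger
10.0.0.12       dc1.acme.com dc1      # trailing comments are ignored
::1             ip6-localhost         # IPv6: not the documented format, skipped
bad-entry                             # too few fields, skipped
"""

def parse_hosts(text):
    """Parse /etc/hosts text into (by_name, by_addr) lookup tables.

    Accepts only the documented layout: an IPv4 address first, the FQDN
    second, optional aliases after that. Other lines are ignored."""
    by_name, by_addr = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.IPv4Address(fields[0]))
        except ipaddress.AddressValueError:
            continue                                 # not IPv4 in the first position
        for name in fields[1:]:
            by_name.setdefault(name.lower(), addr)   # first entry for a name wins
        by_addr.setdefault(addr, fields[1])          # reverse lookup returns the FQDN
    return by_name, by_addr

def lookup(qtype, query, by_name, by_addr):
    """Answer an A (name -> address) or PTR (address -> name) query from the
    parsed tables. Returns None when /etc/hosts cannot satisfy the query and
    the caller must fall through to a DNS server; SRV queries always do."""
    if qtype == "SRV":
        return None
    if qtype == "A":
        return by_name.get(query.rstrip(".").lower())
    if qtype == "PTR":
        try:
            return by_addr.get(str(ipaddress.IPv4Address(query)))
        except ipaddress.AddressValueError:
            return None
    raise ValueError(f"unsupported query type: {qtype}")

if __name__ == "__main__":
    names, addrs = parse_hosts(SAMPLE_HOSTS)
    for q in [("A", "ginger"), ("PTR", "10.0.0.12"), ("SRV", "_ldap._tcp.acme.com")]:
        print(q, "->", lookup(*q, names, addrs))
```

Name matching is case-insensitive and tolerates a trailing dot, as DNS does; the SRV branch is the point of the example, since a domain-controller discovery query such as _ldap._tcp.acme.com can never be served from /etc/hosts no matter what the file contains.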
Selecting a DNS Server
If it cannot resolve a host name or IP address from an entry in the /etc/hosts file (as described in Resolving a host name or IP address), the Delinea DNS subsystem attempts to find a DNS server to resolve the request, as follows:
- It checks for a working DNS server that has already been selected (cached in memory and stored in /var/centrify/kset.dns.server) and, if one is available, uses it.
- If no working DNS server has been selected, it reads the DNS servers configured in /etc/resolv.conf and, if any are listed, probes them and selects the fastest one.
If no working DNS server is found, the request fails.
At this point DNS is considered down, and the Delinea DNS subsystem waits for the interval specified by dns.dead.resweep.interval (60 seconds by default) before attempting again to find a DNS server.
Specifying DNS-Related Parameters
Parameters in the Delinea configuration file control many aspects of Delinea DNS subsystem operation. Although you can set any of these parameters, the default settings should provide you with optimal DNS operation. See the Configuration and Tuning Reference Guide for details about any of these parameters.
The DNS subsystem periodically checks in the background to see if a DNS server that is faster than the currently selected one is available. The dns.alive.resweep.interval parameter determines how often this background check occurs; the default value is one hour (3600 seconds).
When a DNS server is selected, its address is stored in the kset.dns.server file, and it is used for all DNS requests until one of the following occurs:
- The selected server stops responding.
- A new server sweep discovers a faster DNS server and replaces it.
- The adclient process is stopped and restarted, which triggers a sweep for a new DNS server.
- The selected server is no longer in the list of servers in /etc/resolv.conf.
For the sweep, the dns.sweep.pattern parameter determines the probe pattern that is used to find a live DNS server; that is, it sets the protocol to use (TCP or UDP) and the amount of time to wait for a response. By default, this parameter specifies both a TCP and UDP probe.
The dns.timeout and dns.udp.retries parameters determine how long to wait for a response and how many times to re-send a request when the current server does not respond. If the current server does not respond within the timeout period, it is considered down and Delinea looks for a different server. If no live server can be found, DNS is considered down, and the Server Suite Agent for *NIX waits for the period set by dns.dead.resweep.interval (60 seconds by default) before performing a sweep to find a new server.
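To make the server-selection procedure in Selecting a DNS Server and the timeout and dead-resweep behaviour described above concrete, here is an added Python illustration. It is not Delinea's code and is deliberately simplified: it probes over UDP only (the default dns.sweep.pattern covers TCP and UDP), it treats kset.dns.server as holding a bare address (the page does not give the file's format), and it does not implement the hourly faster-server background sweep or per-request UDP retries. The resolv.conf content and round-trip times are constructed. simulate() walks through one scenario: fastest-server selection, fallback when the selected server dies, the dead-DNS back-off, and recovery once dns.dead.resweep.interval has elapsed.

```python
import socket
import struct
import tempfile
import time
from pathlib import Path

# Constructed /etc/resolv.conf content (sample input, not from the page).
SAMPLE_RESOLV_CONF = """\
search acme.com
nameserver 10.0.0.53
nameserver 10.0.0.54
options timeout:2
"""

def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def udp_probe(server, timeout):
    """Send a minimal DNS query (root NS, RD bit set) over UDP; return the RTT in
    seconds, or None on no answer. Network-bound; everything below accepts any
    probe(server, timeout) function so it can be exercised offline."""
    query = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x00" + struct.pack(">HH", 2, 1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
        return time.monotonic() - start if data[:2] == query[:2] else None
    except OSError:
        return None
    finally:
        sock.close()

def select_server(nameservers, probe, timeout=2.0):
    """Probe every configured server; return the fastest live one, or None."""
    best, best_rtt = None, None
    for server in nameservers:
        rtt = probe(server, timeout)
        if rtt is not None and (best_rtt is None or rtt < best_rtt):
            best, best_rtt = server, rtt
    return best

class DnsServerState:
    """Selected-server bookkeeping following the steps in the text. cache_path plays
    the role of /var/centrify/kset.dns.server (assumed here to hold a bare address)."""

    def __init__(self, resolv_text, probe, cache_path,
                 dead_resweep_interval=60, timeout=2.0, clock=time.monotonic):
        self.nameservers = parse_nameservers(resolv_text)
        self.probe, self.timeout, self.clock = probe, timeout, clock
        self.cache_path, self.dead_resweep_interval = Path(cache_path), dead_resweep_interval
        self.dead_since = None   # set while DNS is considered down

    def current(self):
        """Return a working server address, or None while DNS is down."""
        # 1. Reuse the cached server if it is still in resolv.conf and still answers.
        if self.cache_path.exists():
            cached = self.cache_path.read_text().strip()
            if cached in self.nameservers and self.probe(cached, self.timeout) is not None:
                return cached
        # Dead state: no new sweep until dns.dead.resweep.interval has elapsed.
        if (self.dead_since is not None
                and self.clock() - self.dead_since < self.dead_resweep_interval):
            return None
        # 2. Sweep the resolv.conf list and keep the fastest live server.
        best = select_server(self.nameservers, self.probe, self.timeout)
        if best is None:
            self.dead_since = self.clock()
            return None
        self.dead_since = None
        self.cache_path.write_text(best + "\n")
        return best

def simulate():
    """Offline walk-through with a fake probe table and clock; returns the choice at each step."""
    rtts = {"10.0.0.53": 0.020, "10.0.0.54": 0.005}   # constructed RTTs in seconds
    now = [1000.0]
    cache = Path(tempfile.mkdtemp()) / "kset.dns.server"
    state = DnsServerState(SAMPLE_RESOLV_CONF, lambda s, t: rtts.get(s),
                           cache, clock=lambda: now[0])
    steps = [state.current()]          # fresh start: fastest server wins
    del rtts["10.0.0.54"]              # the selected server stops responding
    steps.append(state.current())      # sweep falls back to the other server
    del rtts["10.0.0.53"]              # now every server is dead
    steps.append(state.current())      # DNS considered down
    now[0] += 30                       # still inside the 60 s dead interval
    steps.append(state.current())      # no sweep yet
    now[0] += 40                       # interval elapsed...
    rtts["10.0.0.54"] = 0.005          # ...and a server is back
    steps.append(state.current())      # resweep finds it
    return steps
```

Calling simulate() returns ['10.0.0.54', '10.0.0.53', None, None, '10.0.0.54']: the faster server is chosen first, the slower one takes over when it dies, requests fail while both are down, no sweep happens 30 seconds into the dead interval, and the returning server is picked up on the first sweep after the interval. To probe real servers, pass udp_probe instead of the lambda; the fake probe ignores its timeout argument.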