During our instructor-led BlueCat Customer training courses, there’s a great deal of interaction between the students and our trainers. In fact, much of the value in our courses comes from this engagement. As you can imagine, students ask a number of questions. We thought it would be useful to give you a sample of some of the questions and answers we’ve come across during class.
1. Configuring Scheduled Deployments
Q: From Address Manager, you can configure DNS and DHCP to be deployed on a scheduled basis. If you’ve configured scheduled deployments and no changes have been made to DNS or DHCP since the last deployment, will the scheduled deployment take place, or will it be skipped?
A: The deployment goes ahead as scheduled but since there are no changes, essentially an empty file is deployed. Note: An exception to this behavior is when you select the Force DNS full deployment checkbox. In this case, the full DNS configuration will be deployed to the DNS server.
2. Configuring Start of Authority
Q: If you configure the Start of Authority (SOA) option at the DNS View level, is it possible to retrieve the serial number at any of the child zone levels from the UI?
A: You can retrieve a zone’s Start of Authority serial number directly from the BlueCat DNS server and display it in Address Manager however, because SOA serial numbers are specific to a zone, you must configure the SOA record (as a deployment option) at the zone level. After deploying DNS to the DNS server, navigate to the zone’s SOA deployment option and click the Retrieve button to view the serial number.
TIP: consider creating a zone template and populating it with the SOA deployment option. Any template-linked zones will have the SOA automatically applied at the zone level and you will be able to use the Retrieve function at any zone.
3. Resource Records
Q: Is there was a way to see a list of all of the resource records that are linked to a host record. For example, if you have three CNAME records linked to “host1.example.com”, is there a way to quickly find those three CNAMEs?
A: BlueCat has a unique approach to managing the relationship between host (A and AAAA) resource records and associated CNAME, SRV and MX records. When you create a CNAME, SRV, or MX record in Address Manager, you must link it to either an existing host or external host record. Then, if you need to delete the host record, the system informs you that the dependent records will also be deleted. By doing it this way, BlueCat helps to prevent any “orphaned CNAME, SRV, or MX records. You can view a list of dependent records, from the host record’s Details tab.
4. Assigning Access Rights
Q: I would like to assign access to rights to certain Address Manager objects such as a DNS zone or an IP network. Is it necessary to assign the view permission at the top level (configuration) in order to assign access to lower-level objects?
A: No, you can assign access rights to lower level objects without needing to assign access rights to a higher-level object. For example, you could assign Full Access permissions to a DNS zone or an IP network. The access/manage the zone or network, the user could use the search functions to navigate directly to the lower level objects. This being said, it’s common to grant read permission to the configuration.
5. Monitoring BlueCat DNS and DHCP servers via SNMP
Q: What is necessary to allow Address Manager to monitor BlueCat DNS and DHCP servers via SNMP? Is it just port numbers? Are there any logs to find out why it’s not being reached?
A: Address Manager monitors BlueCat DNS/DHCP server statistics including CPU load, memory usage, interface statistics as well as application-specific data i.e. DNS queries per second and DHCP leases per second. The configuration steps necessary to monitor DNS/DHCP servers via SNMP are as follows:
- Enable and configure the DNS/DHCP server’s SNMP Service.
- Enable the Adonis Monitoring Service from the Administration page.
- Define the Monitor Settings at either the configuration or server level.
As part of the preparation, ensure that the necessary SNMP ports are allowed on any firewalls and that the correct authentication information has been provided (i.e. community strings for SNMP versions 1 and 2c or username and passphrase information for version 3). To keep you informed of any issues, the system generates an event if the server cannot be contacted via SNMP. You can also create a Notification Group from the Administration page to send email messages or SNMP traps to system administrators.
6. Network Templates
Q: Can you apply more than one network template to the same network?
A: No, you can only apply a single Network Template to a network. You can however, create templates for different purposes (DHCP networks, backbone networks etc.) and then assign each template to the appropriate network.
7. Classless Reverse Space
Q: How does BlueCat handle classless reverse space?
A: DNS reverse zones aren’t displayed in the user interface in the traditional sense. Instead, reverse space is configured through DNS deployment roles at the appropriate IP block or network levels. During deployment, the proper reverse zones are created on the DNS server, based on the roles. Once configured, a PTR resource record is created for every host record in the system, assuming the aforementioned roles exist.
Address Manager also automatically manages classless IN-ADDR.APRA delegation. For example, if you needed to delegate the reverse space for networks smaller than 24-bits, you would perform the following steps in Address Manager:
- Create a DNS Server object representing the server hosting the delegated zone.
- Create the parent IP block representing the parent DNS zone and assign Primary and Secondary deployment roles to the BlueCat DNS server.
- Create the IP block or network (smaller than 24-bits) representing the delegated reverse space and assign the appropriate Primary and Secondary deployment roles to the server hosting the delegated zone.
On deployment, delegation records are added to the parent reverse zone and the necessary CNAME records are added to the zone, one for each delegated PTR record.
8. Changing the Logging Level
Q: How do you change the logging level on a BlueCat server to logs successful and denied queries?
A: The BIND Query logging function is used to log successful and unsuccessful DNS queries. Query logging is enabled from the BlueCat DNS server Administration Console (CLI) interface.
NSA and CISA: Protective DNS key to network defense
U.S. cyber agencies now point to protective DNS as a defense strategy, confirming what BlueCat already knew: DNS is critical to detecting network threats.
BlueCat Integrity 9.3: Deliver DNS like a boss
With the BlueCat Integrity 9.3 release, network admins can get more audit data, manage complexity, and ramp up automation, without compromising performance.
Yes, you can optimize DNS routing for global SaaS use
Routing DNS for SaaS can lead to latency, non-local results, and messy internet breakouts. With BlueCat, optimize SaaS delivery and gain full DNS control.
Yes, you can tame hybrid cloud DNS traffic jams
Admins often use messy conditional forwarding DNS rules to fill hybrid cloud gaps. With BlueCat, automate and gain control over your data pathways.