DNS Automation: Internet breakout and SD-WAN domains
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.The article explains how BlueCat's intelligent DNS forwarding via BlueCat Edge and service points helps organizations steer application traffic across complex networks—clouds, data centers, branches, and SD-WAN—to maintain uptime and reduce costly MPLS backhauls. It describes operational challenges from constantly changing cloud service domains (for example, Office 365's many shifting domains) and how manual management is impractical. The piece presents Absorbaroo, an automation workflow that watches third-party domain notifications, updates whitelists, and pushes resolution data into SD-WAN controllers to keep trusted connections direct and current.
What operational problem does BlueCat's intelligent forwarding solve for organizations using cloud services and SD-WAN?
BlueCat’s intelligent forwarding addresses the difficulty of directing application and service traffic through heterogeneous environments—clouds, data centers, branches, and SD-WAN controllers—when there is no single central network directory. Without centralized, dynamic resolution, services that move or change IP addresses can break connectivity or force expensive backhauls over MPLS. By acting as the device-facing ‘first hop’ (BlueCat Edge) and using service points and routing rules, BlueCat lets administrators steer trusted traffic either to local internet breakouts or back to a home data center, maintaining consistent policy and reducing reliance on deep packet inspection and MPLS routing.
Why is automation necessary for maintaining direct connections to cloud services like Office 365?
Automation is necessary because cloud services rarely use static domains or IPs—the underlying addresses are updated, load balanced, and changed frequently, often with little or no notice. Manually tracking and updating hundreds of changing domains (Office 365 alone uses over 100 constantly shifting domains) would be time-consuming and error-prone, risking outages or incorrect SD-WAN routing. Automation ensures updates happen in real time or at administrator-defined intervals, keeping whitelists and resolution data current so SD-WAN controllers can continue to route trusted traffic directly to service providers without manual intervention.
How does Absorbaroo maintain trusted connections between BlueCat and SD-WAN controllers?
Absorbaroo is an automation workflow that continuously monitors third-party sites for domain change notifications at intervals set by the administrator. When a service posts updated domains, Absorbaroo automatically downloads the new domain list and pushes it through a whitelist into the SD-WAN system, updating resolution data for all client devices covered by the BlueCat service point. SD-WAN then references the mutually held whitelist to allow direct routing to the trusted service. The published example uses Office 365 and Cisco Meraki SD-WAN, but the framework can be adapted to other third-party services where internet traffic steering is required.
All the modular layers of today’s corporate networks – clouds, data centers, branch office connections, and SD-WAN controllers – have their role to play in delivering a functional network. Yet navigating applications and services through this jumble of environments can be extremely difficult.
When cloud applications, security services, and other network tools try to connect to the services they need, there usually isn’t a single central network directory which can take them to the right place. Since those services are constantly shifting locations, finding a way to keep connections current is critical to maintaining uptime.
Intelligent forwarding with DNS
BlueCat’s uniquely designed intelligent forwarding functions can cut through some of this complexity. BlueCat Edge acts as the device facing response layer or “first hop” connection. Network administrators can use BlueCat’s place on the network to optimize internet access to outside services, either through direct connections (an “internet breakout”) or by routing the query back to a home office data center.
This intelligent DNS functionality has a particularly compelling use case for organizations that want to steer service connections away from costly MPLS network backhauls through a local “internet breakout”. This offers a more elegant solution in comparison to the use of deep packet inspection in SD-WAN to direct internet connections.
Administrators can set up routing rules in BlueCat’s platform to resolve directly to trusted external services such as Office 365, Salesforce, or Dropbox. Rules are also available for internal services as well, routing queries either back to a central datacenter or to regional nodes. All of these routing controls coordinate with SD-WAN controllers to resolve trusted traffic directly to service providers.
BlueCat delivers consistent policy across internal and external access points. Using the power of service points, these policies can be deployed anywhere, including the Data Center, Campus, or Branch, to deliver sophisticated LAN side services that facilitate internet breakout.
Keeping track of trusted connections
There is one slight operational hitch which needs to be accounted for. The domains used by cloud services are rarely static. As the underlying IP addresses are updated, load balanced, and taken offline for maintenance, DNS must adjust so queries resolve and SDWAN routes correctly.
To avoid outages and maintain direct connections to trusted cloud services, BlueCat receives automatic updates as the underlying domains are changed. Doing this manually would be a significant headache. Office 365 alone uses over 100 constantly shifting domains. It would also require constant real-time vigilance, as service providers often switch up domains on the fly with little to no advance notice.
Automation to the rescue
Enter Absorbaroo, an automation workflow designed by BlueCat to maintain direct connections to trusted cloud services. Here’s how it works:
- Absorbaroo maintains a constant watch on third party sites for domain change notifications, checking at intervals defined by the network administrator.
- When services post a notification, Absorbaroo downloads the new domain list automatically
- The domain list is pushed through a whitelist into the SDWAN system, updating the resolution data for all of the client devices covered by that BlueCat service point.
- SDWAN sees the resolution on a mutually held white list and allows the connection to be routed directly out to the trusted service.
The example workflow posted on our BlueCat Labs GitHub repository uses Office 365 and Cisco Meraki SD-WAN controllers, but the framework can be adjusted for use with any third-party service where internet traffic needs to be managed.
Want to learn more about how BlueCat enables traffic steering? Check out our intelligent DNS video.
Published in:
BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.