
Cisco Umbrella VA local DNS settings

Ge Qu
Level 1

Hi,

We have recently been experiencing DNS issues when we try to upgrade our domain controllers.

What we do is demote the old DC and then promote the new DC with the same IP but a different/updated server name.

Last week, when we did this on the first server, we had DNS issues which we did not expect. We have 2 VAs with one connector on each site, and the 2 domain controllers on each site are connected to the connector and the VA. Therefore, if one DC is down, the other one should still work, as both of them have internal DNS running. On each VA, there are 2 local DNSs configured, each hosted on one of the DCs.

When I was troubleshooting and looking at the 2 local DNSs configured on the VA, I was wondering: when the VA needs to forward local DNS queries to local DNS, how does the VA pick which one to use? Randomly, round robin, or send to the active one?

When I looked at the VA console information, the 2 local DNSs are listed one after another. Is there a priority between the 2 local DNSs for the VA to use?

I could not find this info online, so I decided to ask here. I hope this will help us understand why Umbrella was not working properly when we just brought down one DC/DNS.

Thank you.

1 Reply

When you were verifying the configured local DNS servers, using the "config localdns show" command on the Umbrella VAs, did both AD servers show up in both the "local dns servers" section and the "all-internal-domains" section?

You should also be able to verify, when SSH-ed into the Umbrella VAs, that each VA can make DNS queries to both domain controllers, using the "nslookup <somehostname> <ipaddressofDC>" command.
It would be worthwhile to test this to verify that the Umbrella VAs aren't experiencing any issues when resolving to one of the DCs.

As for how the VA selects the DNS server, there is an article on the support site for Umbrella that explains this:
https://support.umbrella.com/hc/en-us/articles/115006628267-How-the-VA-communicates-with-Umbrella-and-local-DNS

In short, each VA should be using all configured DNS servers, preferring the one that responds the fastest (based on round-trip-time/RTT), and then caching the RTT values for 15 minutes.
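
The manual nslookup check from the reply can be repeated against every configured local DNS server in one pass, for example from an admin host on the same network before and after a DC is demoted. The script below is an added example, not part of the original posts and not Cisco code; the addresses and hostname are constructed placeholders, and sorting by RTT only mirrors the preference described above rather than reproducing the VA's own selection logic.

```python
import secrets
import socket
import struct
import time

def build_query(name, qtype=1):
    """Return (txid, packet) for a recursive DNS query; qtype 1 is an A record."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def probe(server, name, port=53, timeout=2.0):
    """Send one UDP query to server and report status, RCODE and round-trip time."""
    txid, packet = build_query(name)
    result = {"server": server, "status": "no-response", "rcode": None, "rtt_ms": None}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(packet, (server, port))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout, unreachable network, or closed port
            return result
        rtt_ms = (time.monotonic() - start) * 1000
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return result  # short or mismatched reply: do not trust it
    rcode = struct.unpack("!H", data[2:4])[0] & 0x000F
    # RCODE 0 is NOERROR; 2 (SERVFAIL) or 5 (REFUSED) mean the server is
    # reachable but not answering for the zone, e.g. a DC in mid-demotion.
    result.update(status="ok" if rcode == 0 else "error",
                  rcode=rcode, rtt_ms=round(rtt_ms, 2))
    return result

def check_servers(servers, name, port=53, timeout=2.0):
    """Probe every server; healthy and fastest first, unresponsive last."""
    results = [probe(s, name, port, timeout) for s in servers]
    order = {"ok": 0, "error": 1, "no-response": 2}
    return sorted(results, key=lambda r: (order[r["status"]], r["rtt_ms"] or 0))

if __name__ == "__main__":
    # Constructed placeholders: substitute the two DC addresses and an internal hostname.
    for r in check_servers(["192.0.2.10", "192.0.2.11"], "host.corp.example"):
        print(r)
```

A server that shows "no-response" or a non-zero RCODE here is one the VA would also fail to resolve against.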