Configuring Private DNS

Introduction

Addressing ENF endpoints by IPv6 addresses can become tedious and error-prone as the network grows. Even with a handful of machines, using, memorizing, and entering sequences of numbers can be confusing. To minimize the necessity to use IPv6 addresses, the ENF provides a DNS (Domain Name Server) feature. It is much easier to remember punchpress1.scranton.prod than 2607:8f80:8080:b:bd32:eeb9:2085:b8cb.

The three main concepts to manage when dealing with the ENF DNS are as follows:

  • Zones - zones are the domain names that divide the domain namespace into distinctly administered areas. For example, example.com or internal.scranton.prod. The ENF DNS system is private to your account, so there are no restrictions on the zones you can use.
  • Records - each zone contains resource records that map domain names to values. For example, an AAAA record for punchpress1 in the internal.scranton.prod zone associates the hostname punchpress.internal.scranton.prod to its IPv6 address.
  • Servers - a DNS server is provisioned on a network to allow endpoints to look up records in any zones that have been associated with the network. The endpoints must be configured to use this server for DNS resolution.

DNS Zones

The first step in provisioning DNS services for your network is to define a DNS zone. The domain name of a zone sets the suffix shared by all DNS records in that zone. For example, in a zone named “foo.bar” we might have records “one.foo.bar” and “two.foo.bar” and “client.foo.bar” and “server.foo.bar”, etc.

The name of your zone can be anything you like, because it’s private to your network. For this example, we’ll use the name scranton.prod.

Privileged vs. Non-Privileged Zones

A DOMAIN_ADMIN user can create a privileged DNS Zone that can have multiple networks associated with it. A NETWORK_ADMIN user can use a privileged zone, but cannot modify it – only a DOMAIN_ADMIN can create, modify, or delete a privileged zone.

A non-privileged DNS Zone only has a single network associated with it and may be created by either a NETWORK_ADMIN or a DOMAIN_ADMIN.

Example use-case for a privileged DNS Zone:

The Acme Widget company has IIoT devices at three different location: Rockford, Cleveland, and Paducah. The IT department created a separate network for each factory floor but wants a unified set of names for all of the factory machines. To accomplish this, IT creates a privileged DNS Zone and adds each of the three networks to it.

Creating a Privileged DNS Zone

All commands must be issued by a DOMAIN_ADMIN account.

  1. Create a new zone
    > dns create-zone --zone-domain-name=factory.prod --description=Factory Floor Machines
    Created DNS zone factory.prod!
    +--------------------------------------+--------------+------------------------+------------+---------------------+
    | Id                                   | Zone         | Description            | Privileged | Enf Domain          |
    +--------------------------------------+--------------+------------------------+------------+---------------------+
    | a36de128-74ca-4673-bd29-e9db509f4368 | factory.prod | Factory Floor Machines | true       | 2607:8f80:8080::/48 |
    +--------------------------------------+--------------+------------------------+------------+---------------------+
    1 rows in set
    
  2. Attach one or more networks to the DNS Zone.
    Separate /64 networks with a comma.
    dns add-networks-to-zone --networks=2607:8f80:8080:b::/64,2607:8f80:8080:c::/64 --zone-id=a36de128-74ca-4673-bd29-e9db509f4368
    Added the following networks to zone with id: a36de128-74ca-4673-bd29-e9db509f4368
    +----+-----------------------+
    | Id | Network               |
    +----+-----------------------+
    | 73 | 2607:8f80:8080:c::/64 |
    | 74 | 2607:8f80:8080:b::/64 |
    +----+-----------------------+
    2 rows in set
    

Removing Networks from a DNS Zone

The command for removing networks from a zone is analogous to adding them:

> dns delete-networks-from-zone --networks=2607:8f80:8080:b::/64,2607:8f80:8080:c::/64 --zone-id=a36de128-74ca-4673-bd29-e9db509f4368
Deleted networks from DNS zone!

Creating a non-privileged DNS Zone

To create a non-privileged DNS Zone as a DOMAIN_ADMIN, specify the --enf-network option. Adding this option attaches the specified network to the zone in the same step.

> dns create-zone --zone-domain-name=scranton.prod --enf-network=2607:8f80:8080:b::/64 --description=Scranton Factory Floor

Created DNS zone scranton.prod!
+--------------------------------------+---------------+------------------------+------------+---------------------+
| Id                                   | Zone          | Description            | Privileged | Enf Domain          |
+--------------------------------------+---------------+------------------------+------------+---------------------+
| f45aca46-9c03-49f0-bdb9-81bdfdf778c8 | scranton.prod | Scranton Factory Floor | false      | 2607:8f80:8080::/48 |
+--------------------------------------+---------------+------------------------+------------+---------------------+
1 rows in set

Updating a DNS Zone

Only the description field of a DNS Zone may be updated.

> dns update-zone --zone-id=f45aca46-9c03-49f0-bdb9-81bdfdf778c8 --description=Scranton Warehouse
+--------------------------------------+---------------+--------------------+------------+---------------------+
| Id                                   | Zone          | Description        | Privileged | Enf Domain          |
+--------------------------------------+---------------+--------------------+------------+---------------------+
| f45aca46-9c03-49f0-bdb9-81bdfdf778c8 | scranton.prod | Scranton Warehouse | false      | 2607:8f80:8080::/48 |
+--------------------------------------+---------------+--------------------+------------+---------------------+
1 rows in set

Deleting a DNS Zone

When a zone is no longer needed, it should be deleted. If a field besides the description needs to be updated for a DNS Zone, it must be deleted and created from scratch.

> dns delete-zone --zone-id=f45aca46-9c03-49f0-bdb9-81bdfdf778c8
Deleted DNS Zone with id: f45aca46-9c03-49f0-bdb9-81bdfdf778c8

DNS Records

Once a DNS Zone is created, we can add DNS records that allow us to access an endpoint by name instead of by an IPv6 address. Names are much easier to remember and, therefore, much less error-prone.

Create a DNS Record in a Zone

For this example, we are using the DNS Zone, scranton.prod and machine name, server1.

> dns create-record --zone-id=f45aca46-9c03-49f0-bdb9-81bdfdf778c8 --name=server1 --type=AAAA --ttl=30 --value=2607:8f80:8080:b:bd32:eeb9:2085:b8cb

Created new DNS record!
+--------------------------------------+-----------------------+------+--------------------------------------+-----+
| Id                                   | Name                  | Type | Value                                | TTL |
+--------------------------------------+-----------------------+------+--------------------------------------+-----+
| 7cd23179-c2e4-4fb9-8024-8393b10f3125 | server1.scranton.prod | AAAA | 2607:8f80:8080:b:bd32:eeb9:2085:b8cb | 30  |
+--------------------------------------+-----------------------+------+--------------------------------------+-----+
1 rows in set

The --type option is the type of DNS record to create. The types are similar to DNS record-types on the public internet, but only some are supported. The supported record types are:

Type Description
AAAA This maps a host name to an IPv6 address
CNAME Is an alias from one name to another.
TXT Text record - usually some machine-readable data. See RFC-1464
SRV Server Locator Record
SOA Start of Authority record - authoritative info about a DNS Zone.
NS Name Server record - delegates a zone to use the provided name server

The --ttl option, or time to live determines how long a machine should cache a DNS result. The higher the value, the less load on the DNS Server, but the longer it will take a machine to realize that a record was updated.

The DNS entry is not yet ready to use – there is no server to respond to requests.

Delete a DNS Record

DNS Records cannot be modified – they must be deleted and recreated. If a server is no longer used, the DNS record should be deleted when the server is decommissioned.

> dns delete-record --id=7cd23179-c2e4-4fb9-8024-8393b10f3125
Deleted DNS record!

DNS Server

In the previous two steps, we’ve created a DNS Zone and added a DNS record. The DNS is not yet ready to use because we don’t have a server to respond to a DNS query.

Provision the DNS Server

> dns provision-server --network=2607:8f80:8080:b::/64 --description=Scranton DNS

+--------------------------------------+--------------------------------------+-----------------------+--------------+
| Id                                   | IPv6                                 | Network               | Description  |
+--------------------------------------+--------------------------------------+-----------------------+--------------+
| 1f716f4d-d0b6-4d8d-ae05-3a46bb55ae73 | 2607:8f80:8080:b:82b1:406e:2aac:fb29 | 2607:8f80:8080:b::/64 | Scranton DNS |
+--------------------------------------+--------------------------------------+-----------------------+--------------+
1 rows in set

The endpoints that are now going to use the DNS must be configured to use 2607:8f80:8080:b:82b1:406e:2aac:fb29 as the DNS server.

It is possible to configure a DNS Server’s address by adding the --ipv6 option. This could be used to have a consistent DNS Server address on every network.

> dns provision-server --network=2607:8f80:8080:e::/64 --description=Rockford DNS --ipv6=2607:8f80:8080:e::aaaa
+--------------------------------------+------------------------+-----------------------+--------------+
| Id                                   | IPv6                   | Network               | Description  |
+--------------------------------------+------------------------+-----------------------+--------------+
| f1938b7e-2dc8-42da-93ab-a0b69f0413e7 | 2607:8f80:8080:e::aaaa | 2607:8f80:8080:e::/64 | Rockford DNS |
+--------------------------------------+------------------------+-----------------------+--------------+
1 rows in set

Note that the network must already been associated with at least one DNS zone.

Delete the DNS Server

When deleting a server, both the network and DNS Server’s IPv6 address must be specified.

> dns delete-server --ipv6=2607:8f80:8080:e::aaaa --network=2607:8f80:8080:e::/64
Delete DNS server with ipv6 2607:8f80:8080:e::aaaa in 2607:8f80:8080:e::/64!

Didn't find what you were looking for?

Contact us and we’ll get back to you as soon as possible.

Contact Us