
WSAM DNS resolution with multiple dns suffix seems wrong

Occasional Contributor

Hello, I am struggling with JTAC to make them consider this as a bug, with no success (I may be wrong and I would like your opinion on this).

I configured the IVE network settings, entering my DNS server IP and a list of internal DNS domains (for example test.lan, sec.test.lan, trd.test.lan).

I configured some WSAM destination resources using only the shortnames of the resources.

When the client starts WSAM I can see the configuration is correctly updated.

When we try to ping my resources (I know that ping will not work but I use it to check the DNS resolution), here are the results I have:

When pinging the shortname of a resource (e.g. myhost) that has an A entry in the 1st domain of the suffix list, resolution is OK and done by WSAM.

When pinging the fqdn of a resource (e.g. myhost.test.lan) that has an A entry in the 1st domain of the suffix list, the resolution is OK and done by WSAM.

When pinging the shortname of a resource that has an A entry in another domain of the suffix list (any domain after the first in the list), resolution is OK and done by WSAM.

When pinging the fqdn of a resource that has an A entry in another domain of the suffix list (any domain after the first in the list), resolution is NOK because WSAM tries to resolve the fqdn adding the suffix extensions configured in my NIC interface and never tries to resolve just the fqdn.

The solution we have found is to declare resources using their IP addresses instead of their shortnames (with the IP based matching option ON) and it works for all the DNS resolution.

Another solution is to declare many resources for a single destination using all possible hostnames and fqdns, but this is not convenient when you have to manage lots of domains.

JTAC does not consider this as a bug; they say that WSAM will first check the ACL and will try to resolve the hostname only if there is an ACL entry. Although this is not the behavior we are facing, they still do not want to escalate this case.

I appreciate any help on this.

Nicolas.

11 REPLIES

Frequent Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

I think a good test here would be to go under troubleshooting->tools->commands, then try the nslookup command from the IVE itself to see whether it is able to resolve the shortname based on your configuration. If it can, I would be inclined to agree that something isn't right with WSAM.

Having said that, from what I remember of dns suffixes, I believe they should be comma separated; a space between them could be used, but isn't required from what I have seen. Have you tried pasting your dns suffixes into something like notepad, to make sure there are no extra characters or spaces between them, then pasting back under your network settings?

Also, from the description, I am not sure whether your appliance is standalone or in a cluster. If in a cluster, I would look at the network settings for both appliances to make sure they have the same set of dns suffixes.

Hope this helps.



Frequent Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

I may be missing something, but are you completely sure about this? From what I have seen in some of my IVE deployments,  WSAM leverages IVE configured DNS settings, including the contents of the DNS domain suffixes field. With some of our web developers simply refusing to use fully qualified domain names, I've been having to resort to adding there various domain suffixes  (on the IVE) to make their apps accessible.






@zanyterp wrote:

this is correct.

WSAM does not do anything with the domains listed in the network list of domains.

the client OS handles what suffixes to add.

if you need to use shortname, you need to allow IPs; otherwise, you need to define all forms of the names.

what you are listing is the behavior that should occur.





Respected Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

By default it does nothing, yes.
If you enable the option to do DNS lookup only for defined DNS servers, yes, it utilizes those; but the IVE does not control adding the suffixes to requests.

Respected Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

this is correct.

WSAM does not do anything with the domains listed in the network list of domains.

the client OS handles what suffixes to add.

if you need to use shortname, you need to allow IPs; otherwise, you need to define all forms of the names.

what you are listing is the behavior that should occur.

Respected Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

can you provide further information, either here or in the case, on what you feel may be a bug? from here and the case notes, I am not seeing anything that could be considered an issue.

i am sorry to hear that you are disappointed with how the case was handled within JTAC.

Valued Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

Hello Nicolas,

I've found your case and it looks like it has been escalated to one of my colleagues.  He should be getting back to you shortly.  I will try and provide further assistance through the case.

Occasional Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

Hello

You say "WSAM does not do anything with the domains listed in the network list of domains" but it is not the behavior I am seeing.
 I can see WSAM trying to add the dns suffix from the list I configured in the IVE network settings.

Occasional Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

Hello Kita,

I had a phone call with one of your colleagues, from Advanced JTAC I think; he just told me that declaring the resources using their shortname is not the good solution because in some cases the DNS resolution will work and in other cases it won't.

Seems to me that Juniper do not want to confirm this as a bug even if I am right.

I am just waiting for JTAC to state clearly in my case that the only solution is to declare the resources using their IP address and that the shortname declaration is not fully supported, but I am pretty disappointed with the way JTAC handled this issue.

Occasional Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

I should have said that I already tried the nslookup resolution for shortname and fqdn from the IVE and of course the IVE was able to resolve the shortnames as well as the fqdn.

The dns suffix list is comma separated with a space. I am sure the list is correctly set.

My appliance is standalone.