
Configuring Split DNS

When an application-aware routing policy allows a vEdge router to send application traffic to and receive application traffic from a service VPN, the router performs a Domain Name System (DNS) lookup to determine how to reach a server for the application. If the router does not have a connection to the internet, it sends DNS queries to a router that has such a connection, and that router determines how to reach a server for that application. In a network in which the internet-connected router is in a geographically distant data center, the resolved DNS address might point to a server that is also geographically distant from the site where the service VPN is located.

Because you can configure a vEdge router to be an internet exit point, it is possible for any router to reach the internet directly to perform DNS lookups. To do this, you create a policy that configures split DNS and that defines, on an application-by-application basis, how to perform DNS lookups.

You configure split DNS with either a centralized data policy or, if you want to apply SLA criteria to the data traffic, an application-aware routing policy. You create these policies on a vSmart controller, and they are pushed to the vEdge routers.

CLI Configuration Procedure

Configure Split DNS with a Centralized Data Policy

The following high-level steps show the minimum policy components required to enable split DNS with a centralized data policy:

  1. Create one or more lists of overlay network sites to which the centralized data policy is to be applied (in an apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
  2. Create lists of applications or application families for which you want to enable split DNS. You refer to these lists in the match section of the data policy.
    vSmart(config)# policy lists
    vSmart(config-lists)# app-list list-name
    vSmart(config-app-list)# (app application-name | app-family family-name)
  3. Create lists of VPNs to which the split DNS policy is to be applied (in a policy data-policy command):
    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists)# vpn vpn-id
  4. Create a data policy instance and associate it with a list of VPNs:
    vSmart(config)# policy data-policy policy-name
    vSmart(config-data-policy)# vpn-list list-name
  5. Create a series of match–action pair sequences:
    vSmart(config-vpn-list)# sequence number
    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. If no match occurs, the default action is taken (either rejecting the route or accepting it as is).
  6. Process the DNS server resolution for the applications or application families contained in an application list. In list-name, specify one of the names in a policy lists app-list command.
    vSmart(config-sequence)# match dns-app-list list-name
  7. Configure the match–action pair sequence to process DNS requests (for outbound data traffic) or responses (for inbound data traffic):
    vSmart(config-sequence)# match dns (request | response)
  8. Accept matching packets, optionally counting and logging them:
    vSmart(config-sequence)# action accept [count counter-name] [log]
  9. Enable local internet exit:
    vSmart(config-sequence)# action accept nat [pool number] [use-vpn 0]
  10. By default, the DNS servers configured in the VPN in which the policy is applied are used to process DNS lookups for the applications. You can direct DNS requests to a particular DNS server. For a data policy condition that applies to outbound traffic (from the service network), configure the IP address of the DNS server:
    vSmart(config-sequence)# action accept redirect-dns ip-address
    For a data policy condition that applies to inbound traffic (from the tunnel), include the following so that the DNS response can be correctly forwarded back to the service VPN:
    vSmart(config-sequence)# action accept redirect-dns host
  11. If a route does not match any of the conditions in one of the sequences, it is rejected by default. To accept nonmatching prefixes, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  12. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

Configure Split DNS with an Application-Aware Routing Policy

The following high-level steps show the minimum policy components required to enable split DNS with an application-aware routing policy:

  1. Create one or more lists of overlay network sites to which the application-aware routing policy is to be applied (in an apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
  2. Create SLA classes and traffic characteristics to apply to matching application data traffic:
    vSmart(config)# policy sla-class sla-class-name
    vSmart(config-sla-class)# jitter milliseconds
    vSmart(config-sla-class)# latency milliseconds

    vSmart(config-sla-class)# loss percentage
  3. Create lists of applications or application families to identify application traffic of interest in the match section of the data policy:
    vSmart(config)# policy lists
    vSmart(config-lists)# app-list list-name
    vSmart(config-app-list)# (app application-name | app-family family-name)
  4. Create lists of VPNs to which the split DNS policy is to be applied (in a policy data-policy command):
    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  5. If you are configuring a logging action, configure how often to log packets to syslog files:
    vEdge(config)# policy log-frequency number
  6. Create an application-aware routing policy instance and associate it with a list of VPNs:
    vSmart(config)# policy app-route-policy policy-name
    vSmart(config-data-policy-policy-name)# vpn-list list-name
  7. Create a series of match–action pair sequences:
    vSmart(config-vpn-list)# sequence number
    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. If no match occurs, the default action is taken (either rejecting the route or accepting it as is).
  8. Process the DNS server resolution for the applications or application families contained in an application list. In list-name, specify one of the names in a policy lists app-list command.
    vSmart(config-sequence-number)# match dns-app-list list-name
  9. Configure the match–action pair sequence to process DNS requests (for outbound data traffic) or responses (for inbound data traffic):
    vSmart(config-sequence-number)# match dns (request | response)
  10. Define the SLA action to take if a match occurs:
    vSmart(config-sequence)# action sla-class sla-class-name [strict]
    vSmart(config-sequence)# action sla-class sla-class-name [strict] preferred-color colors
    vSmart(config-sequence)# action backup-sla-preferred-color colors
  11. For matching packets, optionally count and log them:
    vSmart(config-sequence)# action count counter-name
    vSmart(config-sequence)# action log
  12. Enable local internet exit:
    vSmart(config-sequence-number)# action accept nat [pool number] [use-vpn 0]
  13. If a packet does not match any of the conditions in one of the sequences, a default action is taken. For application-aware routing policy, the default action is to accept nonmatching traffic and forward it with no consideration of SLA. You can configure the default action so that SLA parameters are applied to nonmatching packets:
    vSmart(config-policy-name)# default-action sla-class sla-class-name
  14. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name app-route-policy policy-name

Structural Components of Policy Configuration for Split DNS

Below are the structural components required to configure split DNS on a vSmart controller. The components related to configuring split DNS are explained in the sections below. For an explanation of the data policy and application-aware routing policy components that are not specifically related to split DNS, see Configuring Centralized Data Policy and Configuring Application-Aware Routing.

policy
  lists
    app-list list-name
      (app application-name | app-family application-family)
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn-id vpn-id
  data-policy policy-name
    vpn-list list-name
      sequence number
        match
          dns (request | response)
          dns-app-list list-name
        action accept
          count counter-name
          log
          nat use-vpn 0
          redirect-dns (ip-address | host)
      default-action
        (accept | drop)
apply-policy
  site-list list-name data-policy policy-name (all | from-service | from-tunnel)

policy
  lists
    app-list list-name
      (app application-name | app-family application-family)
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn-id vpn-id
  log-frequency number
  sla-class sla-class-name
    jitter milliseconds
    latency milliseconds
    loss percentage
  app-route-policy policy-name
    vpn-list list-name
      sequence number
        match
          dns (request | response)
          dns-app-list list-name
        action
          backup-sla-preferred-color colors
          count counter-name
          log
          nat use-vpn 0
          sla-class sla-class-name [strict] [preferred-color colors]
      default-action
        sla-class sla-class-name
apply-policy
  site-list list-name app-route-policy policy-name

Lists

A data policy or an application-aware routing policy for split DNS uses the following types of lists to group related items. You configure these lists under the policy lists command hierarchy on vSmart controllers.

List Type: Applications and application families
Description: List of one or more applications or application families running on the subnets connected to the vEdge router. Each app-list can contain either applications or application families, but you cannot mix the two. To configure multiple applications or application families in a single list, include multiple app or app-family options, specifying one application or application family in each app or app-family.
  application-name is the name of an application. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI.
  application-family is the name of an application family. It can be one of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.
Command:
  app-list list-name
    (app application-name | app-family application-family)

List Type: Sites
Description: List of one or more site identifiers in the overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).
Command:
  site-list list-name
    site-id site-id

List Type: VPNs
Description: List of one or more VPNs in the overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. You can specify a single VPN identifier (such as vpn-id 1) or a range of VPN identifiers (such as vpn-id 1-10).
Command:
  vpn-list list-name
    vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

When you create multiple iterations of a type of list (for example, when you create multiple VPN lists), you can include the same values or overlapping values in more than one of these lists. You can do this either on purpose, to meet the design needs of your network, or accidentally, which might occur when you use ranges to specify values. (You can use ranges to specify data prefixes, site identifiers, and VPNs.) Here are two examples of lists that are configured with ranges and that contain overlapping values:

  • vpn-list list-1 vpn 1-10
    vpn-list list-2 vpn 6-8
  • site-list list-1 site 1-10
    site-list list-2 site 5-15

When you configure data policies that contain lists with overlapping values, or when you apply data policies, you must ensure that the lists included in the policies, or included when applying the policies, do not contain overlapping values. To do this, you must manually audit your configurations. The Viptela configuration software performs no validation on the contents of lists, on the data policies themselves, or on how the policies are applied to ensure that there are no overlapping values.

If you configure or apply data policies that contain lists with overlapping values to the same site, one policy is applied and the others are ignored. Which policy is applied is a function of the internal behavior of Viptela software when it processes the configuration. This decision is not under user control, so the outcome is not predictable.
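The audit of overlapping lists that the text says you must perform by hand, as an added Python example (not Viptela's own tooling): it parses vpn-list and site-list blocks from constructed show running-config policy output, expands lo-hi ranges, and reports every pair of same-kind lists that share IDs. Site members are accepted with either spelling used on this page, site-id or site.

```python
import re
from itertools import combinations

# Constructed sample in "show running-config policy" style (not from the page);
# the vpn and site pairs are the overlapping ranges the text gives as examples.
SAMPLE_CONFIG = """\
policy
 lists
  vpn-list list-1
   vpn 1-10
  !
  vpn-list list-2
   vpn 6-8
  !
  site-list list-1
   site-id 1-10
  !
  site-list list-2
   site-id 5-15
  !
 !
!
"""

LIST_HEADER = re.compile(r"^\s*(vpn-list|site-list)\s+(\S+)\s*$")
# Accept both spellings of a site member: "site-id" (command) and "site" (page examples).
MEMBER = re.compile(r"^\s*(?:vpn|site-id|site)\s+(\d+)(?:-(\d+))?\s*$")


def parse_lists(config_text):
    """Map (list kind, list name) -> set of member IDs, with 'lo-hi' ranges expanded."""
    lists, current = {}, None
    for line in config_text.splitlines():
        header = LIST_HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2))
            lists.setdefault(current, set())
            continue
        member = MEMBER.match(line)
        if member and current:
            lo = int(member.group(1))
            hi = int(member.group(2) or lo)
            if hi < lo:
                raise ValueError(f"reversed range in {current}: {lo}-{hi}")
            lists[current] |= set(range(lo, hi + 1))
        elif line.strip() == "!":
            current = None  # "!" closes the current list block
    return lists


def find_overlaps(lists):
    """Return (kind, name_a, name_b, shared_ids) for every same-kind pair sharing IDs."""
    overlaps = []
    for (kind_a, name_a), (kind_b, name_b) in combinations(sorted(lists), 2):
        if kind_a != kind_b:
            continue  # a vpn-list never conflicts with a site-list
        shared = lists[(kind_a, name_a)] & lists[(kind_b, name_b)]
        if shared:
            overlaps.append((kind_a, name_a, name_b, sorted(shared)))
    return overlaps


if __name__ == "__main__":
    for kind, a, b, ids in find_overlaps(parse_lists(SAMPLE_CONFIG)):
        print(f"{kind}: {a} and {b} both contain {ids}")
```

Run it against the lists section of a real show running-config policy capture to find the overlaps before applying policies to the same site.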

VPN Lists

Each data or application-aware policy instance is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list or policy app-route-policy vpn-list command. The VPN list you specify must be one that you created with a policy lists vpn-list command.

Sequences

Within each VPN list, a data policy or an application-aware policy contains sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence or policy app-route-policy vpn-list sequence command.

Each sequence in a policy can contain one match command and one action command.

Match Parameters

For a data policy or an application-aware routing policy for split DNS, you must configure the following two match conditions. You configure the match parameters with the match command under the policy data-policy vpn-list sequence or policy app-route-policy vpn-list sequence command hierarchy on vSmart controllers.

Description: Enable split DNS, to resolve and process DNS requests and responses on an application-by-application basis
Command: dns-app-list list-name
Value or Range: Name of an app-list list. This list specifies the applications whose DNS requests are processed.

Description: Specify the direction in which to process DNS packets
Command: dns (request | response)
Value or Range: To process DNS requests sent by the applications (for outbound DNS queries), specify dns request. To process DNS responses returned from DNS servers to the applications, specify dns response.

Action Parameters

When data traffic matches the match parameters, the specified action is applied to it. You configure the action parameters with the action command under the policy data-policy vpn-list sequence or policy app-route-policy vpn-list sequence command hierarchy on vSmart controllers.

For application-aware routing policy, the action is to apply an SLA class, which defines the maximum packet latency or maximum packet loss, or both, for DNS traffic related to the application. For information about these action parameters, see Configuring Application-Aware Routing.

For a centralized data policy that enables split DNS, configure the following actions. You can configure other actions, as described in Configuring Centralized Data Policy.

Description: Direct data traffic to an Internet exit point on the local router
Command: nat use-vpn 0

Description: Count matching data packets. Counting packets is optional, but recommended.
Command: action count counter-name
Value or Range: Name of a counter.

Description: Redirect DNS requests to a particular DNS server. Redirecting requests is optional, but if you do so, you must specify both actions.
Command: redirect-dns host
         redirect-dns ip-address
Value or Range: For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN. For an outbound policy, specify the IP address of the DNS server.

Default Action

If a data packet being evaluated does not match any of the match conditions in a policy, a default action is applied. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.

Applying a Policy

For an application-aware route policy to take effect, you apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name app-route-policy policy-name

When you apply the policy, you do not specify a direction (either inbound or outbound). Application-aware routing policy affects only the outbound traffic on the vEdge routers.

For a centralized data policy to take effect, you apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

For split DNS to work, you apply a policy to DNS requests originated from a service VPN. If you are specifying the address of a DNS server for a particular application, the policy-name data policy must contain a redirect-dns ip-address action that applies to that application.

vSmart(config)# apply-policy site-list list-name data-policy policy-name from-service

You also apply a policy to DNS responses being returned from the internet. If you included a redirect-dns action in the outbound policy, the policy-name data policy must contain a redirect-dns host action that applies to the proper application.

vSmart(config)# apply-policy site-list list-name data-policy policy-name from-tunnel

You can apply the same policy to traffic coming from the service VPN and from the tunnel interface between the router and the internet. If the policy specifies use of a specific DNS server for a particular application, the policy must contain two sequences for that application, one with a redirect-dns ip-address action and the second with a redirect-dns host action.

vSmart(config)# apply-policy site-list list-name data-policy policy-name all

Example Configuration

The following example shows a data policy that enables split DNS for a number of applications and counts the DNS traffic:

vSmart# show running-config policy
policy
 data-policy split_dns
  vpn-list vpn_1
   sequence 1
    match
     dns-app-list facebook
     dns          request
    !
    action accept
     count facebook_app
    !
   !
   sequence 2
    match
     dns-app-list concur
     dns          request
    !
    action accept
     count concur-app
     nat use-vpn 0
     redirect-dns 75.0.0.1
    !
   !
   sequence 3
    match
     dns-app-list yahoo
    !
    action accept
     count yahoo-app
     nat use-vpn 0
     redirect-dns 75.0.0.1
    !
   !
   sequence 4
    match
     dns-app-list salesforce
    !
    action accept
     count salesforce
     nat use-vpn 0
     redirect-dns 75.0.0.1     
    !
   !
   sequence 5
    match
     dns-app-list twitter
     dns          request
    !
    action accept
     count twitter
     nat use-vpn 0
     redirect-dns 75.0.0.1     
    !
   !
   sequence 9
    match
     dns-app-list dns_list
     dns          request
    !
    action accept
     count dns_app_list_count
     nat use-vpn 0
     redirect-dns 75.0.0.1     
    !
   !
   sequence 10
    match
     app-list dns_list
    !
    action accept
     count dns_list_count
     nat use-vpn 0
     redirect-dns 75.0.0.1     
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn_1
   vpn 1
  !
  app-list concur
   app concur
  !
  app-list dns_list
   app dns
  !
  app-list facebook
   app facebook
  !
  app-list gmail
   app gmail
   app gmail_basic
   app gmail_chat
   app gmail_drive
   app gmail_mobile
  !
  app-list intuit
   app intuit
  !
  app-list salesforce
   app salesforce
  !
  app-list twitter
   app twitter
  !
  app-list yahoo
   app yahoo
  !
  app-list zendesk
   app zendesk
  !
  site-list vedge1
   site-id 500
  !
 !
!
vSmart# show running-config apply-policy
apply-policy
  site-list vedge1 data-policy split_dns all