-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configure a NetScaler VPX on KVM hypervisor to use Intel QAT for SSL acceleration in SR-IOV mode
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Configure DNS resource records
-
Configure NetScaler as a non-validating security aware stub-resolver
-
Jumbo frames support for DNS to handle responses of large sizes
-
Configure DNS logging
-
Caching of EDNS0 client subnet data when the NetScaler appliance is in proxy mode
-
Use case - configure the automatic DNSSEC key management feature
-
Use Case - configure the automatic DNSSEC key management on GSLB deployment
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
-
-
-
Authentication and authorization for System Users
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Configure DNS logging
You can configure the NetScaler appliance to log the DNS requests and responses that it handles. The appliance logs the DNS requests and responses in SYSLOG format. You can choose to log either DNS requests or DNS responses, or both, and send the syslog messages to a remote log server. The log messages can be used to:
- Audit the DNS responses to the client
- Audit DNS clients
- Detect and prevent DNS attacks
- Troubleshoot
A NetScaler appliance can log the following sections in the DNS request or response, based on your configuration:
- Header Section
- Questions Section
- Answer Section
- Authority Section
- Additional Section
DNS profiles
You can use a DNS profile to configure the various DNS parameters that you want the DNS endpoint to apply to the DNS traffic. In the profile, you can enable logging, caching, and negative caching.
Important: From the NetScaler 11.0 release, enabling DNS caching using global DNS parameters have been deprecated. You can enable or disable DNS caching using DNS profiles. You can now enable DNS caching for an individual virtual server by enabling DNS caching in a DNS profile and setting the DNS profile to the individual virtual server.
DNS profiles support the following types of DNS logging:
- DNS Query Logging
- DNS Answer Section Logging
- DNS Extended Logging
- DNS Error Logging
DNS query logging
You can configure a NetScaler appliance to log only the DNS queries that are received by the DNS endpoints on the appliance.
Note: If errors occur during processing of a query, they are logged if this option is set in the DNS profile.
Following is an example of a query log message:
DNS DNS_QUERY 143 0 : U:10.102.27.70#61297:10.102.27.73#53/22142/Q/
(RD)/NO/1/0/0/0#test.com./1#
<!--NeedCopy-->
DNS answer section logging
You can configure a NetScaler appliance to log all the Answer sections in the DNS responses that the appliance sends to the client. DNS Answer Section logging is useful when the NetScaler is configured as a DNS resolver, or in GLSB use cases.
Following is an example of a DNS answer section log:
DNS DNS_RESPONSE 6678 0 : U:100.100.100.210#32776:100.100.100.10#
53/61373/Q/(RD,AA,RA,R)/NO/1/1/2/4#n1.citrix.com1./
28#ANS#AAAA/120/1111:2345:6789:ffab:abcd:effa:1234:3212##
<!--NeedCopy-->
DNS extended logging
To configure a NetScaler appliance to log Authority and Additional sections in the DNS responses, enable Extended logging with Answer Section logging.
Note: If errors occur during processing of either queries or responses, the errors are logged if this option is set in the DNS profile.
Following is an example of a message logged when the cache lookup is completed and the response is embedded in the packet:
DNS DNS_RESPONSE 2252 0 : T:100.100.100.118#21411:100.100.100.10
#53/48537/Q/(RD,AA,CD,RA,R)/NO/1/1/2/6#a1.citrix.com1./1#ANS#A/
120/1.1.1.1##AUTH#citrix.com1/NS/120/n2.citrix.com1#n1.citrix.com1##ADD#n1.citrix.com1
/A/120/1.1.1.1#1.1.1.2##n1.citrix.com1/AAAA/120/
1111:2345:6789:ffab:abcd:effa:1234:3212##n2.citrix.com1/A/120/2.1.1.2
##n2.citrix.com1/AAAA/120/2222:faff:3212:8976:123:1241:64:ff9b##OPT/0/1280/DO##
<!--NeedCopy-->
DNS error logging
You can configure a NetScaler appliance to log the errors or failures that occur when it processes a DNS query or response. For these errors, the appliance logs the DNS header, Question sections and OPT records.
Following is an example of a message logged when an error occurs during processing of a DNS request or response:
DNS DNS_ERROR 149 0 : U:10.102.27.70#27832:10.102.27.73#53/61153/Q/
(RD)/NO/1/0/0/0#test.com./1140#Packet Dropped
<!--NeedCopy-->
Policy-based logging
You can configure custom logging based on DNS expressions by configuring the logAction on DNS policies, Rewrite, or Responder policies. You can specify that logging occurs only when a particular DNS policy evaluates to true. For more information, see Configure policy based logging for DNS.
Understand the NetScaler syslog log message format
NetScaler appliance log DNS requests and responses in the following Syslog format:
<transport> :<client IP>#<client ephemeral port>:<DNS endpoint IP>#<port>
: <query id> /opcode/header flags/rcode/question section count/answer section count
/ auth section count / additional section count #<queried domain name>
/<queried type>#...
<!--NeedCopy-->
-
<transport>:
- T = TCP
- U = UDP
-
<client IP>#< client ephemeral port >: DNS client IP address and port number
-
<DNS endpoint IP>#<port>: NetScaler DNS endpoint IP address and port number
-
<query id>: Query ID
-
<opcode>: Operation code. Supported Values:
- Q: query
- I: inverse query
- S: status
- X0: unassigned
- N: notify
- U: update
- X1-10: unassigned values
-
<header flags>: Flags. Supported Values:
- RD: recursion desired
- TC: truncated
- AA: authoritative response
- CD: check disabled
- AD: authenticated data
- Z: unassigned
- RA: recursion available
- R: response
-
<rcode>: Response Code. Supported Values:
- NO: no error
- F format error
- S: server failure
- NX: non-existent domain
- NI: not implemented
- R: query refused
- YX: Name Exists when it must not
- YXR: RR Set Exists when it must not
- NXR: RR Set that must exist does not
- NAS: Server Not Authoritative for zone
- NA: Not Authorized
- NZ: Name not contained in zone
- X1-5: unassigned
-
/question section count/answer section count/auth section count/additional section count: Question section, Authority section count, and Additional section count in the DNS request
-
<queried domain name>/<queried type>: Queried domain and queried type in the DNS request
-
#ANS#<record type>/<ttl>/.. #AUTH#<domain name>/<record type>/<ttl>.. #ADD#<domain name>/<record type>/<ttl>…:
In DNS responses:
Answer Section is logged if answer section logging is enabled in the DNS profile. Authority and Additional sections are logged if extended logging is enabled in the DNS profile. The log format would differ depending on the type of record. For more information see Understanding the Record Logging Format.
- ANS: answer section
- AUTH: authority
- ADD: Additional section
-
OPT/<edns version>/UDP max payload size/DO: OPT record format in the DNS log
-
OPT/<EDNS version>/<UDP payload size>/<“DO”or empty based on whether DNSSEC OK bit is set or not>/<value of RDLEN>/ECS/<Q/R>/<option length>/<Family>/<Source Prefix-Length>/<Scope Prefix-Length>/<ECS Address>:
If the DNS query or response includes the EDNS Client Subnet (ECS) option, then that is also logged in the OPT record format in the DNS log file.
When a DNS query with an ECS option that includes either an IPv4 or IPv6 address is sent, the ECS option is logged with either of the following options;
- “ECS/Q” indicating that the values in the log are from the query
- “ECS/R” indicating that the values in the log are from the response.
The value of Scope Prefix-Length is also set appropriately. In the DNS Query, it is set to zero, and for response, it is set to the calculated value.
The following table describes the logged details in various scenarios:
Scenario | ECS option set in the DNS Query | ECS option set in the DNS Response | Logged Details |
---|---|---|---|
Both query logging and extended logging enabled | Yes | Yes | ECS option is logged with the string “ECS/R/” and the Scope Prefix-Length is set to the calculated value. |
Both query logging and extended logging enabled | Yes | No | ECS option is logged with the string “ECS/Q” and the Scope Prefix-Length is set to zero. |
Query logging is enabled, but extended logging is not enabled | Yes | Yes | ECS option is logged with the string “ECS/Q/” and the Scope Prefix-Length is set to zero. |
Query logging & extended logging are not enabled | Yes | Yes | ECS option is not logged. |
Query logging is enabled, but extended logging is not enabled | Yes | No | ECS option is logged with the string “ECS/Q/” and the Scope Prefix-Length is set to zero. |
Query logging is not enabled, but extended logging is enabled | Yes | Yes | ECS option is logged with the string “ECS/R/” and the Scope Prefix-Length is set to the calculated value. |
Query logging is not enabled, but extended logging is enabled | Yes | No | ECS option is not logged. |
Understand the record logging format
Following is an example of the record logging format in a Syslog message:
<domainname>/<record type>/ <record ttl> / <resource record data>#<resource record data>#......##
<!--NeedCopy-->
Where:
Record Type | Sample Format | Resource Record Data / Format |
---|---|---|
Address (A) record | A/5/1.1.1.1#1.1.1.2#1.1.1.3## | IPv4 address |
AAAA record | AAAA/5/1::1#1::2#1::3## | IPv6 address |
SOA record | SOA/3600/ns1.dnslogging.test./root.dnslogging.test./100/3600/3/3600/5## | Origin server, contact, and other details. Resource record format is: |
NS record | NS/5/ns1.dnslogging.test | Host name of the nameserver. |
MX record | #MX/5/10/host1.dnslogging.test.#11/host2.dnslogging.test.## | Preference followed by mail exchange server host name |
CNAME record logging | CNAME/5/host1.dnslogging.test.## | Canonical name |
SRV record | SRV/5/1/2/3/host1.dnslogging.test.#4/5/6/host2.dnslogging.test.## | Resource record format: |
TXT record | TXT/5/dns+logging## | Data comprises all the texts. |
NAPTR record | NAPTR/5/10/11////dnslogging#20/21/R/SIP//sip.dnslogging.test## | Resource record format: |
DNSKEY record | DNSKEY/5/1/3/5/AwEAAanP0K+i5bfv5SU478L760EjDjnPqI2Ccx6JZgiDBZhSONP29GfO2bkP056xp7+9Wz8X2oo5sANaDwSzUVR0YtZdPw23gAaktH6pFvnwcIHa/PTFw5VcXyiUaDc+AnaOhNNYOPp7iQ6uTdT9cyuGWJ1OfZ0JRt+8EyX6iwRsLk7WSpz8KidvKs2ij9IXZ3OzaVEEMGY4SMfHIlLhqIho1fyADlbAoSsLEbr/7eqKv1/PLXSuVV9elwkH0pqWALUaSEBbmp49/jbCbc8cZKxzaON9p2jp2j4iodfC8cnEHAS2/4W1FEPpRTyYtcdBq6Uc2orBaaxjhsZELvRcWMr+pDc=#1/3/5/AwEAAbJhKdI21LP0pPxv0k1pFBNClZW97TB4FlCW4e4Fuyq7rY7+aiYdDVxV8N9ZXt4RT3MdNznMVMl/R1ldWLjbCf5bFu9khaM1ME8I25HPTS3J2wK5rjj4HMFRMycUKZCK0UOgyUzd6Fm5b3G04wMIAoqkDHeqlwe7yWGaw94NbZuL## | Resource record format: |
PTR record | PTR/3600/test.com.#test4.com.## | Domain name |
Limitations of DNS logging
DNS logging has the following limitations:
-
If response logging is enabled, only the following record types are logged:
- Address (A) record
- AAAA record
- SOA record
- NS record
- MX record
- CNAME record
- SRV record
- TXT record
- NAPTR record
- DNSKEY record
- PTR record
For all other record types, only L3/L4 parameters, DNS Header, and Question section are logged.
-
RRSIG records are not logged even if response logging is enabled.
-
DNS64 is not supported.
-
DNS proactive update requests or responses are logged according to the settings in the default profile.
-
On the virtual server, if the sessionless option and response logging is enabled, L3/L4 parameters, DNS Header, and DNS Question section are logged instead of the response.
-
The maximum size of the syslog message is 1024 bytes.
-
If you have set a DNS profile for a DNS policy with action type Rewrite Response, the NetScaler appliance does not log the query or the manipulated responses. To log the required information you must use an audit message action in the DNS policy.
-
DNS transactions that are due to DNS monitoring traffic are not logged.
Configuring DNS logging
Following is an overview of configuring DNS logging:
- Create a Syslog action and enable DNS in the action.
- Create a Syslog policy and specify the Syslog action in the policy.
- Globally bind the Syslog policy to enable logging of all NetScaler system events. Or, bind the Syslog policy to a specific load balancing virtual server.
- Create a DNS profile and define any of the following types of logging that you want to enable:
- DNS Query Logging
- DNS Answer Section Logging
- DNS Extended Logging
- DNS Error Logging
- Configure any of the following, based on your requirement:
- DNS service and virtual server for DNS
- ADNS service
- NetScaler as a forwarder
- NetScaler as a resolver
- Set the created DNS profile to one of the DNS entities.
Configure DNS logging for NetScaler configured as DNS Proxy by using the CLI
-
Add a syslog action and enable DNS in the action. At the command prompt, type:
add audit syslogAction <name> (<serverIP> | -lbVserverName <string>) [-serverPort <port>] -logLevel <logLevel> ... [-dateFormat <dateFormat>] [-logFacility <logFacility>] [-tcp ( NONE | ALL )] [-acl ( ENABLED | DISABLED )] [-timeZone ( GMT_TIME | LOCAL_TIME )] [-userDefinedAuditlog ( YES | NO )] [-appflowExport ( ENABLED |DISABLED )] [-lsn ( ENABLED | DISABLED )] [-alg ( ENABLED | DISABLED )] [-transport ( TCP | UDP )] [-tcpProfileName <string>] [-maxLogDataSizeToHold <positive_integer>] [-dns ( ENABLED | DISABLED)] <!--NeedCopy-->
Example:
add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED
-
Create a syslog policy and specify the created syslog action in the policy. At the command prompt, type:
add audit syslogPolicy <name> <rule> <action>
Example:
add audit syslogPolicy syslogpol1 true nssyslogact1
-
Bind the syslog policy globally. At the command prompt, type:
bind audit syslogGlobal -policyName <string> [-priority <positive_integer>]
Example:
bind audit syslogGlobal syslogpol1
-
Create a DNS profile and enable any of the following type of logs that you want to configure:
- DNS Query Logging
- DNS Answer Section Logging
- DNS Extended Logging
- DNS Error Logging
At the command prompt, type:
add dns profile <dnsProfileName> [-dnsQueryLogging ( ENABLED | DISABLED )] [-dnsAnswerSecLogging ( ENABLED | DISABLED )] [-dnsExtendedLogging (ENABLED | DISABLED )] [-dnsErrorLogging ( ENABLED | DISABLED )] [-cacheRecords ( ENABLED | DISABLED )] [-cacheNegativeResponses ( ENABLED | DISABLED )]
Example:
add dns profile dnsprofile1 -dnsQueryLogging ENABLED
-
Configure a service of type DNS. At the command prompt, type:
add service <name> <serverName> <serviceType> <port>
Example:
add service svc1 10.102.84.140 dns 53
-
Configure a load balancing virtual server of service type DNS.
add lb vserver <name> <serviceType> <ip> <port>
Example:
add lb vserver lb1 dns 100.100.100.10 53
-
Bind the service to the virtual server. At the command prompt, type:
bind lb vserver <name> <serviceName>
Example:
bind lb vserver lb1 svc1
-
Set the created DNS profile to the virtual server. At the command prompt, type:
set lb vserver <name> [ - dnsProfileName <string>]
Example:
set lb vserver lb1 –dnsProfileName dnsprofile1
Sample DNS logging configuration for NetScaler appliance configured as DNS proxy
> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel
CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone
LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 true nssyslogact1
Done
> bind audit syslogGlobal syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> add lb vserver lb1 dns 100.100.100.10 53 –dnsProfileName dnsprofile1
Done
> add service svc1 10.102.84.140 dns 53
Done
> bind lb vserver lb1 svc1
Done
<!--NeedCopy-->
Sample DNS logging configuration for NetScaler appliance configured as ADNS
> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL
ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME
-dns ENABLED
Done
> add audit syslogPolicy syslogpol1 true nssyslogact1
Done
> bind audit syslogGlobal syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> add lb vserver lb1 dns 100.100.100.10 53 –dnsProfileName dnsprofile1
Done
> add service svc1 10.102.84.140 dns 53
Done
> bind lb vserver lb1 svc1
Done
<!--NeedCopy-->
Sample DNS logging configuration for NetScaler appliance configured as a forwarder
> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL
ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME
-dns ENABLED
Done
> add audit syslogPolicy syslogpol1 true nssyslogact1
Done
> bind audit syslogGlobal syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> add dns nameserver 8.8.8.8 –dnsProfileName dnsprofile1
Done
<!--NeedCopy-->
Sample DNS logging configuration for a NetScaler appliance configured as a resolver
> add audit syslogAction nssyslogact1 10.102.151.136
-logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4
-timeZone LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 true nssyslogact1
Done
> bind audit syslogGlobal syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> set dns parameter -recursion enABLED
Done
> add nameserver 1.1.1.100 -local dnsProfileName dnsprofile1
Done
<!--NeedCopy-->
Configure policy based logging for DNS
Policy based logging enables you to specify a format for log messages. The contents of a log message are defined by using an Advanced policy expression. When the message action specified in the policy is performed, the NetScaler appliance constructs the log message from the expression and writes the message to the log file. You can configure the appliance to log only when a particular DNS policy evaluates to True.
Note
If you have set a DNS policy with a DNS profile for the request side, the NetScaler appliance logs only the query.
To configure policy based logging for a DNS policy, you must first configure an audit message action. For more information about configuring an audit message action, see Configure the NetScaler appliance for audit logging. After configuring the audit message action, specify the message action in a DNS policy.
Configure policy based logging for a DNS policy by using the CLI
At the command prompt, type the following commands to configure policy based logging for a DNS policy and verify the configuration:
- add dns action <actionName> <actionType> [-IPAddress <ip_addr|ipv6_addr> ... | -viewName <string> | -preferredLocList <string> ...] [-TTL <secs>] [-dnsProfileName <string>]
- set dns policy <name> [<rule>] [-actionName <string>] [-logAction <string>]
- show dns policy [<name>]
<!--NeedCopy-->
Example 1:
In a GSLB deployment, if you want to respond with different IP addresses to the client requests coming from a particular subnet, instead of responding with IP addresses used for general purposes (such as the IP addresses of internal users), you can configure a DNS policy with the action type as DNS view. In this case, you can configure DNS logging on the specified DNS action such that you can log the specific responses.
> add dns profile dns_prof1 -dnsqueryLogging enABLED -dnsanswerSecLogging enABLED
Done
> add dns view dns_view1
Done
> add dns action dns_act1 viewName -view dns_view1 –dnsprofilename dns_prof1
Done
> add dns policy dns_pol1 "CLIENT.IP.SRC.APPLY_MASK(255.255.255.0).EQ(100.100.100.0)”
dns_act1
Done
> bind dns global dns_pol1 100 -gotoPriorityExpression END -type REQ_DEFAULT
Done
> bind gslb service site_1_svc -viewName dns_view1 123.1.1.1
Done
> bind gslb service site_5_svc -view dns_view1 132.1.1.1
Done
<!--NeedCopy-->
Note:
In the preceding configuration, if you query for the domain configured on a GSLB virtual server, for example, sampletest.com, all the internal users of subnet 100.100.100.0/24 are served with the DNS view IP addresses, and the responses are logged. Client requests for other subnets are not logged.
Example 2:
If you want to log only the queries for the domain example.com, you can create a DNS profile with query logging enabled and set the DNS profile to a DNS action with the action type NOOP, and then create a DNS policy and set the DNS action. For example:
>add dns profile query_logging -dnsqueryLogging ENABLED
Done
>add dns action dns_act1 NOOP -dnsprofileName query_logging
Done
>add dns policy dns_pol1 DNS.REQ.QUESTION.DOMAIN.EQ("example.com") dns_act1
Done
<!--NeedCopy-->
Configure log action for the DNS policy to log client IP address
Logging action can be used to log the source IPs for the DNS queries using the following expression and use it as part of the log action in the DNS policy.
> add audit messageaction log_act_custom INFORMATIONAL "\"ClientIP:\"CLIENT.IP.SRC\" ECS IP:\"+((DNS.REQ.OPT.ECS.IP).typecast_text_t ALT \"NONE\")"
Done
<!--NeedCopy-->
The earlier expression captures both the source IP as in the IP header and the ECS IP from the DNS ECS option, and either of it can be excluded as required.
Sample DNS logging configuration for a NetScaler appliance to log client IP address
If you want to sample the logging of the DNS queries, it can be done using the following expression. This logs one out of 10 queries.
> add audit messageaction log_action_srcip_1of10 INFORMATIONAL "\"OneOf10: Source IP : \"+client.ip.src"
Done
> add responder policy logsrcip_1of10 "sys.random.mul(10).lt(1)" NOOP -logAction log_action_srcip_1of10
Done
<!--NeedCopy-->
Share
Share
In this article
- DNS profiles
- Understand the NetScaler syslog log message format
- Understand the record logging format
- Limitations of DNS logging
- Configuring DNS logging
- Sample DNS logging configuration for NetScaler appliance configured as DNS proxy
- Sample DNS logging configuration for NetScaler appliance configured as ADNS
- Sample DNS logging configuration for NetScaler appliance configured as a forwarder
- Sample DNS logging configuration for a NetScaler appliance configured as a resolver
- Configure policy based logging for DNS
- Configure log action for the DNS policy to log client IP address
- Sample DNS logging configuration for a NetScaler appliance to log client IP address
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.