DNS Host Health Check

In Cisco Prime Network Registrar 9.0 and earlier, DNS replies to A/AAAA queries with the RRs in its authoritative configuration regardless of whether the destination addresses are reachable. The returned IP address may be unreachable at the time the DNS query is made, and neither the DNS server nor the DNS client is aware of the outage. In Cisco Prime Network Registrar 9.1 and later, an authoritative DNS server can periodically check the availability of a host or set of hosts for which it is the DNS authority by pinging the addresses with ICMP echo messages (ping). In Cisco Prime Network Registrar 10.0 and later, DNS host health check also supports the GTP-C protocol echo message over UDP v4 and UDP v6 to determine host availability. Hosts identified as unavailable are not sent in the query reply. The server responds with all RRs in the RR Set for the first query, with the TTL set to hhc-max-init-ttl. The DNS server sends the pings (ICMP ping or GTP-C echo ping) for the RRs in an RR Set only after receiving a query for that RR; subsequent A/AAAA queries are then answered with the reachable RRs only. Starting from Cisco Prime Network Registrar 11.1, you can enable host health check on SRV records to automatically health check their corresponding A/AAAA records.


Note

All RRs that have the host-health-check attribute set to ping or gtp-echo are monitored periodically. Monitoring starts only after the first query for an RR with host-health-check set to ping or gtp-echo. When host-health-check is set to ping, the ICMP protocol is used for monitoring; when it is set to gtp-echo, the GTP-C v2 protocol (GTP-C Echo request and response) is used.

For the feature to work effectively, the security settings of the pinged systems must allow them to answer the ping.


DNS Host Health Check Configuration Settings

DNS Host Health Check comes with preconfigured settings, and is disabled by default on the DNS server.

Use the following DNS server level attributes to enable DNS Host Health Check:
Table 1. DNS Server Level Attributes

Host Health Check (host-health-check)

Enables or disables DNS Host Health Check in the DNS server. When Host Health Check is enabled, the DNS server sends hhc-max-ttl as the TTL in the query reply for active RRs. When DNSSEC is enabled, the DNS server appends the RRs that are not active to the end of the RR list in the query reply; when DNSSEC is not enabled, the RRs that are not active are omitted from the RR list in the query reply.

host-health-check is disabled on the DNS server by default. Reload the DNS server after enabling host-health-check.

Host Health Check Interval (hhc-interval)

Specifies the time interval (in seconds) at which RR Sets are checked for reachability.

Max TTL (hhc-max-ttl)

Specifies the maximum TTL (in seconds) to send in the query reply when the RR health status is up. By default, the hhc-interval value is used.

Note

If the RR Set has a TTL less than hhc-interval or hhc-max-ttl, the RR Set's TTL is used in the response.

Max Initial TTL (hhc-max-init-ttl)

Specifies the maximum initial TTL (in seconds) to send in the query reply when a Host Health Check RR is queried for the first time.

Note

If the RR Set has a TTL less than hhc-max-init-ttl, the RR Set's TTL is used in the response.
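The TTL and RR-ordering rules in Table 1, worked through as an added Python model of the documented behaviour (illustrative code, not Cisco Prime Network Registrar's implementation). The HhcConfig and RRSet classes, the rule that an address not yet probed counts as up, and the TEST-NET-1 sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HhcConfig:
    """Server-level attributes from Table 1 (seconds); defaults are constructed."""
    host_health_check: bool = False
    hhc_interval: int = 60
    hhc_max_ttl: Optional[int] = None  # None: falls back to hhc-interval
    hhc_max_init_ttl: int = 30


@dataclass
class RRSet:
    """One A/AAAA RR Set plus the health status learned by monitoring."""
    ttl: int
    records: List[str]
    status: Dict[str, bool] = field(default_factory=dict)  # address -> up?
    queried: bool = False  # monitoring only starts after the first query


def build_reply(cfg: HhcConfig, rrset: RRSet, dnssec: bool) -> Tuple[List[str], int]:
    """Return (addresses, ttl) for an A/AAAA query under the page's rules."""
    if not cfg.host_health_check:
        return list(rrset.records), rrset.ttl  # plain authoritative answer
    if not rrset.queried:
        # First query: every RR is returned and monitoring is kicked off; the TTL
        # is capped at hhc-max-init-ttl but never raised above the RR Set's own TTL.
        rrset.queried = True
        return list(rrset.records), min(rrset.ttl, cfg.hhc_max_init_ttl)
    max_ttl = cfg.hhc_interval if cfg.hhc_max_ttl is None else cfg.hhc_max_ttl
    ttl = min(rrset.ttl, max_ttl)
    # Assumption: an address with no check result yet is treated as up.
    up = [r for r in rrset.records if rrset.status.get(r, True)]
    down = [r for r in rrset.records if not rrset.status.get(r, True)]
    # DNSSEC on: inactive RRs are appended after the active ones (dropping them
    # would break the RRSIG over the set); DNSSEC off: inactive RRs are omitted.
    return (up + down if dnssec else up), ttl


def demo() -> Dict[str, Tuple[List[str], int]]:
    """Constructed walk-through: a two-address RR Set where one host goes down."""
    cfg = HhcConfig(host_health_check=True, hhc_interval=60, hhc_max_init_ttl=30)
    rr = RRSet(ttl=300, records=["192.0.2.10", "192.0.2.11"])  # constructed TEST-NET-1
    first = build_reply(cfg, rr, dnssec=False)  # all RRs, TTL 30
    rr.status = {"192.0.2.10": True, "192.0.2.11": False}  # periodic check result
    plain = build_reply(cfg, rr, dnssec=False)  # reachable RR only, TTL 60
    signed = build_reply(cfg, rr, dnssec=True)  # both RRs, unreachable one last, TTL 60
    low = build_reply(cfg, RRSet(ttl=20, records=["192.0.2.12"], queried=True), False)
    return {"first": first, "plain": plain, "signed": signed, "low_ttl": low}
```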

Enabling Host Health Check

To enable DNS Host Health Check, do the following:

Local Advanced Web UI

Procedure


Step 1

On the Manage DNS Authoritative Server page, under the Host Health Check section, select the enabled option for the host-health-check attribute.

Step 2

Click Save to save the changes and reload the Authoritative DNS server.


CLI Commands

Use the dns enable host-health-check command to enable host health check, and dns reload to restart the DNS server.

Note

Restart the DNS server to apply the configuration changes successfully.


Host Health Check RR Set Settings

Local Advanced Web UI

From the Design menu, choose Forward Zones under the Auth DNS submenu to open the List/Add Forward Zones page, and click the Resource Records tab. Click the RR name. Under the RR Set Settings section, select ping from the host-health-check drop-down list. This attribute change on the RR Set does not require a reload.

Note

If DNSSEC is enabled on the zone, the DNS server appends the RRs that are not active to the end of the RR list in the query reply.


CLI Commands

The rrSet command sets or unsets the host-health-check flag on the resource records for the given rr-name. When this flag is set, the health of the A and AAAA records is monitored.

zone name rrSet rr-name [set <host-health-check=off/ping/gtp-echo>] [get <host-health-check>] [unset <host-health-check>] [show]


Note


DNS server supports Global Unicast Address for IPv6 host health monitoring.


Viewing DNS Host Health Check Statistics

You can view the DNS Host Health Check statistics in the following ways:

Local Advanced Web UI

On the Manage DNS Authoritative Server page, click the Statistics tab to view the Server Statistics page. The DNS Host Health Check statistics appear under the Host Health Check Statistics section of both the Total Statistics and Sample Statistics categories.

Table 2. DNS Host Health Check Statistics Attributes

hhc-domains

Reports the number of domains checked by ping and gtp-echo Host Health Check.

hhc-domains-failed

Reports the number of domain checks that failed for ping and gtp-echo Host Health Check. This counter is incremented when all the RRs in the RR set are down.

hhc-domains-passed

Reports the number of domain checks that passed for ping and gtp-echo Host Health Check. This counter is incremented when any A/AAAA RR in the RR set is up.

hhc-rrs

Reports the number of RRs checked by ping and gtp-echo Host Health Check.

hhc-rrs-passed

Reports the number of RRs that passed the ping and gtp-echo health check.

hhc-rrs-failed

Reports the number of RRs that failed the ping and gtp-echo health check.

hhc-ping-domains

Reports the number of domains checked by ping Host Health Check.

hhc-ping-domains-failed

Reports the number of domain checks that failed for ping Host Health Check. This counter is incremented when all the RRs in the RR set are down.

hhc-ping-domains-passed

Reports the number of domain checks that passed for ping Host Health Check. This counter is incremented when any RR in the RR set is up.

hhc-ping-rrs

Reports the number of RRs checked by ping Host Health Check.

hhc-ping-rrs-failed

Reports the number of RRs that failed the ping Host Health Check.

hhc-ping-rrs-passed

Reports the number of RRs that passed the ping Host Health Check.

hhc-gtp-echo-domains

Reports the number of domains checked by gtp-echo Host Health Check.

hhc-gtp-echo-domains-failed

Reports the number of domain checks that failed for gtp-echo Host Health Check. This counter is incremented when all the RRs in the RR set are down.

hhc-gtp-echo-domains-passed

Reports the number of domain checks that passed for gtp-echo Host Health Check. This counter is incremented when any RR in the RR set is up.

hhc-gtp-echo-rrs

Reports the number of RRs checked by gtp-echo Host Health Check.

hhc-gtp-echo-rrs-passed

Reports the number of RRs that passed the gtp-echo Host Health Check.

hhc-gtp-echo-rrs-failed

Reports the number of RRs that failed the gtp-echo Host Health Check.

DNS Host Health Check statistics can also be logged in the server by enabling the host-health-check option present in the Activity Summary Settings section of the Edit Local DNS Server page.

CLI Commands

Use the dns getStats dns-hhc total command to view the host health check Total statistics, and dns getStats dns-hhc sample to view the Sample (sampled counter) statistics.

Note

Restart the DNS Server to apply the configuration changes successfully.


Host Health Check for SRV Records

You can enable DNS host health check on SRV records to automatically health check their corresponding A/AAAA records. If multiple SRV records pointing to the same A/AAAA record have different host health check settings, the server uses the host health check settings of the first SRV record queried. If the A/AAAA records are already enabled for host health check, the setting on the A/AAAA record is used and the SRV record setting is ignored. When the DNS server looks up A/AAAA records that do not have host health check explicitly configured, it checks the hash to see whether host health check is implicitly configured for them via the SRV records. When host health check is disabled on an SRV record, the authoritative DNS server continues to monitor the A/AAAA records that have host health check explicitly set. When all the A/AAAA records are down, SRV lookups use hhc-failed-domain-response when responding to clients.