DNS Automation: Adjusting domain controls for internet breakout and SD-WAN

BY Ben Ball

All the modular layers of today’s networks – clouds, data centers, branch office connections, and SD-WAN controllers – have their role to play in delivering a functional network.  Yet navigating applications and services through this jumble of environments can be extremely difficult. 

Traffic steering through DNS

The uniquely designed traffic steering functions of DNS Edge can cut through some of this complexity. DNS Edge acts as the device-facing response layer, or “first hop” connection. Network administrators can use DNS Edge to optimize access to outside services, either through direct connections (an “internet breakout”) or by routing the query back to a home office data center.

This intelligent DNS functionality has a particularly compelling use case for organizations that want to steer service connections away from costly MPLS backhauls through an “internet breakout”. It is a more elegant solution than relying on deep packet inspection in the SD-WAN to direct traffic out to the internet.

Administrators can set up routing rules in DNS Edge to resolve directly to trusted external services such as Office 365, Salesforce, or Dropbox. Rules are also available for internal services, routing queries either back to a central data center or to regional nodes. All of these routing controls coordinate with SD-WAN controllers to resolve trusted traffic directly to service providers.

Keeping track of trusted connections

There is one slight operational hitch that needs to be accounted for. The domains used by cloud services are rarely static. As the underlying domains are updated, load balanced, and taken offline for maintenance, DNS must adjust so that queries resolve and the SD-WAN routes correctly.

To avoid outages and maintain direct connections to trusted cloud services, DNS Edge receives automatic updates as the underlying domains change. Doing this manually would be a significant headache: Office 365 alone uses over 100 constantly shifting domains. It would also require constant real-time vigilance, as service providers often switch domains on the fly with little to no advance notice.

Automation to the rescue

Enter Absorbaroo, an automation workflow designed by BlueCat to maintain direct connections to trusted cloud services.  Here’s how it works:

  • Absorbaroo maintains a constant watch on third-party sites for domain change notifications, checking at intervals defined by the network administrator.
  • When a service posts a notification, Absorbaroo downloads the new domain list automatically.
  • The domain list is pushed through a DNS Edge whitelist into the SD-WAN system, updating the resolution data for all of the client devices covered by that DNS Edge service point.
  • The SD-WAN sees the resolution on a mutually held whitelist and allows the connection to be routed directly out to the trusted service.
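The poll-and-diff step of that workflow, as an added illustration rather than Absorbaroo's own code from the BlueCat Labs repository: it assumes a published list shaped like the Office 365 endpoint JSON (entries carrying an `id`, `serviceArea` and `urls`, with a separate version string announcing changes), validates every hostname before accepting it, and computes which names must be added to or removed from the whitelist. The payloads are constructed samples.

```python
"""Added illustration of the Absorbaroo-style loop: poll a vendor's published
domain list, validate it, and compute the whitelist changes to push onward.
Schema and version handling are assumptions modelled on the public Office 365
endpoint web service; the payloads below are constructed samples."""
import json
import re

# Accept a hostname or a wildcard such as "*.sharepoint.com"; reject IPs,
# URLs with paths, and anything else that should never land in a DNS whitelist.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_LABEL}$")


def extract_domains(payload):
    """Return the set of valid, normalised hostnames from the 'urls' fields."""
    domains = set()
    for entry in json.loads(payload):
        for host in entry.get("urls", []):
            host = host.strip().lower().rstrip(".")  # canonical form for comparison
            if _DOMAIN_RE.match(host):
                domains.add(host)
            # malformed entries are dropped rather than pushed downstream
    return domains


def plan_whitelist_update(current, wanted):
    """Return (to_add, to_remove) that turns the current whitelist into 'wanted'."""
    return sorted(wanted - current), sorted(current - wanted)


def run_once(last_seen_version, published_version, current_whitelist, payload):
    """One polling cycle: do nothing unless the vendor's version string changed."""
    if published_version == last_seen_version:
        return None
    to_add, to_remove = plan_whitelist_update(current_whitelist, extract_domains(payload))
    return {"version": published_version, "add": to_add, "remove": to_remove}


# Constructed samples: an old list already in the whitelist, and a newer one
# that adds a host, drops a host, and contains two malformed entries.
OLD_LIST = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"]},
    {"id": 11, "serviceArea": "Skype", "urls": ["*.lync.com"]},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"]},
])
NEW_LIST = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "smtp.office365.com"]},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com", "*.SharePoint.com.", "http://x/path"]},
])

if __name__ == "__main__":
    print(run_once("2019120201", "2020010301", extract_domains(OLD_LIST), NEW_LIST))
```

The returned plan is what would be handed to the DNS Edge and SD-WAN side; applying it through their respective APIs is outside this sketch.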

The example workflow posted on our BlueCat Labs GitHub repository uses Office 365 and Cisco Meraki SD-WAN controllers, but the framework can be adjusted for use with any third-party service.

Want to learn more about how DNS Edge enables traffic steering?  Check out our intelligent DNS video.

Ben Ball

Ben Ball is a Government Market Manager at BlueCat, handling business development and marketing outreach in the Federal, State, and local government markets. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.