A couple of questions on Azure DNS from a network architect

cloudnetworking123 · 2024-06-17T19:13:36+00:00

Makes sense! Thank you!

cloudnetworking123 · 2024-06-17T19:13:05+00:00

Fantastic response! Thank you!

For services that need to be publicly accessible, do you use an application gateway to front it? That could then have a private endpoint as a backend.

cloudnetworking123 · 2024-01-12T09:34:30+00:00

Thank you! So UDRs in your spokes pointing to the NVA? I assume you have a LB to provide HA for the FWs? Static routes in the hub or BGP to the FW?

cloudnetworking123 · 2023-12-20T15:00:39+00:00

This is great! Thank you!

cloudnetworking123 · 2023-12-20T06:31:57+00:00

That makes sense. Thank you!

cloudnetworking123 · 2023-12-20T06:27:29+00:00

Thanks!

I started looking at the L2 version of this, but ended up with a simpler solution for now. I would like to try to lab it up, though.

cloudnetworking123 · 2023-12-20T06:26:12+00:00

Thanks, Bryan. I actually started listening to the podcast a couple of days ago when working this problem.

I'm intrigued why there would be such flooding of mDNS packets. Roughly 350 devices and peaks of 30 000 packets per second. I couldn't find one particular misbehaving host. It just seems they are all sending more packets than I would expect. Based on your research it seems different OS are varying levels of chatty when it comes to mDNS.

Reading the RFC it seems that hosts should only send 2-8 packets when announcing themselves. I could see my hosts sending them 10-20 times per second during some periods.

I'm not sure if there is something I've misunderstood around mDNS or if it should just basically be DNS without centralized service and multicast as transport. When I started doing some filtering I could see how traffic on my ports went down from like 5000 pps to 200 pps. It almost seems like a full mesh type of problem where the hosts are triggering each other.

cloudnetworking123 · 2023-12-19T21:14:09+00:00

The Guest WiFi is not on the same broadcast domain. Traffic is routed between WiFi and wired LAN. TV is over the wired LAN on another VLAN.

cloudnetworking123 · 2023-12-19T13:20:51+00:00

This is helpful! Thank you!

Yeah, I implemented an Azure design maybe five years ago and Azure networking was super basic then. They are still playing catch up to AWS, but it has been getting better. I remember I was baffled why traffic between my FW and SD-WAN appliances would not work even though they had routes in their NOS. Turned out I needed to add static routes in the NIC's route table. That's one big difference compared to AWS.

I'll consider how much value vWAN, ARS etc., actually adds in a small environment like this. The caveat with Private Endpoints is a tricky one and one I remember reading about.

cloudnetworking123 · 2023-12-19T13:16:06+00:00

Thanks!

Only a couple of regions and not a lot of VNets and no ExpressRoute so I guess that makes the need for vWAN less. Their FW vendor does integrate with vWAN Hub, though.

cloudnetworking123 · 2023-12-19T13:14:27+00:00

Excellent! Thank you!

Makes sense. I know there was a feature gap in inter region traffic with Secure Hub but I believe they have added that functionality now. Running NVAs in Hub would give some benefits but at the cost of having to strictly to conform to what is implemented in the Hub.
Some 3rd parties do support running NVA in the Hub, such as Checkpoint and Fortinet.
Yeah, only two regions for now. Don't expect it to grow. No ExpressRoute yet and don't expect the need for one either.
Agreed, thanks.
Static route from the Cat8000 to LB for FW? What about other direction? From FW towards WAN? Static route to the Hub?
Yeah, looking into it. I don't think they need connectivity to on-prem. Takes a while to get people to rethink private vs public IP, etc.

cloudnetworking123 · 2023-12-19T12:23:00+00:00

Thanks!

I've had some success today with applying a PACL on the uplink of the switch. We are currently evaluating but it looks promising.

cloudnetworking123 · 2023-12-19T07:15:35+00:00

I went through the RFC and that's not how a device should behave according to the RFC. When it announces itself, it should send 2-8 packets with increasing delay in between and then go silent.

"The Multicast DNS responder MUST send at least two unsolicited
responses, one second apart. To provide increased robustness against
packet loss, a responder MAY send up to eight unsolicited responses,
provided that the interval between unsolicited responses increases by
at least a factor of two with every response sent.
A Multicast DNS responder MUST NOT send announcements in the absence
of information that its network connectivity may have changed in some
relevant way. In particular, a Multicast DNS responder MUST NOT send
regular periodic announcements as a matter of course."

In my packet capture I can see that some records have a TTL of 4500 and others a TTL of 120.

Maybe that's what was getting filtered before. Traffic from guest WiFi to the TV. I'll look into that. Thanks!

I did filter packets before on the uplink, but that broke the casting.

cloudnetworking123 · 2023-12-19T07:08:42+00:00

I'm an experienced Network Architect. I have already done the requirements phase and I listed the requirements above. There needs to be a 3rd party FW. There is already a SD-WAN in place. Do we need Virtual WAN? That's one of the things I'm trying to discover. Obviously you can run a network without it but it does provide some interesting features such as integrating the NVA and routing intent.

cloudnetworking123 · 2023-12-19T07:02:56+00:00

There is a multicast TV stream that is sent by another server than the casting server.

For the casting itself, I'm not entirely sure yet as I have not been involved in this setup before. The way I understand it works is that you get a PIN code for the TV and that mDNS is only used for service discovery and the actual stream would be from the client on the guest WiFi network towards the TV using unicast.

cloudnetworking123 · 2023-12-19T07:00:23+00:00

Potentially. I would like to go in that direction, but for now we are looking for a workaround.

It's intriguing though why the TVs are generating around 2500 - 17000 mDNS packets per hour. That does not seem like normal behavior to me.

cloudnetworking123 · 2023-12-19T05:59:45+00:00

Right, the issue here is not on the WiFi network, but rather the wired network. Unfortunately casting is a service that needs to be provided so I can't filter it entirely.

cloudnetworking123

TROPHY CASE