Configuring DNS Service Record Discovery
When DNS service record discovery is used, endpoints poll the DNS server for information about the MC (i.e., the EBM/EM) to which they should connect only when the DHCP server does not provide a DHCP option containing the MC's IP address or FQDN.
If an endpoint has already retrieved a DNS record before the DNS server is configured with MC information, it does not poll the DNS server again until the record's Time-To-Live expires (or the endpoint is rebooted). If the DHCP server does provide an option for the MC address but the endpoint fails to connect for any reason (e.g., because of a certificate verification failure or the MC address is not reachable), DNS record lookup will not occur.
Note: Please do not configure DHCP options if you want to use DNS record discovery. Endpoints always prefer the MC address or fingerprint specified in the DHCP options over the one specified in the DNS record. If you provide the MC address both as a DHCP option and as a DNS record, the endpoint will only use the MC address found in the DHCP option.
DNS service record discovery requires you to have a DNS server in your network that is configured with the following DNS records:
- An address record (A record) that specifies the FQDN and IP address of the MC. This record may be automatically created by the DHCP server.
Note: If you are configuring a DNS TXT record containing the certificate fingerprint (see below), a DNS PTR record that maps the MC's IP address to its host name is also required in order for the endpoint to find the DNS TXT record. Typically, the DHCP server talks to the DNS server to create the forward and reverse lookup records. Depending on the DHCP/DNS server configuration, however, the reverse lookup record may not get created automatically. Also, if the DNS forward lookup was created manually and the "Create associated pointer (PTR) record" checkbox was not enabled, the DNS reverse lookup record will not get created. If you experience any problems with your DNS configuration, see Appendix A: Troubleshooting DNS for the steps to perform to ensure that DNS is configured correctly for the MC.
- A service location record (SRV record) that associates information such as the MC's TCP/IP service and the port the MC listens on with the MC's domain and host name. The MC's TCP/IP service is called _pcoip-bootstrap, as shown in the example below.
- A DNS TXT record that contains the MC certificate SHA-256 fingerprint is also required if you have not installed the MC's trusted root CA certificate (the MC chain certificate) in the endpoint's certificate store and you want to use automatic discovery. The record's name must be the host name of the MC offering the service. In the example below, this record is called pcoip-mc38719. The domain is appended automatically. If you configure a DNS TXT record, a DNS PTR record is also required. See the above note for details.
Note: The endpoint only picks up the fingerprint from the DNS TXT record if the MC address is specified in a DNS SRV record. For example, if the MC address is specified as a DHCP option but the fingerprint is provided as a DNS TXT record, the endpoint will not retrieve the fingerprint information in the DNS server. You should configure MC information using either DHCP options or DNS records, but not both.
Before You Begin
Before beginning, you should have the following information handy:
- The MC's FQDN
- The MC's certificate fingerprint (i.e., the certificate's digital signature). If provided, this fingerprint is only used when the endpoint's security level is set to Low Security Environment and certificate verification has failed. It is ignored when the security level is set to Medium Security Environment or High Security Environment.
You can locate the MC's fingerprint as follows:
- Use Firefox to log in to the MC web interface.
- Click the padlock icon in the browser's address bar.
- Click More Information.
- Click View Certificate.
- In the Fingerprints section, copy and paste the SHA-256 fingerprint into a text editor.
Note: The examples in this section use Windows Server 2012 R2. The instructions may vary with other systems.
Adding the DNS SRV Record
To add the MC DNS SRV record to the DNS server:
- Log in to your Windows Server and select DNS.
- Right-click on your DNS server in the SERVERS pane and select DNS Manager from the context menu.
- In Forward Lookup Zones, right-click on your domain and select Other New Records from the context menu.
- In the Resource Record Type dialog, select Service Location (SRV) from the list and click Create Record.
- Fill in the entries as shown in the example below. Set Service to _pcoip-bootstrap, Protocol to _tcp, and Port number to 5172, the MC's default listening port. For Host offering this service, enter the MC's FQDN.
Note: The MC's FQDN must be entered because the DNS specification does not allow an IP address in SRV records.
- Click OK.
- If you are not adding an optional DNS TXT record (see below) and have finished configuring your DNS server, power cycle your endpoints or put them online to allow them to make the connection to the MC. You must also upload the MC's root CA certificate to the endpoint's certificate store.
- Refresh the
Adding a DNS TXT Record
If your endpoints do not have the MC's root CA certificate installed in their certificate store, you must configure your DNS server with a DNS TXT record containing the MC certificate SHA-256 fingerprint.
- In Forward Lookup Zones, right-click on your domain and select Other New Records from the context menu.
- In the Resource Record Type dialog, select Text (TXT) from the list and click Create Record.
- Fill in the entries as follows:
- In the Record name field, enter the host name of the MC offering the service (this example uses pcoip-mc38719). The FQDN field will be automatically populated for you. This should match the FQDN of the MC.
- In the Text field, type pcoip-bootstrap-cert= and then paste the MC certificate SHA-256 fingerprint you obtained above immediately after this prefix, as shown in the example below.
- Click OK.
- When you have finished configuring your DNS server, power cycle your endpoints or put them online to allow them to make the connection to the MC.
Note: You can configure the MC to automatically name endpoints and place them in a specific group when they are discovered. See Auto Naming Endpoints and Auto Configuring Endpoints for details.
See Appendix A: Troubleshooting DNS to verify that your DNS server is configured correctly for the MC.
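As an added example (not part of this documentation or the MC's own code), the Python below models the discovery precedence described at the top of this section together with the TXT record value built in Adding a DNS TXT Record. The zone data, host names and addresses are constructed, and stripping the colons from the fingerprint as Firefox displays it is an assumption of the example.

```python
import re

FINGERPRINT_PREFIX = "pcoip-bootstrap-cert="
# Constructed SHA-256 fingerprint in the colon-separated form Firefox displays.
SAMPLE_FINGERPRINT = ":".join(["00", "11", "22", "33", "44", "55", "66", "77",
                               "88", "99", "AA", "BB", "CC", "DD", "EE", "FF"] * 2)

def txt_record_value(firefox_fingerprint):
    """Build the TXT text: the prefix immediately followed by the fingerprint.
    Stripping colons and lower-casing is an assumption of this example."""
    digest = firefox_fingerprint.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("expected a SHA-256 fingerprint (32 hex byte pairs)")
    return FINGERPRINT_PREFIX + digest

# Constructed zone data; hypothetical names and addresses.
SAMPLE_DNS = {
    "SRV": {"_pcoip-bootstrap._tcp": ("pcoip-mc38719.example.com", 5172)},
    "A": {"pcoip-mc38719.example.com": "192.0.2.10"},
    "PTR": {"192.0.2.10": "pcoip-mc38719.example.com"},
    "TXT": {"pcoip-mc38719.example.com": txt_record_value(SAMPLE_FINGERPRINT)},
}

def discover_mc(dhcp_options, dns, security_level, cert_verified):
    """Return (mc_target, fingerprint) following the precedence rules above."""
    # A DHCP option always wins; DNS is never consulted, even if that connection fails.
    if dhcp_options.get("mc_address"):
        return dhcp_options["mc_address"], None
    # Without the DHCP option, the SRV record names the MC host and listening port.
    srv = dns.get("SRV", {}).get("_pcoip-bootstrap._tcp")
    if srv is None:
        return None, None
    host, port = srv
    # The TXT record is reached through the A record and its PTR record;
    # without the reverse lookup the fingerprint is never found.
    ip = dns.get("A", {}).get(host)
    ptr_host = dns.get("PTR", {}).get(ip)
    fingerprint = None
    if ptr_host:
        txt = dns.get("TXT", {}).get(ptr_host, "")
        if txt.startswith(FINGERPRINT_PREFIX):
            fingerprint = txt[len(FINGERPRINT_PREFIX):]
    # The fingerprint is only honoured in a Low Security Environment after
    # certificate verification has failed; otherwise it is ignored.
    if security_level != "low" or cert_verified:
        fingerprint = None
    return "%s:%d" % (host, port), fingerprint
```

Dropping the PTR entry from SAMPLE_DNS reproduces the failure mode in the note above: the SRV lookup still succeeds but no fingerprint is ever retrieved.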