
HEC DNS Integration scenarios

Customer version

Mario Benndorf, SAP

INTERNAL
Focus

This document is intended to give SAP HEC customers a guideline for choosing and setting up a DNS integration
scenario to access SAP HEC services over:

Virtual Private Networks (VPN)
Multiprotocol Label Switching (MPLS)
Cloud Connector

If you access your SAP HEC applications directly over the public Internet only, e.g. "*.hec.ondemand.com", this document does not apply.
Table of Contents

DNS Integration Scenarios – an Overview

Which DNS Zones / DNS Domains need to be integrated in the Customer's DNS

DNS Zone Transfer is the Default and preferred by SAP HEC
• Advantages and why we prefer it
• Firewall Configuration
• How to configure using UNIX® or Linux DNS
• How to configure using MS® Windows DNS

Conditional DNS Forward
• Advantages and disadvantages compared with DNS Zone Transfer
• Firewall Configuration
• How to configure using UNIX® or Linux DNS
• How to configure using MS® Windows DNS

DNS Domain Delegation
• How to configure using MS® Windows DNS

Special Features and Requirements
• DNSSEC
• DNS TSIG
• DNS6
• DNS Views and Network Address Translation

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ INTERNAL 3


DNS Integration Scenarios – an Overview

In almost all cases the client computers on the customer's end are configured to use the customer's internal DNS
servers as resolvers. These internal DNS servers must provide DNS data for internal resources (the intranet), usually
for the Internet, and also for external resources such as SAP HEC. This requires the internal DNS servers to have
dynamic access to the SAP HEC DNS data. In general SAP HEC supports three different techniques to provide the
SAP HEC DNS data to the customer's internal DNS servers:

1. DNS Zone Transfer (using master and slave zones)
2. Conditional DNS Forward
3. DNS Domain Delegation

Depending on the customer's internal DNS design, one of the above scenarios should fit.

SAP HEC recommends DNS Zone Transfer and prefers to set it up at this point. It is the most reliable and safe
solution, and it is the only scenario for which SAP HEC can provide a 99.5% service level (SLA).

Conditional DNS Forward may be a good alternative if the customer's firewall does not allow inbound connections
from SAP HEC to the customer's internal DNS servers; zone transfer needs them so that the internal servers can
receive DNS NOTIFY messages from the SAP HEC DNS servers. The disadvantage of forwarding is that the
forwarding servers cache the answers, so changes only become visible after the Time to Live (TTL) of the SAP HEC
DNS data expires, which is 1 hour by default. In a Disaster Recovery scenario with two independent SAP HEC
datacenters this can cause a considerable delay after a DR failover before the secondary SAP HEC systems become
reachable again through the customer's internal DNS.

DNS Domain Delegation is probably the best choice if the customer has tens or hundreds of internal DNS servers and
no internal upstream DNS "resolver" servers on which zone transfers or conditional forwards for external DNS
resources such as SAP HEC could be configured. It would not make sense to configure and maintain zone transfers
or conditional forwards towards SAP HEC on each of numerous DNS servers. Instead, a DNS domain delegation can
be configured at a single point in Active Directory so that the delegation information is present on all internal DNS
servers. With a domain delegation the internal DNS servers only hold the information which SAP HEC DNS servers
provide name resolution for the delegated SAP HEC zones/domains. The disadvantage is that every server or client
computer on the customer's end then has to communicate directly with the SAP HEC DNS servers, or with your
internal on-premise DNS servers if SAP HEC configures them as secondary nameservers in the HEC DNS zones
(an extra, not the SAP HEC default).
Which DNS Zones / DNS Domains need to be integrated in the Customer's DNS

To enable the computers on the customer's end to use SAP HEC applications over a private connection
(VPN or MPLS), the client computers need additional DNS resolution for a minimum of three SAP HEC
DNS domains for which SAP HEC is authoritative – the master zones, also called "delegated zones":

1. The SAP HEC customer top level domain (TLD):

<hec or sap>.customer.corp

Here "customer.corp" stands for the customer's internal DNS domain (the customer's TLD).
"hec.customer.corp" is the domain in which the SAP HEC application entry points are located.
The application entry point DNS names, and hence this domain, must be independent of the HEC datacenter:
in general it contains no IP addresses or hostnames, only DNS aliases (CNAME records).
In a DR failover only the targets of these aliases are switched from the primary HEC DC to the
secondary HEC DC, or to an HA system in the same HEC DC, for example.
The domain name "hec.customer.corp" is a template; "sap.ourcompany.local" would also be valid, but the
first label must be "hec" or "sap". A maximum of two such customer TLDs is possible per SAP HEC
customer. This domain is also used for the SSL certificates.

2. The SAP HEC "datacenter dependent" DNS domain(s):

<SAP HEC datacenter/tier short>.<hec or sap>.customer.corp

The DNS hostnames, IP addresses (and perhaps also aliases) live here. Client computers should never use
the hostnames or aliases in this domain directly as application entry point, URL or "target".
Again, <SAP HEC datacenter short>.sap.anothercompany.local or similar would be valid, but SAP HEC needs
this hierarchical order in the delegated domain names: a different order such as
"sap.<SAP HEC datacenter short>.company.corp" is invalid.
In general only one DNS domain can be assigned to a single SAP HEC network segment. If a "multi tier"
setup is wanted, SAP HEC needs at least one network segment per tier, for example, with the maximum of
two TLDs sap.customer.corp and sap.customer.com:

<SAP HEC datacenter short>.dev.sap.customer.corp for the SAP HEC Dev network 192.168.110.0/24
<SAP HEC datacenter short>.qas.sap.customer.corp for the SAP HEC QA network 10.10.200.0/24
<SAP HEC datacenter short>.sap.customer.com for the SAP HEC Production network 10.10.100.0/23

3. The DNS reverse domain(s) in which the DNS pointers (PTR records) are located, for example:

110.168.192.in-addr.arpa

if the IP range of the SAP HEC customer network is 192.168.110.0/24.
A 192.168.110.0/23 range gives two reverse domains, 110.168.192.in-addr.arpa and 111.168.192.in-addr.arpa;
a /22, e.g. 192.168.108.0/22, gives four (108, 109, 110, 111), and so on: there is one reverse zone per /24.
Coarser reverse zones such as 168.192.in-addr.arpa for a /16 or 10.in-addr.arpa for a /8 are not possible.

Each of the above forward and reverse DNS zones is "independent": SAP HEC does not support sub-domain or
stub zone configurations.
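The naming and reverse-zone rules above can be checked mechanically before the request is raised with SAP HEC. The following Python is an added example and not SAP's code or tooling: it validates a customer TLD and a datacenter-dependent domain against the rules stated in this section, derives the per-/24 reverse zones from a network, and lists every zone the customer's DNS has to integrate. The domains and networks are the page's own sample values; the datacenter short "primdc" and the rejection of networks smaller than a /24 are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

# Added example, not SAP's code: encode the zone rules from this section so a
# customer can check a planned naming scheme before raising the request with HEC.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
MAX_CUSTOMER_TLDS = 2  # stated on the page: at most two customer TLDs per HEC customer


def validate_customer_tld(name: str) -> str:
    """Customer TLD must be <hec|sap>.<customer internal domain>, e.g. hec.customer.corp."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3 or not all(LABEL.match(lab) for lab in labels):
        raise ValueError(f"{name}: not a <hec|sap>.<domain> name")
    if labels[0] not in ("hec", "sap"):
        raise ValueError(f"{name}: first label must be 'hec' or 'sap'")
    return ".".join(labels)


def is_valid_dc_domain(name: str, tld: str) -> bool:
    """Datacenter-dependent domain must be <dc>[.<tier>].<tld>: the page requires this
    hierarchical order, so 'sap.<dc>.customer.corp' is rejected."""
    tld = validate_customer_tld(tld)
    name = name.lower().rstrip(".")
    if not name.endswith("." + tld):
        return False
    prefix = name[: -len(tld) - 1].split(".")
    return 1 <= len(prefix) <= 2 and all(LABEL.match(p) for p in prefix)


def reverse_zones(cidr: str) -> List[str]:
    """in-addr.arpa zones for a HEC network: exactly one per /24 covered, so a /23
    gives two and a /22 gives four. strict=True rejects unaligned networks such as
    192.168.110.0/22 (that block really is 192.168.108.0/22)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("page: HEC provides no IPv6 DNS")
    if net.prefixlen > 24:  # assumption: reverse zones are handed over per whole /24
        raise ValueError(f"{cidr}: smaller than a /24, use the enclosing /24")
    # reverse_pointer of 192.168.110.0 is '0.110.168.192.in-addr.arpa'; drop the host label
    return [sub.network_address.reverse_pointer.split(".", 1)[1]
            for sub in net.subnets(new_prefix=24)]


Segment = Tuple[str, Optional[str], str, str]  # (dc short, tier or None, customer TLD, cidr)


def plan_zones(segments: Sequence[Segment]) -> List[str]:
    """All forward and reverse zones the customer's DNS has to integrate for the
    given HEC network segments (one DNS domain per segment, at most two TLDs)."""
    tlds = {validate_customer_tld(s[2]) for s in segments}
    if len(tlds) > MAX_CUSTOMER_TLDS:
        raise ValueError(f"more than {MAX_CUSTOMER_TLDS} customer TLDs: {sorted(tlds)}")
    forward, reverse, seen = set(tlds), set(), set()
    for dc, tier, tld, cidr in segments:
        if cidr in seen:
            raise ValueError(f"{cidr}: a segment can carry only one DNS domain")
        seen.add(cidr)
        dc_domain = ".".join(p for p in (dc, tier, validate_customer_tld(tld)) if p)
        if not is_valid_dc_domain(dc_domain, tld):
            raise ValueError(f"{dc_domain}: bad datacenter domain")
        forward.add(dc_domain)
        reverse.update(reverse_zones(cidr))
    return sorted(forward) + sorted(reverse)


if __name__ == "__main__":
    # The page's multi-tier example; 'primdc' as datacenter short is an assumption.
    for zone in plan_zones([
        ("primdc", "dev", "sap.customer.corp", "192.168.110.0/24"),
        ("primdc", "qas", "sap.customer.corp", "10.10.200.0/24"),
        ("primdc", None, "sap.customer.com", "10.10.100.0/23"),
    ]):
        print(zone)
```

For the page's multi-tier example this yields five forward zones (the two TLDs plus one datacenter domain per segment) and four reverse zones, the minimum set the customer's resolvers must be able to answer for.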
DNS Zone Transfer is the Default and preferred by SAP HEC

Advantages and why SAP HEC prefers it:

• No delay or caching for DNS updates.
• Provides redundancy and allows the full 99.5% service level (SLA),
  especially for SAP HEC Disaster Recovery scenarios.
• SAP HEC and the customer can establish status monitoring.

Disadvantages:

• An incoming connection from the HEC DNS servers to the on-premise DNS servers is
  necessary for DNS NOTIFY messages (otherwise the on-premise secondaries only pick up
  changes when they poll the master at the zone's SOA refresh interval, i.e. with the
  full delay again).

How to configure using UNIX® or Linux DNS

Configuration example on BIND/named DNS, on-premise DNS servers:

zone "customer.corp" in {
    type master;
    // ... existing options of your own zone
};

zone "hec.customer.corp" in {
    type slave;
    file "slave/hec.customer.corp.zone";
    masters { 192.168.100.252; 192.168.100.253; };
};

zone "primdc.hec.customer.corp" in {
    type slave;
    file "slave/primdc.hec.customer.corp.zone";
    masters { 192.168.100.252; 192.168.100.253; };
};

zone "secdc.hec.customer.corp" in {
    type slave;
    file "slave/secdc.hec.customer.corp.zone";
    masters { 192.168.100.252; 192.168.100.253; };
};

// the reverse zones 100.168.192.in-addr.arpa and 101.168.192.in-addr.arpa
// use the same "type slave" stanza with the same masters
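Because the firewall diagrams for this scenario are not reproduced here, the following Python is an added example (not SAP's code) that renders the on-premise secondary-zone stanzas above with two hardening options and lists the firewall flows the scenario needs. The HEC master addresses are the page's sample values; the on-premise server address 10.0.0.53 and the "allow-notify"/"allow-transfer" settings are assumptions about the customer side, not something SAP HEC requires.

```python
from typing import Dict, List

# Added example, not SAP's code: render the on-premise BIND stanzas for the
# zone-transfer scenario and list the firewall flows it needs.
HEC_MASTERS = ["192.168.100.252", "192.168.100.253"]  # sample HEC DNS addresses from the page
ONPREM_SECONDARIES = ["10.0.0.53"]                     # assumption: your internal DNS server


def slave_zone_stanza(zone: str, masters: List[str]) -> str:
    """Secondary zone that pulls from the HEC masters.
    allow-notify: BIND always accepts NOTIFY from the listed masters; naming them here
    makes every other source's NOTIFY be dropped instead of triggering refresh queries.
    allow-transfer none: nobody can download the whole HEC zone from your server; widen
    it to your own internal secondaries if they pull from this host.
    BIND 9.16+ also accepts 'type secondary' and 'primaries'; the old keywords still work."""
    ips = " ".join(f"{m};" for m in masters)
    return (
        f'zone "{zone}" in {{\n'
        f"    type slave;\n"
        f'    file "slave/{zone}.zone";\n'
        f"    masters {{ {ips} }};\n"
        f"    allow-notify {{ {ips} }};\n"
        f"    allow-transfer {{ none; }};\n"
        f"}};\n"
    )


def named_conf_fragment(zones: List[str], masters: List[str] = HEC_MASTERS) -> str:
    """One stanza per HEC zone, ready to be included from named.conf."""
    return "\n".join(slave_zone_stanza(z, masters) for z in zones)


def firewall_flows(hec: List[str], onprem: List[str]) -> List[Dict[str, object]]:
    """Flows the customer firewall must permit between the HEC masters and the
    on-premise secondaries. The inbound NOTIFY rule is the one the page calls
    'necessary for Notifier'; without it the secondary notices changes only when
    its SOA refresh timer fires. The transfers themselves are outbound and use TCP."""
    flows = []
    for h in hec:
        for o in onprem:
            flows += [
                {"src": h, "dst": o, "proto": "udp", "port": 53, "direction": "inbound",
                 "purpose": "DNS NOTIFY from HEC master"},
                {"src": o, "dst": h, "proto": "udp", "port": 53, "direction": "outbound",
                 "purpose": "SOA serial query"},
                {"src": o, "dst": h, "proto": "tcp", "port": 53, "direction": "outbound",
                 "purpose": "AXFR/IXFR zone transfer"},
            ]
    return flows


def inbound_rules(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The subset a restrictive perimeter usually objects to: HEC -> on-premise."""
    return [f for f in flows if f["direction"] == "inbound"]


if __name__ == "__main__":
    zones = ["hec.customer.corp", "primdc.hec.customer.corp", "secdc.hec.customer.corp",
             "100.168.192.in-addr.arpa", "101.168.192.in-addr.arpa"]
    print(named_conf_fragment(zones))
    for f in firewall_flows(HEC_MASTERS, ONPREM_SECONDARIES):
        print(f"{f['direction']:8} {f['src']} -> {f['dst']} {f['proto']}/{f['port']}  {f['purpose']}")
```

If the inbound UDP/53 rule cannot be opened, the scenario still works, but only at the SOA refresh interval; that is the case in which the page suggests conditional forwarding instead.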
Firewall Configuration

Diagram: DNS Zone Transfer (single datacenter) – firewall configuration
Diagram: DNS Zone Transfer, single DC with forward back to the customer's DNS – firewall configuration
Diagram: inbound connection from the HEC DNS servers to the on-premise DNS servers, necessary for NOTIFY
How to configure using MS® Windows DNS

Screenshots: configuration on the on-premise server (not reproduced)
DNS conditional Forward

Advantages:
• No incoming connections from the HEC DNS servers through the customer's firewall are necessary.
• This advantage only holds if no forward from HEC back to the customer is necessary.

Disadvantages:
• Forward cache delay on premise (the delay time can be configured on the customer's end).
• This may be a problem if you use a HEC Disaster Recovery scenario: a failover takes more time,
  hence SAP HEC cannot guarantee the full service level (SLA).
• Only limited status monitoring.

How to configure using UNIX® or Linux DNS

Configuration example on BIND/named DNS, on-premise DNS servers:

zone "customer.corp" in {
    type master;
    // ... existing options of your own zone
};

zone "hec.customer.corp" in {
    type forward;
    forward only;
    forwarders { 192.168.100.252; 192.168.100.253; };
};

zone "primdc.hec.customer.corp" in {
    type forward;
    forward only;
    forwarders { 192.168.100.252; 192.168.100.253; };
};

zone "secdc.hec.customer.corp" in {
    type forward;
    forward only;
    forwarders { 192.168.100.252; 192.168.100.253; };
};

// the reverse zones 100.168.192.in-addr.arpa and 101.168.192.in-addr.arpa
// use the same "type forward; forward only;" stanza with the same forwarders
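The practical difference between the two scenarios shows up in the SOA serial your internal DNS answers with. The following Python is an added example (not SAP's code): it parses SOA answers in "dig +noall +answer" format, compares serials with RFC 1982 wrap-around arithmetic, and reports the worst-case time until the on-premise answer is current for a zone transfer with NOTIFY, a zone transfer whose NOTIFY the firewall blocks, and a conditional forward. The two answer lines are constructed samples; the nameserver and mailbox names, the serials and the timers in them are assumptions, as is the presence of "dig" for the live helper, which the example does not call by default.

```python
import subprocess
from typing import NamedTuple, Tuple

# Added example, not SAP's code: compare the SOA serial your on-premise DNS answers
# with against the HEC master's and report how long the gap can last per scenario.
# Constructed sample answers in 'dig +noall +answer' format; names and values assumed.
MASTER_ANSWER = ("hec.customer.corp.\t3600\tIN\tSOA\tns1.primdc.hec.customer.corp. "
                 "hostmaster.hec.customer.corp. 2018061502 7200 900 1209600 3600")
ONPREM_ANSWER = ("hec.customer.corp.\t2710\tIN\tSOA\tns1.primdc.hec.customer.corp. "
                 "hostmaster.hec.customer.corp. 2018061501 7200 900 1209600 3600")


class SOA(NamedTuple):
    ttl: int        # remaining TTL as reported by the answering server (counts down on a cache)
    serial: int
    refresh: int
    retry: int
    expire: int


def parse_soa_answer(line: str) -> SOA:
    """Parse one 'dig +noall +answer' SOA line: owner ttl class type mname rname serial ..."""
    f = line.split()
    if len(f) != 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError(f"not a SOA answer line: {line!r}")
    return SOA(ttl=int(f[1]), serial=int(f[6]), refresh=int(f[7]),
               retry=int(f[8]), expire=int(f[9]))


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is newer than b, tolerating the 32-bit
    wrap-around (0 is newer than 4294967295). A plain a > b gets that case wrong."""
    a, b = a % 2**32, b % 2**32
    return a != b and ((a > b and a - b < 2**31) or (a < b and b - a > 2**31))


def staleness(master: SOA, onprem: SOA, mode: str) -> Tuple[str, int]:
    """(state, worst-case seconds until the on-premise answer is current).
    'transfer-notify':  NOTIFY reaches the secondary, it refreshes at once.
    'transfer-polling': NOTIFY blocked by the firewall, it waits for SOA refresh.
    'forward':          the forwarder serves its cache until the remaining TTL runs out."""
    if master.serial == onprem.serial:
        return ("in sync", 0)
    if serial_newer(onprem.serial, master.serial):
        return ("on-premise ahead of master: check which server you are really asking (NAT/view?)", 0)
    worst = {"transfer-notify": 0, "transfer-polling": master.refresh, "forward": onprem.ttl}
    return ("stale", worst[mode])


def dig_soa(zone: str, server: str) -> SOA:
    """Live query (needs dig; not run by default): dig +noall +answer SOA <zone> @<server>."""
    out = subprocess.run(["dig", "+noall", "+answer", "SOA", zone, f"@{server}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_soa_answer(out.strip().splitlines()[0])


if __name__ == "__main__":
    m, o = parse_soa_answer(MASTER_ANSWER), parse_soa_answer(ONPREM_ANSWER)
    for mode in ("transfer-notify", "transfer-polling", "forward"):
        print(f"{mode:17} {staleness(m, o, mode)}")
```

A forwarder whose SOA TTL counts down between two queries is serving its cache; a secondary keeps answering the full TTL but with a serial that lags until the next transfer. Either observation tells you which of the two delays a DR failover will hit.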
DNS Domain Delegation

Advantages:
• You can administer your HEC DNS delegation at a single point for all your company DNS servers.

Disadvantages:
• Each of your DNS servers and your client computers needs connectivity to the SAP HEC customer DNS servers.
• This may result in a lot of DNS traffic towards the HEC customer DNS servers and hence slower
  response times for your whole SAP HEC environment.
• The DNS cache TTL delay is long here. This may be a problem if you use a HEC Disaster Recovery
  scenario: a failover takes more time, hence SAP HEC cannot guarantee the full service level (SLA).
• The number of DNS clients is limited to 1000 on each HEC customer DNS server by default.

For help on how to configure this in your Windows DNS environment please refer to:
http://technet.microsoft.com/en-us/library/cc771640.aspx

You can also find a how-to video for DNS delegation in a Windows environment here:
https://www.windows-server-2012-r2.com/dns-zone-delegation.html

Domain delegation is also possible in a UNIX® or Linux DNS environment on the customer's end. In your
parent zone (your internal top level DNS domain) add NS records for each zone you want to delegate to SAP
HEC, pointing at the HEC customer DNS servers, and place these HEC customer DNS servers as A records
(glue) in the same parent zone. Do not create the delegated names as master zones on your own servers:
a server that is authoritative for a zone answers from its own data and does not follow NS records to
HEC.
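The following Python is an added example (not SAP's code): it generates the parent-zone delegation records just described for a BIND zone file and checks an existing parent zone for NS targets that lack their glue A record, the mistake that makes a delegation silently unresolvable. The HEC nameserver hostnames ns1/ns2.hec.customer.corp and the sample parent-zone fragment are assumptions; the addresses are the page's sample values.

```python
from typing import Dict, List

# Added example, not SAP's code: build the delegation described above for a BIND
# parent zone and check an existing parent zone file for missing glue. The HEC
# customer DNS server names are assumptions; their addresses are the page's samples.
HEC_NS = {"ns1.hec.customer.corp": "192.168.100.252",
          "ns2.hec.customer.corp": "192.168.100.253"}


def in_bailiwick(host: str, zone: str) -> bool:
    """True if host equals zone or lies below it."""
    host, zone = host.rstrip(".").lower(), zone.rstrip(".").lower()
    return host == zone or host.endswith("." + zone)


def delegation_records(parent: str, child: str, ns: Dict[str, str]) -> List[str]:
    """Lines to add to the PARENT zone file (customer.corp) delegating CHILD
    (hec.customer.corp) to HEC. Glue A records are required for every NS name
    that lies inside the parent, otherwise a resolver following the NS record has
    no way to learn the address of the server it is being sent to."""
    if not in_bailiwick(child, parent) or child == parent:
        raise ValueError(f"{child} is not below {parent}")
    lines = [f"{child}.\tIN\tNS\t{host}." for host in ns]
    lines += [f"{host}.\tIN\tA\t{ip}" for host, ip in ns.items() if in_bailiwick(host, parent)]
    return lines


def missing_glue(parent: str, zone_text: str) -> List[str]:
    """NS targets inside PARENT that have no A record in the zone text (one RR per line,
    fully qualified names, comments after ';' ignored)."""
    ns_targets, a_owners = set(), set()
    for raw in zone_text.splitlines():
        f = raw.split(";")[0].split()
        if len(f) < 4:
            continue
        if f[-2] == "NS":
            ns_targets.add(f[-1].rstrip(".").lower())
        elif f[-2] == "A":
            a_owners.add(f[0].rstrip(".").lower())
    return sorted(t for t in ns_targets if in_bailiwick(t, parent) and t not in a_owners)


# Constructed parent-zone fragment: the second HEC nameserver lacks its glue record.
PARENT_ZONE_SAMPLE = """\
hec.customer.corp.      IN NS   ns1.hec.customer.corp.
hec.customer.corp.      IN NS   ns2.hec.customer.corp.   ; glue for this one is missing
ns1.hec.customer.corp.  IN A    192.168.100.252
"""

if __name__ == "__main__":
    print("\n".join(delegation_records("customer.corp", "hec.customer.corp", HEC_NS)))
    print("missing glue:", missing_glue("customer.corp", PARENT_ZONE_SAMPLE))
```

With a missing glue record the delegation works only as long as the resolver can reach the other nameserver; once ns1 is down (for example during a DR failover) every lookup under hec.customer.corp fails, which is hard to diagnose because the NS records themselves look correct.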

SAP HEC does not recommend DNS domain delegation on the customer's end for the SAP HEC environment.



Special DNS Features and Requirements

DNSSEC:
SAP HEC can provide DNSSEC, which signs the zone data so that resolvers can verify its authenticity and
integrity. This is not a standard feature of the SAP HEC product portfolio. If you have a VPN connection to
SAP HEC, keep in mind that this DNS traffic is already encrypted and protected by the VPN.

DNS TSIG:
SAP HEC can provide DNS TSIG, which authenticates zone transfers and NOTIFY messages between the DNS
servers with a shared secret. This is not a standard feature of the SAP HEC product portfolio. If you have a
VPN connection to SAP HEC, keep in mind that this DNS traffic is already encrypted and protected by the VPN.
DNS TSIG is not compatible with MS® Windows DNS.

DNS6:
SAP HEC does not provide DNS6 (DNS for IPv6).

DNS Views and Network Address Translation (NAT):

SAP HEC is able to set up manually maintained DNS views for its customers. This is not a standard feature of
the SAP HEC product portfolio. It is sometimes necessary if there is NAT between the customer's DNS and the
SAP HEC customer DNS. But most NAT devices provide this functionality themselves (a DNS application layer
gateway that also translates the addresses inside the DNS traffic), which makes special DNS views at SAP HEC
and on the customer's end unnecessary. Note that such address rewriting changes the DNS messages and
therefore cannot be combined with TSIG-signed transfers or DNSSEC-signed data. DNS zone transfer may be
difficult to achieve over NAT in some cases, but conditional DNS forward using multiple DNS views is possible
under most circumstances.

