Forum Discussion

escman
Jun 06, 2023

Active/DR DNS Deploy | Best practice

We are planning the integration between two F5 DNS in an Active/DR environment. The DNS of the active site is fully built; on the DR site there is no Primary DNS and no active DNS module in F5.

I understand that for domains/zones delegated to F5, IP resolution for DNS queries is not a problem, because I can count on several load-balancing methods (Global Availability, Ratio, Virtual Server Score, etc.).

However, the vast majority of zones/domains are on a primary BIND nameserver, which will also be built in the DR datacenter to allow queries through its nameserver.

The DR datacenter should not receive any kind of DNS traffic while the active datacenter is available (including queries to the nameservers), and the reverse is also valid.

For this type of deployment, I would like to understand the best practices for preventing the Primary DNS hosted in the DR datacenter from receiving DNS queries while the Active datacenter is operational.

I've considered creating conditional firewall rules for both sites, but I'm not sure it's the most elegant solution. I also want to know whether, when the nameserver query is rejected/dropped, the next available nameserver will be consulted (if the DNS query goes to the DR Primary DNS and then gets dropped, will it also go to the next available nameserver, the Active Primary DNS?).

  • Why don't you use BIND as an authoritative stealth name server, and then transfer the DNS zones into the F5 GTMs using DNS Express? The F5s will respond to the queries and hide the master. If you have both GTMs in the same sync group, then both Prod and DR will have the same records and be ready for use.

    • escman

      Hello whisperer,

      Thanks for your reply, but transferring the zones to the F5 DNS is not in play right now, so I have to use the same conditions that I already have at the active site.

      • Just to be clear, are you load balancing DNS using the LTM module, or using the DNS module for GSLB and DNS screening or hosting? I will give some guidance for both scenarios:

        - LTM: Just keep the respective VS or pool members disabled. Manually bring them up.

        - GTM: The easiest way is upstream DNS records. Delegate only to the Production GTM listener, and if you need to fail over, then modify this configuration to delegate to DR instead. Although, I think you mentioned the DR F5 doesn't have the GTM/DNS module provisioned?

        Finally, remember GTM uses a component of LTM under the hood. If you want to delegate to BOTH, but just receive responses from Production, then just manually down the LTM VIP used as the GTM/DNS listener. You can always enable it during DR recovery procedure.
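The "keep the VS or pool members disabled and bring them up manually" procedure from the reply above, written out as a small shell helper. This is an added example, not code from the thread or from F5: the object names (virtual server vs_dns_listener_53 as the DNS listener, pool pool_bind_primary, member 10.10.10.53:53) are hypothetical, and the script defaults to a dry run that only prints the tmsh commands so they can be reviewed before touching a box.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): put one site's DNS path into
# "active" or "standby" by enabling/disabling the LTM listener VS and the BIND
# pool member, exactly as the reply above suggests doing by hand.
#
# Assumed (hypothetical) object names, override via environment if needed:
#   DNS_VS      - LTM virtual server used as the DNS/GTM listener on :53
#   BIND_POOL   - LTM pool in front of this site's primary BIND server
#   BIND_MEMBER - that BIND server as a pool member (ip:port)
DNS_VS="${DNS_VS:-vs_dns_listener_53}"
BIND_POOL="${BIND_POOL:-pool_bind_primary}"
BIND_MEMBER="${BIND_MEMBER:-10.10.10.53:53}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the tmsh commands; set to 0 to apply

# Print the tmsh commands (one per line) that put this site into the role.
# standby: disable the listener VS so it stops accepting queries, then
#          session-disable the BIND member so the pool sends it no new traffic.
# active:  the reverse, member first so the VS never comes up with an empty pool.
site_commands() {
  case "$1" in
    standby)
      printf '%s\n' \
        "modify ltm virtual $DNS_VS disabled" \
        "modify ltm pool $BIND_POOL members modify { $BIND_MEMBER { session user-disabled } }"
      ;;
    active)
      printf '%s\n' \
        "modify ltm pool $BIND_POOL members modify { $BIND_MEMBER { session user-enabled } }" \
        "modify ltm virtual $DNS_VS enabled"
      ;;
    *)
      printf 'unknown role: %s (use active|standby)\n' "$1" >&2
      return 2
      ;;
  esac
}

# Run each command from site_commands: echo it in dry-run mode, otherwise hand
# the tokens to tmsh and stop at the first failure (exit in the pipeline
# subshell makes the whole pipeline, and so this function, return non-zero).
apply_role() {
  site_commands "$1" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then
      printf 'tmsh %s\n' "$cmd"
    else
      # word splitting is intended: tmsh takes the command as separate tokens
      tmsh $cmd || { printf 'failed: tmsh %s\n' "$cmd" >&2; exit 1; }
    fi
  done
}

# State check to run after a role change: the VS should show enabled/disabled
# as expected and the member's session state should match.
show_state() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'tmsh list ltm virtual %s\n' "$DNS_VS"
    printf 'tmsh list ltm pool %s\n' "$BIND_POOL"
  else
    tmsh list ltm virtual "$DNS_VS"
    tmsh list ltm pool "$BIND_POOL"
  fi
}

# Usage: ./dns_site_role.sh standby        (dry run, prints the commands)
#        DRY_RUN=0 ./dns_site_role.sh active  (applies them on the DR box)
if [ $# -gt 0 ]; then
  apply_role "$1" && show_state
fi
```

Run it with the DR site's names and role standby on a normal day, and the same script with role active during the DR procedure; the GTM "upstream delegation" option from the reply is a change to the NS records in the parent zone and is not something this script touches.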