Forum Discussion

escman's avatar
Icon for Cirrus rankCirrus
Jun 06, 2023

Active/DR DNS Deploy | Best practice

We are planning the integration between two F5 DNS in an Active/DR environment. The DNS of the active site is fully built, on the DR site there is no Primary DNS  and no active DNS module in F5.

I understand that for domains/zones delegated to F5, IP resolutions for DNS query is not a problem because I can count on several balancing methods (Global Availability/Ratio/Virtual Server Score and etc...).

However, the vast majority of zones/domains are on a primary BIND nameserver, which will also be built into the DR datacenter to allow queries through its nameserver.

The DR datacenter should not receive any kind of DNS traffic while the active datacenter is available (including queries to the nameservers), and the reverse is also valid.

For this type of deploy, I would like to understand best practices to prevent the Primary DNS hosted in the DR datacenter from receiving DNS queries while the Active datacenter is operational.

I've considered conditional firewall rule creations for both sites, but I'm not sure it's the most elegant solution, and also know if when the nameserver query is rejected/dropped, the next available nameserver will be consulted (if the dns query goes to the Primary DNS DR and then got dropped will  also go to the next nameserver available Primary DNS Active)

6 Replies

  • Why don't you use BIND as an authoritative stealth name server, and then xfer the DNS zones into the F5 GTMs using DNS Express. The F5s will respond to the queries and hide the master. If you have both GTMs part of the same sync group, the. both Prod and DR will have the same records and be ready for use.

    • escman's avatar
      Icon for Cirrus rankCirrus

      Hello whisperer,

      Thanks for your reply, but transfer the zones to the F5 DNS is not at play right now so I have to use the same conditions that I already has at the active site..

      • Just to be clear, are you lord balancing DNS using LTM module, or using DNS module for GSLB and DNS screening or hosting? I will give some guidance for both scenarios:

        - LTM: Just keep the respective VS or pool members disabled. Manually bring them up.

        - GTM: Easiest way is upstream DNS records. Delegate to only Production GTM listener, and if you need to failover, the. modify this configuration to delegate to DR instead. Although, think you mention the DR F5 doesn't have the GTM/DNS module provisioned? 

        Finally, remember GTM uses a component of LTM under the hood. If you want to delegate to BOTH, but just receive responses from Production, then just manually down the LTM VIP used as the GTM/DNS listener. You can always enable it during DR recovery procedure.