Forum Discussion
CirrusActive/DR DNS Deploy | Best practice
CirrusHello whisperer,
Thanks for your reply, but transfer the zones to the F5 DNS is not at play right now so I have to use the same conditions that I already has at the active site..
MVPJust to be clear, are you lord balancing DNS using LTM module, or using DNS module for GSLB and DNS screening or hosting? I will give some guidance for both scenarios:
- LTM: Just keep the respective VS or pool members disabled. Manually bring them up.
- GTM: Easiest way is upstream DNS records. Delegate to only Production GTM listener, and if you need to failover, the. modify this configuration to delegate to DR instead. Although, think you mention the DR F5 doesn't have the GTM/DNS module provisioned?
Finally, remember GTM uses a component of LTM under the hood. If you want to delegate to BOTH, but just receive responses from Production, then just manually down the LTM VIP used as the GTM/DNS listener. You can always enable it during DR recovery procedure.
- escman
My main question is about building the Primary DNS (which contains the authority for most zones and is not an F5) on the DR site. When the Primary DNS nameserver that will be positioned on the DR site is registered as a nameserver for zones not delegated to F5, it will receive queries that I would not like to happen because the prerequisite is not to send any traffic to the DR site while the active site is operational.
- whisperer
So in DR the F5 is not in play. The DNS server in question is external to the F5. You could block with firewall or switch level ACLs, you can put the DNS server behind the F5 and control access via up/down the associated Virtual Server you create, or just architect this more cleanly. Really sounds like Production and DR are configured way differently.
You may need to provide an architectural diagram if we are still not understanding your use case.
- escman
When I dig a domain, I got these nameservers:
dig @8.8.8.8 www.abc.com ns
; <<>> DiG 9.11.36 <<>> @8.8.8.8 www.abc.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42510
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.abc.com. IN NS;; ANSWER SECTION:
www.abc.com. 300 IN CNAME d2iwv1xxkqpmiz.cloudfront.net.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-1231.awsdns-25.org.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-1630.awsdns-11.co.uk.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-194.awsdns-24.com.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-760.awsdns-31.net.So I got 4 nameservers that can answer as authoritative for www.abc.com
As far I understand, the OS will pick up an random nameserver (could be the DR primary DNS) and then try to get the IP for the requested domain, and I want to avoid it. So I want to disable or force the nameservers hosted at the DR site to no reply as authoritative while the Active site is up.
