Active/DR DNS Deploy | Best practice
Hello whisperer,
Thanks for your reply, but transferring the zones to the F5 DNS is not in play right now, so I have to use the same conditions that I already have at the active site.
Just to be clear, are you load balancing DNS using the LTM module, or using the DNS module for GSLB and DNS screening or hosting? I will give some guidance for both scenarios:
- LTM: Just keep the respective VS or pool members disabled. Manually bring them up.
- GTM: The easiest way is upstream DNS records. Delegate only to the Production GTM listener, and if you need to fail over, then modify this configuration to delegate to DR instead. Although, I think you mentioned the DR F5 doesn't have the GTM/DNS module provisioned?
Finally, remember GTM uses a component of LTM under the hood. If you want to delegate to BOTH, but only receive responses from Production, then just manually down the LTM VIP used as the GTM/DNS listener. You can always enable it during the DR recovery procedure.
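Whisperer's "upstream DNS records" option, shown as an added illustration that is not part of the thread: in the parent zone, the NS delegation for the child name lists only the production listener during normal operation, and the DR entry is swapped in only as part of the failover procedure. Zone names, hostnames and addresses below are placeholders.

```zone
; Parent zone example.com. (placeholder names and RFC 5737 addresses, not from the thread)

; Normal operation: delegation points at the production listener only.
app.example.com.        300  IN  NS  ns-prod.example.com.
ns-prod.example.com.    300  IN  A   192.0.2.10

; The DR nameserver exists, but is deliberately NOT in the NS set,
; so no resolver is ever told to ask it while production is up.
; ns-dr.example.com.    300  IN  A   198.51.100.10

; Failover: replace the delegation with the DR listener (and its glue).
; app.example.com.      300  IN  NS  ns-dr.example.com.
; ns-dr.example.com.    300  IN  A   198.51.100.10
```

Keep the TTL on the NS and glue records short: resolvers cache the delegation for the TTL, so a long TTL (hours) means they keep sending queries to the old server for that long after the swap. If instead both listeners stay delegated and the DR VIP is simply down, resolvers that pick the DR server get no answer and retry another NS, which costs a timeout per attempt rather than a wrong answer.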
- escman, Jun 07, 2023, Cirrus
My main question is about building the Primary DNS (which holds the authority for most zones and is not an F5) at the DR site. When the Primary DNS nameserver that will be positioned at the DR site is registered as a nameserver for zones not delegated to F5, it will receive queries, which I would not like to happen, because the prerequisite is not to send any traffic to the DR site while the active site is operational.
- whisperer, Jun 07, 2023, MVP
So in DR the F5 is not in play. The DNS server in question is external to the F5. You could block with firewall or switch-level ACLs, you could put the DNS server behind the F5 and control access by bringing the associated Virtual Server you create up or down, or just architect this more cleanly. It really sounds like Production and DR are configured very differently.
You may need to provide an architectural diagram if we are still not understanding your use case.
- escman, Jun 07, 2023, Cirrus
When I dig a domain, I get these nameservers:

dig @8.8.8.8 www.abc.com ns

; <<>> DiG 9.11.36 <<>> @8.8.8.8 www.abc.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42510
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.abc.com. IN NS

;; ANSWER SECTION:
www.abc.com. 300 IN CNAME d2iwv1xxkqpmiz.cloudfront.net.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-1231.awsdns-25.org.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-1630.awsdns-11.co.uk.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-194.awsdns-24.com.
d2iwv1xxkqpmiz.cloudfront.net. 21600 IN NS ns-760.awsdns-31.net.

So I get 4 nameservers that can answer as authoritative for www.abc.com.
As far as I understand, the OS will pick a random nameserver (which could be the DR primary DNS) and then try to get the IP for the requested domain, and I want to avoid that. So I want to disable the nameservers hosted at the DR site, or force them not to reply as authoritative, while the Active site is up.
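The check escman is after, which of the nameservers in an NS set actually answer authoritatively for a name, can be scripted around dig. The script below is an added example and is not code from the thread or from F5; it assumes BIND's dig is installed and that the zone and name you pass are the ones you want to test. An authoritative server answers with status NOERROR and the aa flag set in the header; a server that is not authoritative (or has been deliberately taken out of service for the zone) answers REFUSED or SERVFAIL, or answers without aa. The sample header lines at the bottom are constructed, not captured, so the parsing can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Requires BIND's dig for the live check.

# Returns 0 when the dig output read from stdin is an authoritative answer:
# status NOERROR in the header and the 'aa' flag set on the flags line.
dig_output_is_authoritative() {
  local out
  out=$(cat)
  printf '%s\n' "$out" | grep -Eq '^;; ->>HEADER<<- .*status: NOERROR' || return 1
  printf '%s\n' "$out" | grep -Eq '^;; flags:[^;]* aa[ ;]' || return 1
}

# Prints the NS target names (trailing dot stripped) from dig answer lines
# of the form "<owner> <ttl> IN NS <target>." read from stdin.
extract_ns() {
  awk '$4 == "NS" { sub(/\.$/, "", $5); print $5 }'
}

# Live check (needs network): fetch the NS set of zone $1, then ask each
# listed server for name $2 (default: the zone apex) with recursion disabled,
# so only a server that is authoritative can return a proper answer.
# Usage: check_zone_ns example.com www.example.com
check_zone_ns() {
  local zone=$1 name=${2:-$1} ns
  for ns in $(dig +noall +answer NS "$zone" | extract_ns); do
    if dig +norecurse @"$ns" "$name" A | dig_output_is_authoritative; then
      echo "$ns: authoritative for $name"
    else
      echo "$ns: does NOT answer authoritatively for $name"
    fi
  done
}

# Constructed sample headers (not real captures) for an offline run.
SAMPLE_AA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
```

Run `check_zone_ns <zone> <name>` against the NS set from the dig output above to see, per server, whether it answers with aa. A DR nameserver that has been firewalled, or whose listener VIP is down, shows up as not answering at all, and resolvers then move on to the next NS; a server that is up but not configured for the zone shows up as REFUSED.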