Forum Discussion

Moonlit's avatar
Moonlit
Icon for Cirrus rankCirrus
Jul 15, 2024

Any way to do DNS loadbalancing without BIG-IP DNS module?

Hi, In our environment we have a number of domain controllers which act as DNS servers for everything internally. Now, we have one specific type of client that is only able to be configured with ...
dns
LTM VE
monitors
  • Moonlit's avatar
    Moonlit
    Jul 17, 2024

    So yes, there was a L3 problem - which was that I chose the wrong interface on the BIG-IP VE to monitor traffic. Turned out the monitor packets were sent on the management interface because of a routing thing I just happened to remember.

    Anyway: PROBLEM SOLVED. In order to monitor a DNS server by sending a query and checking for a correct response, I did it the hard way by hand-crafting the packets sent to replicate the bytestring as seen when doing a manual DNS lookup, through dumping the packet.

    In the "Send string" field you can enter individual bytes by prefixing the hex value with "\x", so I copied the DNS header (including transaction id, query number etc) plus the actual query, converted it to \x format and put it in the Send string field.
    In the Receive string field I entered just the ASCII IP address which I knew the correct query would result in if the server is healthy.

     

Moonlit's avatar
Moonlit
Icon for Cirrus rankCirrus

Thank you for replying! Yes, I've added the built-in "gateway_icmp" monitor and it works fine.
I'm thinking that the "dns" type of a Monitor object is not meant for monitoring just any node but that it might instead be a part of the GTM/DNS module, which we have not provisioned (and we don't want to). 

We did manage to set up a new VS (Fast/Performance L4) and pool by reading an archived guide and following the section for "Basic Stateful UDP traffic management":
https://www.f5.com/pdf/deployment-guides/dns-load-balancing-dg.pdf

The only thing lacking now is a monitor that can actually test DNS functionality. It's probably possible to set it up by using a UDP monitor and entering the request/response strings necessary, but something about that seems a bit off to me.

I'd like to know if a monitor of type "DNS" is supposed to be used to monitor just any node that is configured with port 53/udp and, if so, why the BIG-IP VE doesn't send any DNS udp packets to the pool members but instead just flags the nodes as Down.

EDIT: I now learned that the default "udp" monitor (with no strings configured) is able to tell if a server is listening on 53/udp or not, so I'm using that instead of "gateway_icmp". That should be good enough for our purposes.

zamroni777's avatar
zamroni777
Icon for Nacreous rankNacreous
Jul 16, 2024

the dns monitor doesnt have such limitation.

you should try udp monitor with any send string.
if you dont see the trafic in the tcpdump, then very likely there is L3/L4 config problem.

  • Moonlit's avatar
    Moonlit
    Icon for Cirrus rankCirrus
    Jul 17, 2024

    So yes, there was a L3 problem - which was that I chose the wrong interface on the BIG-IP VE to monitor traffic. Turned out the monitor packets were sent on the management interface because of a routing thing I just happened to remember.

    Anyway: PROBLEM SOLVED. In order to monitor a DNS server by sending a query and checking for a correct response, I did it the hard way by hand-crafting the packets sent to replicate the bytestring as seen when doing a manual DNS lookup, through dumping the packet.

    In the "Send string" field you can enter individual bytes by prefixing the hex value with "\x", so I copied the DNS header (including transaction id, query number etc) plus the actual query, converted it to \x format and put it in the Send string field.
    In the Receive string field I entered just the ASCII IP address which I knew the correct query would result in if the server is healthy.

     

    • JoseLabra's avatar
      JoseLabra
      Icon for MVP rankMVP
      Jul 17, 2024

      Hiii how r u?

      Thx for provide the solution for the issue.

      Regards!