Forum Discussion

Moonlit
Jul 15, 2024

Any way to do DNS loadbalancing without BIG-IP DNS module?

Hi,

In our environment we have a number of domain controllers which act as DNS servers for everything internally.
Now, we have one specific type of client that is only able to be configured with a single IP address for its DNS server and this causes problems when a DNS server is down for maintenance.

We run BIG-IP VE v16.1.4 with LTM, but not DNS, provisioned.

I'd like to solve this without provisioning the BIG-IP DNS module in this particular instance, by doing this:
1. Creating a new Stateless VS to receive DNS queries on port 53/udp
2. Assigning a UDP protocol profile with "datagram" enabled (so it LBs every single packet) to the VS
3. Creating a pool of DNS servers
4. Creating an internal DNS record that will be used to check that a DNS server responds with the correct RR.
5. Assigning a "DNS" monitor to the pool and configuring it to check service status by sending a DNS query for the RR I created and seeing if the response is correct.

However, the "DNS" monitor puts every server in the DOWN state. By using tcpdump on the BIG-IP VE I can see that the BIG-IP does not send any DNS query packets from this monitor to the DNS servers in the pool.
I see a lot of other DNS queries from the BIG-IP (the servers in question are also the DNS servers for the BIG-IP).

SO - should it even be possible to create a normal LTM pool containing DNS servers and have the BIG-IP monitor the service state of each member using the "DNS" monitor?

  • Moonlit
    Jul 17, 2024

    So yes, there was an L3 problem - which was that I chose the wrong interface on the BIG-IP VE to monitor traffic. Turned out the monitor packets were sent on the management interface because of a routing thing I just happened to remember.

    Anyway: PROBLEM SOLVED. In order to monitor a DNS server by sending a query and checking for a correct response, I did it the hard way by hand-crafting the packets sent to replicate the bytestring as seen when doing a manual DNS lookup, through dumping the packet.

    In the "Send string" field you can enter individual bytes by prefixing the hex value with "\x", so I copied the DNS header (including transaction id, query number etc) plus the actual query, converted it to \x format and put it in the Send string field.
    In the Receive string field I entered just the ASCII IP address which I knew the correct query would result in if the server is healthy.
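    A worked version of the hand-crafted approach described in this post, added here as an example and not part of the original thread or of any F5 tooling. It builds the wire-format A query for a check record, renders it as the `\x`-escaped string the monitor's Send String field accepts, and parses a response the same way a stricter health check would (transaction id, RCODE, and the A record rdata). Because the A record's rdata is four binary bytes on the wire, the helper also renders the expected answer in `\x` form for the Receive String field. The record name `dnscheck.example.internal`, the address `10.0.0.53`, the transaction id `0x1234` and the sample response bytes are all constructed for this example.

    ```python
    import struct
    import ipaddress

    # Constructed values for this example (not from the thread): the check record
    # and the address it is expected to resolve to.
    CHECK_NAME = "dnscheck.example.internal"
    EXPECTED_IP = "10.0.0.53"
    TXID = 0x1234


    def encode_name(name: str) -> bytes:
        """Encode a hostname as DNS labels (length-prefixed, NUL terminated)."""
        labels = name.rstrip(".").split(".")
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


    def build_dns_query(name: str, txid: int = TXID) -> bytes:
        """Build a standard A/IN query: 12-byte header + one question."""
        # flags 0x0100 = standard query, recursion desired; 1 question, no answers
        header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
        return header + question


    def to_monitor_string(data: bytes) -> str:
        """Render bytes as \\xHH escapes for the monitor Send/Receive String fields."""
        return "".join(f"\\x{b:02x}" for b in data)


    def skip_name(msg: bytes, offset: int) -> int:
        """Return the offset just past a (possibly compressed) name at offset."""
        while True:
            length = msg[offset]
            if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
                return offset + 2
            if length == 0:                # root label terminates the name
                return offset + 1
            offset += 1 + length


    def parse_a_records(response: bytes, txid: int) -> list[str]:
        """Return the A record addresses in a response, or [] if it is not a clean answer."""
        if len(response) < 12:
            return []
        rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
        # Reject a mismatched transaction id, anything that is not a response (QR=0),
        # and any non-zero RCODE (NXDOMAIN, SERVFAIL, REFUSED, ...)
        if rid != txid or not flags & 0x8000 or flags & 0x000F:
            return []
        off = 12
        for _ in range(qd):                # step over the echoed question section
            off = skip_name(response, off) + 4
        addrs = []
        for _ in range(an):
            off = skip_name(response, off)
            rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
            off += 10
            rdata = response[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addrs.append(str(ipaddress.IPv4Address(rdata)))
        return addrs


    def check_response(response: bytes, txid: int, expected_ip: str) -> bool:
        """Health check: does the server return the expected address for the check record?"""
        return expected_ip in parse_a_records(response, txid)


    # Constructed sample response (what a healthy server would send back):
    # header with QR, RD, RA set and RCODE 0; the question echoed; one A answer
    # whose name is a pointer (0xc00c) to the question name, TTL 300, rdata 10.0.0.53.
    SAMPLE_RESPONSE = (
        struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
        + encode_name(CHECK_NAME) + struct.pack(">HH", 1, 1)
        + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        + ipaddress.IPv4Address(EXPECTED_IP).packed
    )

    if __name__ == "__main__":
        query = build_dns_query(CHECK_NAME)
        print("Send String:   ", to_monitor_string(query))
        print("Receive String:", to_monitor_string(ipaddress.IPv4Address(EXPECTED_IP).packed))
        print("Healthy:", check_response(SAMPLE_RESPONSE, TXID, EXPECTED_IP))
    ```

    The monitor itself only does a substring match of the Receive String against whatever comes back, so it will also pass if the expected four bytes happen to appear elsewhere in the reply; `parse_a_records` is stricter in that it checks the transaction id and RCODE and only reads addresses out of A records in the answer section. Keeping the transaction id fixed in the Send String is what makes the reply bytes predictable for a static Receive String.
    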


  • You probably have a network layer problem.

    Have you tried other monitor types such as udp or icmp/ping to ensure there is no network layer problem?

    • Moonlit

      Thank you for replying! Yes, I've added the built-in "gateway_icmp" monitor and it works fine.
      I'm thinking that the "dns" type of a Monitor object is not meant for monitoring just any node but that it might instead be a part of the GTM/DNS module, which we have not provisioned (and we don't want to).

      We did manage to set up a new VS (Fast/Performance L4) and pool by reading an archived guide and following the section for "Basic Stateful UDP traffic management":
      https://www.f5.com/pdf/deployment-guides/dns-load-balancing-dg.pdf

      The only thing lacking now is a monitor that can actually test DNS functionality. It's probably possible to set it up by using a UDP monitor and entering the request/response strings necessary, but something about that seems a bit off to me.

      I'd like to know if a monitor of type "DNS" is supposed to be used to monitor just any node that is configured with port 53/udp and, if so, why the BIG-IP VE doesn't send any DNS udp packets to the pool members but instead just flags the nodes as Down.

      EDIT: I now learned that the default "udp" monitor (with no strings configured) is able to tell if a server is listening on 53/udp or not, so I'm using that instead of "gateway_icmp". That should be good enough for our purposes.

      • zamroni777

        The DNS monitor doesn't have such a limitation.

        You should try the UDP monitor with any send string.
        If you don't see the traffic in the tcpdump, then very likely there is an L3/L4 config problem.