i have GTMs set up for authoritative screening for internal DNS queries. clients have the pri and sec dns settings pointing to GTM listeners. Problem encountered is when a client joins the AD domain. It can not. If I change client dns to ad\dns servers, client can join domain without issue. the zone exists on the GTM. trying to determine if a srv record needs to be created. am i missing a step here?

In your GTM pool config, are your members the actual AD servers or virtual servers on an LTM that load balances across your AD servers? When you say the zone exists on the GTM, does that mean you created the zone within ZoneRunner? Or created a DNSSEC zone for it? Or both?

yes there is a pool to LB the dns queries that aren't matched by a WIP. yes in zonerunner the zone exists. not using dnssec.

You may not need the pool at all. If the zone that you define within ZoneRunner is a forward zone, and you specify the two AD server IP addresses as the forwarders, then any non-wide IP queries for that zone should be forwarded to the AD servers.

when the WIP is created it creates the zone as master. I would have to delete and re-create the zone as a forwarder. However per the deployment guide for screening the creation of a pool to LB non WIP queries is created and assigned to the listener. So I have to think this is best practice.... the stats indicate queries are getting to sent to the servers.

I'd recommend running a tcpdump on your GTM to help isolate what the problem may be. If the setup is working properly, you'll see GTM sending DNS queries to your pool members. Could be that responses aren't coming back for whatever reason.

Authoritative Screening

22 Replies

steve_88008
Nimbostratus
Sep 08, 2014
i see a response from the GTM back to the client with the SRV records.
Cory_50405
Noctilucent
Sep 08, 2014
But the client isn't receiving the response? This could be due to some device in between performing DNS packet inspection and dropping the response if the packet size exceeds a certain value, or not allowing certain query types. Any firewalls in the data path between your GTM and the client?
steve_88008
Nimbostratus
Sep 08, 2014
i thought that at first as well. I fired up wireshark and reviewed. wireshark showed the response being returned to the client as well.

the odd thing is if I back up one level SRV records are returned. its only with there is sub domain.

returns SRV records nslookup ->set type=all ->_ldap._tcp.dc._msdcs.abc123.local

returns no srv records, nslookup ->set type=all ->_ldap._tcp.dc._msdcs.test.abc123.local
- Cory_50405
  Noctilucent
  Sep 08, 2014
  But these test.abc123.local queries directly against AD are working? When looking at a tcpdump on the GTM, do you notice any difference between responses returned to the client for _ldap._tcp.dc._msdcs.abc123.local vs. _ldap._tcp.dc._msdcs.test.abc123.local?
steve_88008
Nimbostratus
Sep 08, 2014
yes against AD they work. no difference in captures between domains via the GTM...
Cory_50405
Noctilucent
Sep 08, 2014
If you run a Wireshark capture on the client, do you notice any difference in the queries there?
steve_88008
Nimbostratus
Sep 08, 2014
nope.
Cory_50405
Noctilucent
Sep 08, 2014
So the communications appear to be working as intended (client to GTM, GTM to AD) as far I can tell. The unspecified error is being presented by which application?
steve_88008
Nimbostratus
Sep 08, 2014
this was discovered when joining a host to the domain. nslookup was used to discover srv were not being returned...
steve_88008
Nimbostratus
Sep 11, 2014
so... two things..

someone changed the dns profile i had assigned to the listeners
source address was not enabled on the dns TCP VIP
steve_88008
Nimbostratus
Sep 11, 2014
its resolved..

Forum Discussion

Authoritative Screening

22 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

dns transparent cache as authoritative?

Directed DDoS Attacks as Screens

GTM as Authoritative DNS

BIG-IP DNS - Response to SRV request in Authoritative screening mode?

Windows APM 7.2.2 - blue screens?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS