Forum Discussion
Can BIG-IP DNS recurse only for my domain?
Hi
We are using F5 DNS as our DNS server and have many CNAME records.
We want to query those CNAME records and get an IP address as the result too (which we solved by enabling "recursion yes;" in the named configuration).
But we found a problem: our F5 DNS performs recursion on EVERY domain a client asks for (e.g. f5.com, nginx.com, etc.).
We want F5 DNS to answer queries only for the domains we handle (many domains in ZoneRunner and GSLB).
How can we do that?
Is it possible? Because "recursion yes;" is configured in the named configuration, I think it is a global setting, and "allow-recursion {}" only checks the client IP address (it does not check whether the domain is one we handle).
Thank you
- kridsanaCirrocumulus
Is there a way to create an iRule to check whether a DNS query is for a zone we handle or not?
If it is our zone > use a DNS profile in which "Process Recursion Desired" is enabled (the default)
If it is not our zone > use a DNS profile in which "Process Recursion Desired" is disabled
But the problem is that many CNAMEs resolve to the cloud (for example www.ourzone.com IN CNAME abcw123s.cloudflare.com.)
When we query www.ourzone.com, F5 will use the DNS profile with recursion enabled. But when F5 tries to recurse to find the IP of that CNAME target (abcw123s.cloudflare.com.), which DNS profile will it use?
- zamroni777Nacreous
As you set F5 DNS as the clients' DNS server, it is common/usual behavior that such intranet DNS servers do recursion.
If not, then each client would have to query internet name servers itself.
DNS servers also cache DNS responses according to the TTL,
so recursion by such an intranet DNS server means your network generates far fewer DNS requests to internet name servers.
- kridsanaCirrocumulus
Yeah, for our clients in the intranet, F5 acts as the intranet DNS server, which allows recursion on all domains.

The problem is that our F5 DNS also acts as a GSLB, which is an external DNS server too.

If we allow recursion only for intranet client IPs, then when an external customer resolves a CNAME record in our domain, they will not get an IP address.

If we allow recursion for all client IPs, everyone can resolve every record in the world through our F5 DNS, which shouldn't be the case (F5 would become a target for DNS amplification attacks).

That's why we need to allow recursion only for our own domains.

The problem is how to do it. Is it possible?
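Added example, not code from the original posts or from F5. As the thread notes, BIND's "allow-recursion" matches client addresses, not the queried name, so the practical check on the GSLB listener is made from outside: send a query with RD set for a name you do not host and look at the reply. A reply with RA set and an answer section means the listener recursed for an outsider (the amplification exposure described above); RCODE REFUSED with RA clear means recursion is denied; a reply for your own zone should carry AA. The script below parses DNS wire-format replies and classifies them. The zone list, the server address in the docstring and the three sample replies are constructed for this example, not captured traffic.

```python
import socket
import struct

# Assumed zone list for this example; replace with the zones ZoneRunner/GSLB actually serve.
HOSTED_ZONES = ("ourzone.com.", "example.net.")

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label wire format."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """A-record query; RD=1 asks the server to recurse, which is what a probe must send."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end, jumped = offset + 2, True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)

def parse_response(msg: bytes) -> dict:
    """Header flags (AA/RD/RA/RCODE), question name and answer RRs of a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": []}
    info["qname"], offset = decode_name(msg, 12)
    offset += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:   # A record -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:                # CNAME -> target name
            rdata, _ = decode_name(msg, offset)
        offset += rdlen
        info["answers"].append((name, rtype, rdata))
    return info

def in_hosted_zone(name: str, zones=HOSTED_ZONES) -> bool:
    name = name.lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def classify(msg: bytes, zones=HOSTED_ZONES) -> str:
    """'authoritative' for hosted names; for foreign names 'open-recursion', 'refused' or 'other'."""
    r = parse_response(msg)
    if in_hosted_zone(r["qname"], zones):
        return "authoritative" if r["aa"] else "other"
    if r["ra"] and r["rcode"] == 0 and r["answers"]:   # it recursed for an outsider
        return "open-recursion"
    return "refused" if r["rcode"] == 5 else "other"

def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Live check over UDP/53 (needs network); e.g. probe('192.0.2.53', 'f5.com.') (address assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)

def make_response(qname: str, flags: int, answers) -> bytes:
    """Build a wire-format response; used only to construct the samples below."""
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, rtype, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

# Constructed sample replies (not captured traffic). Flags: QR=0x8000 AA=0x0400 RD=0x0100 RA=0x0080.
SAMPLE_OWN = make_response("www.ourzone.com.", 0x8580, [      # own zone: CNAME plus target A
    ("www.ourzone.com.", 5, encode_name("abcw123s.cloudflare.com.")),
    ("abcw123s.cloudflare.com.", 1, bytes([198, 51, 100, 7]))])
SAMPLE_OPEN = make_response("f5.com.", 0x8180, [                # foreign name answered: open resolver
    ("f5.com.", 1, bytes([203, 0, 113, 9]))])
SAMPLE_REFUSED = make_response("f5.com.", 0x8105, [])           # RA=0, RCODE=5 REFUSED: denied
```

Run `probe()` against the GSLB listener from an external vantage point with a name you do not host; `open-recursion` is the posture the poster wants to avoid, `refused` is the expected result, and `authoritative` for a hosted name confirms the listener still serves its own zones. Note that an authoritative reply carrying only the CNAME, with no A record for the target, is a complete answer in standard DNS: the querying resolver follows the CNAME itself, so the extra A record in SAMPLE_OWN only appears when the server recursed on the client's behalf.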