Forum Discussion

kridsana
Oct 31, 2024

Can BIG-IP DNS do recursion only for my domain?

Hi

We are using F5 DNS as our DNS server and have many CNAME records.

We want to query those CNAME records and get the IP as a result too (which is solved by enabling "recursion yes;" in the named configuration).

But we found a problem: our F5 DNS performs recursion on EVERY domain the client asks for (e.g. f5.com, nginx.com, etc.).

We want F5 DNS to answer queries only for the domains we handle (many domains in ZoneRunner and GSLB).

How can we do that?

Is it possible to do that? Because "recursion yes;" is configured in the named configuration, and I think it's a global setting, and "allow-recursion {}" only checks the client IP address (it doesn't check which domains we handle).

Thank you

  • As you set F5 DNS as the client's DNS server, it is common/usual behavior that such intranet DNS servers do recursion.
    If not, then each client would have to query Internet name servers itself.
    DNS servers also cache DNS responses according to the TTL,
    so recursion by such an intranet DNS server makes your network send far fewer DNS requests to Internet name servers.

    • kridsana

      Yeah, for our clients in the intranet, F5 acts as the intranet DNS server, which allows recursion on all domains.

      The problem is that our F5 DNS acts as the GSLB, which is an external DNS server too.

      If we allow-recursion only for intranet client IPs, then when an external customer resolves a CNAME record of our domain, they will not get an IP address.

      If we allow-recursion for all client IPs, everyone can resolve every record in the world from our F5 DNS, which shouldn't be the case (F5 would become a target for DNS amplification attacks).

      That's why we need to allow recursion only for our domain.

      The problem is how can we do it? Is it possible?
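An added example of the split the poster is after, written as a standard BIND `named.conf` rather than taken from the thread or from F5's own ZoneRunner-generated configuration: recursion is granted per client view, not per domain, because BIND has no per-domain recursion switch. Intranet clients get a recursive view; everyone else gets an authoritative-only view of the same zones. The ACL ranges, zone name and file names are assumptions. Note that an authoritative-only view is enough for external customers: when they query www.ourzone.com the server returns the CNAME record, and the customer's own recursive resolver chases the CNAME target, so no recursion is needed on the GSLB side.

```conf
// Added example (not from the thread, not BIG-IP's generated config).
// Assumed intranet ranges; adjust to your network.
acl "intranet" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";        // assumed path
    recursion no;                  // default for every view: no recursion
    allow-query { any; };          // anyone may ask; views decide what they get
    allow-query-cache { none; };   // no cached answers for non-recursive clients
};

// First matching view wins, so the intranet view must come first.
view "internal" {
    match-clients { intranet; };
    recursion yes;
    allow-recursion { intranet; };
    allow-query-cache { intranet; };
    // Same authoritative zone as the external view.
    zone "ourzone.com" { type master; file "ourzone.com.zone"; };  // assumed zone
};

// Everyone else: authoritative answers only, never an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "ourzone.com" { type master; file "ourzone.com.zone"; };  // assumed zone
};
```

Check the result from an external address with `dig @<server> www.ourzone.com A` (expect the CNAME in the answer section) and `dig @<server> f5.com A` (expect no IP: REFUSED or an empty answer with the RA flag clear), and run `named-checkconf` before reloading. Once views are in use, every zone, including the root hints, must live inside a view, so keep that in mind if ZoneRunner is regenerating the file.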

  • Is there a way to create an iRule to check whether the DNS query is for a zone we handle or not?

    If it is our zone > use a DNS profile where Process Recursion Desired is enabled (the default).

    If it is not our zone > use a DNS profile where Process Recursion Desired is disabled.

    But the problem is that many CNAMEs resolve to the cloud (for example www.ourzone.com IN CNAME abcw123s.cloudflare.com.).

    When we query www.ourzone.com, F5 will use the DNS profile with recursion enabled. But

    when F5 tries to recurse to find the IP of that CNAME target (abcw123s.cloudflare.com.), which DNS profile will it use?