Forum Discussion

Altocumulus

Feb 18, 2022

Configuring listener IP for TCP

Hay folks! I am preparing for the 302 exam and I ran into this " DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refuse...

application delivery

cloud

Daniel_Wolf
Feb 18, 2022
Hi Khaled_HA,

UPD is limited to 512 bytes. Some of the newer record types might contain messages that exceed the 512 byte limit and use TCP as fallback.

See: RFC 5966 - DNS Transport over TCP - Implementation Requirements

And also: K91537308: Overview of the truncating rule when DNS response size is over 512 Bytes

I never tried to pass the 302 exam. However, I am 100% it is for BIG-IP 12.1. You are looking at an article that is relevant for 14.1 to 16.1. Make sure you are looking the relevant sources (K29900360: F5 certification | Exams and blueprints).

KR
Daniel
Daniel_Wolf
Feb 20, 2022
I will try to answer your second question too:

This solution (K14510: Overview of DNS query processing on BIG-IP systems) explains in which order the BIG-IP processes DNS requests and how to configure Unhandled Query Actions. One setting for unhandled queries is Reject.

Use the Reject setting to return a REFUSED status for the DNS query.

DISCLAIMER: I admit that I am not an expert for BIG-IP DNS. Maybe this is not the only correct answer to your question.

Khaled_HA

Altocumulus

Hay Daniel_Wolf,

Thanks for bringing that to my mand.

Regarding my second question; what are the setuations where big-ip DNS would refuse the connection ?

If the big-ip DNS recieved a query for a domain that it is not authoritative for, will the big-ip DNS refuse the query ?

Daniel_Wolf

MVP

Feb 20, 2022

I will try to answer your second question too:

This solution (K14510: Overview of DNS query processing on BIG-IP systems) explains in which order the BIG-IP processes DNS requests and how to configure Unhandled Query Actions. One setting for unhandled queries is Reject.

Use the Reject setting to return a REFUSED status for the DNS query.

DISCLAIMER: I admit that I am not an expert for BIG-IP DNS. Maybe this is not the only correct answer to your question.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Configuring listener IP for TCP

Recent Discussions

VIP needed for many UDP ports

Creating Policy using Terraform

Unable to get Internet in server using SWG forward Proxy.

ASM don't block attack XSS

AWAF ADD-ON MODULE

Related Content

F5 Distributed Cloud - Listener Logic

How to listen to the DevCentral Podcasts

UDP DNS listener doesn't resolve DNS query but TCP DNS listener can

Multiple Ways to Configure Usage Reporting in NGINX

Disable vip that is listening on different ports

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS