Forum Discussion

kva_178637
Jan 20, 2015

DNS Express and CNAMES to AWS servers

For internal DNS we sync our GTMs' DNS Express with AD Integrated DNS that is managed by another team. By default, CNAMEs that point to the names of servers in AWS are not being resolved to an IP by DNS Express (in contrast to the behavior of the AD integrated DNS). I know that this is the expected behavior. Would there be some way to allow these to be resolved, besides using iRules or Wide IPs? (Thinking along the lines of some Notify Action setting or an unhandled query action.) I am looking for something that would not require us to touch DNS entries after they are added to AD integrated DNS by the server team, but still be able to use the great performance boost of DNS Express. Thank you for any thoughts.

 

  • You are looking for a way for DNS Express to return authoritative IP addresses for a CNAME? What zone holds the A records for the corresponding CNAME records?

     

  • Hi Brad, we need to reference multiple Amazon EC2 servers by name since their IPs may be changing. We do not host the zone that has the A records. Currently we are using an iRule, but then need to manually maintain a dgl list. Since multiple teams are involved this introduces potential for errors.

     

    • Brad_Parker
      Do you not trust Amazon's name servers to perform as well as your GTM? Or are you attempting to shroud the response so the end user is getting the CNAME back suggesting it is hosted by Amazon? The only way I see to do this would be to possibly use an iRule that gathers the IP from Amazon's name servers and caches the record according to the TTL their record sends back. I don't think that would perform any faster than allowing the lookup to go to Amazon's name servers.
  • kva,

     

    How did you end up resolving this? I'm having the same issue.

     

    Thanks, Mike

     

  • JG

    It seems to me that your DNS Express deployment should be an authoritative published master to handle queries from the external world only, which is really the purpose of DNS Express, while your internal users should configure their DNS resolver to point to the AD, the hidden master. I would even want to have a dedicated Linux box hosting a BIND server to handle internal queries to resolve external domains, in which case you configure the AD to forward such queries to the BIND server.

     

  • The F5 actually already has a BIND backend running, and one work-around is to create a separate listener IP with it enabled but DNS Express disabled, then use that as the DNS server that the clients point to.

     

    Before undertaking anything, I found this was a useful doc to better understand the services and how they sometimes overlap:

     

    K14510: Overview of DNS query processing on BIG-IP systems

     

    • Patricia_Gonzal

      We were able to do this with an iRule that disabled DNS Express for CNAME records in DNS Express zones. We had to enable BIND on the GTM with forwarding resolvers.
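As an added illustration (this is not code from any poster in the thread and not an F5 API), the following Python model shows the two behaviours discussed above. `authoritative_answer` follows a CNAME only while its target stays inside a zone the server holds, which is why an authoritative-only DNS Express zone hands back just the CNAME for an alias that points at an out-of-zone EC2 name. `resolve` then forwards the unanswered target the way a BIND listener with forwarders would, and keeps a seen-set plus a hop limit so a looped or over-long CNAME chain cannot spin the resolver. All zone data, names and addresses are constructed for the example.

```python
"""Toy model of CNAME handling: an authoritative-only server versus a resolver
that forwards out-of-zone CNAME targets. Every record below is constructed."""

# Constructed: the zone an authoritative-only server (DNS Express style) holds,
# fed from a hidden master such as AD-integrated DNS.
INTERNAL_ZONES = {
    "corp.example.": {
        "intranet.corp.example.": [("A", "10.0.0.5")],
        "alias.corp.example.": [("CNAME", "intranet.corp.example.")],
        "app.corp.example.": [("CNAME", "ec2-203-0-113-10.compute.example.")],
    }
}

# Constructed: what an upstream forwarder (e.g. BIND with forwarders) can see.
FORWARDER_VIEW = {
    "ec2-203-0-113-10.compute.example.": [("A", "203.0.113.10")],
    "loop-a.example.": [("CNAME", "loop-b.example.")],
    "loop-b.example.": [("CNAME", "loop-a.example.")],
}

MAX_CNAME_HOPS = 8  # bound on chain length, independent of the loop check


def zone_for(name, zones):
    """Return the record set of the held zone covering `name`, else None."""
    for apex, records in zones.items():
        if name == apex or name.endswith("." + apex):
            return records
    return None


def authoritative_answer(name, qtype, zones=INTERNAL_ZONES):
    """Answer like an authoritative-only server: chase a CNAME only while the
    target is inside a zone we hold; never go outside our own data."""
    answer, seen = [], set()
    while name not in seen and len(seen) < MAX_CNAME_HOPS:
        seen.add(name)
        zone = zone_for(name, zones)
        if zone is None:
            break  # target is not ours: return the CNAME(s) collected so far
        rrs = zone.get(name, [])
        cname = [rr for rr in rrs if rr[0] == "CNAME"]
        if cname and qtype != "CNAME":
            answer.extend(cname)
            name = cname[0][1]  # in-zone alias: keep chasing
            continue
        answer.extend(rr for rr in rrs if rr[0] == qtype)
        break
    return answer


def forwarder_lookup(name, qtype):
    """Stand-in for the upstream resolver: records it knows for `name`."""
    return [rr for rr in FORWARDER_VIEW.get(name, []) if rr[0] in (qtype, "CNAME")]


def resolve(name, qtype, zones=INTERNAL_ZONES):
    """Resolver behaviour: local authoritative data first, then forward any
    CNAME target we cannot answer ourselves. The seen-set and hop limit stop
    CNAME loops and runaway chains from consuming the resolver."""
    if zone_for(name, zones) is None:
        answer = forwarder_lookup(name, qtype)  # not our zone at all
    else:
        answer = list(authoritative_answer(name, qtype, zones))
    seen = {name}
    for _ in range(MAX_CNAME_HOPS):
        if any(rr[0] == qtype for rr in answer):
            return answer  # requested type is present: done
        cnames = [rr for rr in answer if rr[0] == "CNAME"]
        if not cnames:
            return answer  # NODATA/NXDOMAIN-style: nothing left to chase
        target = cnames[-1][1]
        if target in seen:
            raise ValueError(f"CNAME loop detected at {target}")
        seen.add(target)
        more = forwarder_lookup(target, qtype)
        if not more:
            return answer  # target unknown upstream: the CNAME stands alone
        answer.extend(more)
    raise ValueError("CNAME chain exceeded MAX_CNAME_HOPS")


if __name__ == "__main__":
    print("authoritative:", authoritative_answer("app.corp.example.", "A"))
    print("resolver:     ", resolve("app.corp.example.", "A"))
    try:
        resolve("loop-a.example.", "A")
    except ValueError as err:
        print("guarded:      ", err)
```

Run stand-alone, the first line prints only the CNAME (the behaviour the original question describes), the second prints the CNAME followed by the forwarded A record, and the third shows the loop guard firing instead of the resolver chasing `loop-a`/`loop-b` forever.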