Forum Discussion
DNS Express for CNAME Record Non-authoritative
Hi Lyndon,
This is basically by design because DNS-Express doesn't do any further recursion for that cname. So, your question is maybe targeting using F5 DNS as LDNS via DNS-Express right?
Basically, when a user does a DNS request on his dial-up for instance he will ask first its LDNS (local ISP DNS server) which does ask for a specific A-record (based on DNS iteration) the corresponding authoritative DNS server for the requested RR. If the authoritative DNS server is a BIG-IP with DNS-Express enabled for that zone, it will answer with the particular A-record.
In case the users DNS A-record request would point at the end to a non-authoritative cname on DNS-Express we will just respond with the cname RR only and the LDNS (local ISP DNS for that dial-up) would do the recursion.
I hope it's clear so far.
Now, there many way's to configure the box doing this.
Answer: Layered Virtual
One which does work is, configure an external listener with a "resolver cache" profile (the BIG-IP in that case does recursion to the root-hits by default or as you define). Then define within the cache the "Forward Zones" and point the zone to a second listener (which is internally available only!) and define for that listener a profile which has DNS-Express enabled on it. Done.
It is very simple. We are just acting with the external listener as the LDNS (local ISP DNS server) in front of the internal DNS-Express listener. Finally, we are able to do the recursion for that stuff ;-).
Cheerio, Andrea
- Peter_BaumannAug 02, 2017Cirrostratus
Thank you Andrea for this explanation. I just had the same problem on a already productive installation with DNS-Express. We had to disable DNS-Express since it seems not to support CNAME recursion. The layered VS setup would be easy to solve the problem, but we cannot do more experiments on this productive systems.
According to this: https://devcentral.f5.com/questions/dns-express-and-cnames-to-aws-servers Using just the BIND backend performed well.
So DNS-Express only seems to be usefull for an authoritative DNS only, and not for a LDNS for clients 😞
Thanks! Peter
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com