For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Lyndon_J's avatar
Lyndon_J
Icon for Nimbostratus rankNimbostratus
Aug 10, 2015

DNS Express for CNAME Record Non-authoritative

Hi,   In DNS Express, we have a CNAME that points to a record in a zone that we're non-authoritative. When querying this record CNAME record from a client, DNS Express does not return the A recor...
BIG-IP DNS
deployment
Andrea_Arquint's avatar
Andrea_Arquint
Icon for Nimbostratus rankNimbostratus
May 12, 2016

Hi Lyndon,

 

This is basically by design because DNS-Express doesn't do any further recursion for that cname. So, your question is maybe targeting using F5 DNS as LDNS via DNS-Express right?

 

Basically, when a user does a DNS request on his dial-up for instance he will ask first its LDNS (local ISP DNS server) which does ask for a specific A-record (based on DNS iteration) the corresponding authoritative DNS server for the requested RR. If the authoritative DNS server is a BIG-IP with DNS-Express enabled for that zone, it will answer with the particular A-record.

 

In case the users DNS A-record request would point at the end to a non-authoritative cname on DNS-Express we will just respond with the cname RR only and the LDNS (local ISP DNS for that dial-up) would do the recursion.

 

I hope it's clear so far.

 

Now, there many way's to configure the box doing this.

 

Answer: Layered Virtual

 

One which does work is, configure an external listener with a "resolver cache" profile (the BIG-IP in that case does recursion to the root-hits by default or as you define). Then define within the cache the "Forward Zones" and point the zone to a second listener (which is internally available only!) and define for that listener a profile which has DNS-Express enabled on it. Done.

 

It is very simple. We are just acting with the external listener as the LDNS (local ISP DNS server) in front of the internal DNS-Express listener. Finally, we are able to do the recursion for that stuff ;-).

 

Cheerio, Andrea

 

Peter_Baumann's avatar
Peter_Baumann
Icon for Cirrostratus rankCirrostratus
Aug 02, 2017

Thank you Andrea for this explanation. I just had the same problem on a already productive installation with DNS-Express. We had to disable DNS-Express since it seems not to support CNAME recursion. The layered VS setup would be easy to solve the problem, but we cannot do more experiments on this productive systems.

 

According to this: https://devcentral.f5.com/questions/dns-express-and-cnames-to-aws-servers Using just the BIND backend performed well.

 

So DNS-Express only seems to be usefull for an authoritative DNS only, and not for a LDNS for clients 😞

 

Thanks! Peter