F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Gordon_Bailey-M's avatar
Gordon_Bailey-M
Historic F5 Account
Jul 13, 2016

DNS Express Query Refused

I have a strange one. I have a DNS Express zone which has been transferred successfully. I can see the zones if I performa dnsxdump on the GTM. I have a DNS profile with DNS Express enabled; BIND/...
application delivery
BIG-IP DNS
IanB's avatar
IanB
Icon for Employee rankEmployee
Jul 15, 2016

So if I understand that correctly..

 

  1. You have a listener with a pool attached, and a dns profile on it that enables DNS Express. DNS Express is set up to act as a slave for your internal zones.

     

  2. You can see the internal zone data using dnsxdump

     

  3. When you send queries for external zones to the listener, they do not match any zones DNS express knows of, and so the packet is forwarded on to the pool (in this case, 8.8.8.8).

     

  4. When you send queries for your internal zones to it, (which you would expect DNS Express to respond to), you instead get a REFUSED response.

     

  5. If you disable DNS express, the query is sent to the pool, as expected.

     

If that's all correct.. then.. I'm very puzzled. I've tried a bunch of misconfigurations in my lab (12.0.0) to see if I can replicate this, but have been unsuccessful. I'm thinking maybe local bind is somehow getting the query and responding with REFUSED, since it isn't authoritative for it, but I haven't found any way to get the query to fall through to local bind without it first going to the pool.

 

Can you confirm it really is being refused by DNS express ? Have a look at the DNS profile stats on the listener statistics page, or use 'tmsh show ltm profile dns ' and see which counter is incrementing.