So if I understand that correctly..

- You have a listener with a pool attached, and a DNS profile on it that enables DNS Express. DNS Express is set up to act as a slave for your internal zones.
- You can see the internal zone data using dnsxdump.
- When you send queries for external zones to the listener, they do not match any zones DNS Express knows of, and so the packet is forwarded on to the pool (in this case, 8.8.8.8).
- When you send queries for your internal zones to it (which you would expect DNS Express to respond to), you instead get a REFUSED response.
- If you disable DNS Express, the query is sent to the pool, as expected.

If that's all correct.. then.. I'm very puzzled. I've tried a bunch of misconfigurations in my lab (12.0.0) to see if I can replicate this, but have been unsuccessful. I'm thinking maybe local BIND is somehow getting the query and responding with REFUSED, since it isn't authoritative for it, but I haven't found any way to get the query to fall through to local BIND without it first going to the pool.

Can you confirm it really is being refused by DNS Express? Have a look at the DNS profile stats on the listener statistics page, or use 'tmsh show ltm profile dns' and see which counter is incrementing.
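Added example, not part of the original thread: a small Python script that sends the same kind of internal and external queries to the listener and decodes the reply header, so the RCODE and the AA/RA flags can be read directly rather than inferred. The zone names and listener address are placeholders, not values from the thread.

```python
import socket
import struct

# Constructed placeholders: a made-up internal zone name and an external one.
INTERNAL_NAME = "host1.corp.example"
EXTERNAL_NAME = "www.example.com"
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal DNS query (A record by default) with only the RD flag set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data):
    """Decode the header fields that matter when tracing which component answered."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),  # set only by a server authoritative for the zone
        "ra": bool(flags & 0x0080),  # set by recursive resolvers such as a forwarding pool member
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def query(listener_ip, name, port=53, timeout=2.0):
    """Send one UDP query to the listener and parse the reply (network call)."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (listener_ip, port))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("response ID mismatch")
    return resp


if __name__ == "__main__":
    import sys
    listener = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder address
    for n in (INTERNAL_NAME, EXTERNAL_NAME):
        print(n, query(listener, n))
```

A REFUSED reply with AA clear and RA clear is consistent with a non-recursive component declining the query, whereas the pool's replies will normally carry RA.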