Forum Discussion
DNS Query Flow
Hi Everyone,
I have a small query related to DNS queries and how GTM works.
I have GTM configured with 2 ISP links, and it acts as DNS. Now I need to know the following:
1) A client makes a query for www.company.com; the LDNS of the client does not have the IP for this domain, so it will perform the DNS process.
2) After receiving the reply from the GTM, the client LDNS will save the IP of www.company.com, i.e. it will be cached. Let's say this IP is from ISP1.
3) Another client makes a request via the same LDNS for www.company.com, so the LDNS will return the cached IP of company.com.
4) Now if a 3rd user comes and queries for the same domain, the LDNS returns the same cached IP address, but at this moment the ISP1 link goes down, so the website will become unavailable to this 3rd user.
5) What will happen in this situation?
Do I have any misunderstanding in this explanation?
Regards,
19 Replies
- Techgeeeg
Nimbostratus
Hey guys, someone answer please.....
- Cory_50405
Noctilucent
DNS doesn't really have much impact on your situation. It only provides name resolution for whatever FQDN is being queried for. Since you have multiple ISPs, network traffic should just use the secondary ISP if your primary ISP fails. DNS response is independent of ISP. Your concern seems to be more of a routing issue.
- Gregory_Thiell_Historic F5 Account
Techgeeeg,
Step number 2 you mentioned should not happen because by default, the TTL returned when you configure a Wide IP is set to 0. Therefore, the LDNS should not cache the entry. Instead, it should send a DNS request to your GTM for each client's request (which means, possibly multiple times for the same client, if the client also honors the TTL).
You can verify the TTL in ZoneRunner or by sending DNS requests with dig, for example.
- Gregory_Thiell
Employee
Edit: the default TTL is not 0 but 30s. So the record should be cached for 30s.
- Techgeeeg
Nimbostratus
Hi Gregory,
Thanks for the reply. So in this case my internet pipe will be consumed a lot if I have a public portal, as the DNS query will be sent for every client every time.
Regards,
- Gregory_Thiell
Employee
Hi Techgeeeg,
My bad, the TTL value we can see in ZoneRunner doesn't seem to show what is actually sent by GTM: the default TTL is not 0 but 30s. So the record should be cached by the LDNS for 30s. This value can be changed in the advanced properties of the Wide IP Pool, and tested with dig.
In any case, we are talking about DNS requests and responses, which are very light because they use UDP.
- Techgeeeg
Nimbostratus
Hi Gregory,
Yes, you are right that the DNS query is light, but we are well aware of DNS DDoS attacks... So if my DNS is not allowing the requesting DNS to cache anything, and I have a public portal which is used heavily country-wide or world-wide, then in this case my internet pipe will consume a good amount of bandwidth answering DNS queries. Do you agree on this point??
Regards,
- Gregory_Thiell
Employee
No, in comparison to the actual traffic (processed by LTM for your public portal), DNS requests will be negligible.
A DNS DDoS attack is a very different thing to consider. GTM offers protections against it. Search for "DNS" in the following article: https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
- Techgeeeg_28888
Nimbostratus
Hi Gregory,
Thanks for the input. I do agree with your point that the traffic processed by LTM is far more than what is processed by GTM, but in my above question I am only talking about GTM, not LTM..... As per my understanding, BIG-IP with only the GTM module is not going to offer any protection against DDoS; it needs to have the AFM module and/or ASM module to be more robust in providing the security layer against DDoS. So BIG-IP with only the GTM module will get under attack for sure... unless we are playing with iRules, but even for that we have a limit; it can't be dynamic.
Regards,
- Gregory_Thiell
Employee
Techgeeeg,
You should treat legitimate traffic and bad traffic separately. You just jumped from one topic (controlling the TTL) to another (being attacked). These are two unrelated things. You understand that changing the TTL will not prevent you from being attacked.
For the legitimate traffic, you might have a good reason not to compare LTM and GTM traffic while evaluating the bandwidth. For example, one connection is dedicated to DNS requests and there is no other traffic on the link (never seen that before, but why not). In all other cases, because you know that DNS will always be a tiny percentage of your actual traffic (HTTP), you don't need to worry about it too much.
Now if you prefer, you can calculate the maximum number of DNS responses your bandwidth could handle... Take the average DNS packet size (it's usually about 100 Bytes = 800 bits). If your bandwidth is only 10 Mb/s, 10,000,000/800 = 12,500 DNS responses per second. If that's not enough, it means you need a bigger bandwidth.
Regarding bad traffic, implementing only the GTM module can already help you protect against DDoS attacks. Implementing DNS Express is a good example (DNS Express is a GTM feature that is also available with LTM). Now if you want more control then yes, you should provision and configure AFM. As for ASM, it doesn't do anything with DNS in its current version.
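As an added illustration (not code from the thread or from F5) of the trade-off the replies above describe, the following Python models the LDNS cache from the question honoring the Wide IP TTL while the ISP1 link fails, and carries Gregory's bandwidth arithmetic; the pool IPs are constructed RFC 5737 test addresses and the Gtm/Ldns classes are toy models, not BIG-IP behaviour.

```python
# Added example, not from the thread or from F5. Toy model of the scenario in the
# question: an LDNS caching a GTM answer for its TTL while ISP1 goes down. The two
# pool IPs are constructed test addresses (RFC 5737), not real F5 or ISP values.
DNS_RESPONSE_BYTES = 100  # Gregory's rule-of-thumb average DNS response size


class Gtm:
    """Authoritative server: answers with the first pool member whose link is up."""

    def __init__(self, pool, ttl):
        self.pool = dict(pool)               # {"ISP1": ip, "ISP2": ip} (constructed)
        self.up = {isp: True for isp in pool}
        self.ttl = ttl                       # Wide IP pool TTL; thread says default is 30s

    def answer(self, name):
        for isp, ip in self.pool.items():
            if self.up[isp]:
                return ip, self.ttl
        raise RuntimeError("all ISP links down")


class Ldns:
    """Client-side recursive resolver: caches each answer until its TTL expires."""

    def __init__(self, authoritative):
        self.authoritative = authoritative   # callable: name -> (ip, ttl)
        self.cache = {}                      # name -> (ip, expires_at)
        self.upstream_queries = 0

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                    # still within TTL: hand out the cached IP
        ip, ttl = self.authoritative(name)   # cache miss or expired: ask GTM again
        self.upstream_queries += 1
        self.cache[name] = (ip, now + ttl)
        return ip


def simulate(ttl, failure_at=10, horizon=60):
    """One client query per second via the same LDNS; ISP1 dies at failure_at.
    Returns (queries that reached GTM, answers still pointing at the dead ISP1 IP)."""
    gtm = Gtm({"ISP1": "203.0.113.10", "ISP2": "198.51.100.10"}, ttl)
    ldns = Ldns(gtm.answer)
    stale = 0
    for t in range(horizon):
        if t >= failure_at:
            gtm.up["ISP1"] = False           # step 4 of the question: ISP1 link goes down
        if ldns.resolve("www.company.com", t) == gtm.pool["ISP1"] and t >= failure_at:
            stale += 1                       # client sent to an unreachable address
    return ldns.upstream_queries, stale


def max_responses_per_second(link_bps, response_bytes=DNS_RESPONSE_BYTES):
    """Gregory's estimate: DNS responses per second a link can carry before saturating."""
    return link_bps // (response_bytes * 8)
```

With the 30s default the LDNS keeps handing out the dead ISP1 address for the rest of the TTL but only asks GTM twice in a minute; with TTL 0 no answer is ever stale but every client query reaches GTM, which is the bandwidth concern the thread debates.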