Forum Discussion
DNS: reply from unexpected source
Maybe the first thing to clear up is that the BIG-IP does not SNAT to the client. SNAT is a server side function where the BIG-IP changes the packet source address to its own to aid in return routing. Let's use an example.
- Client is 1.1.1.1
- BIG-IP DNS VIP is 2.2.2.2
- BIG-IP server side self-IP is 3.3.3.3
- DNS server is 3.3.3.4
- DNS server is configured to GW back through 3.3.3.3
- There's no SNAT on the BIG-IP VIP
So then packet flow through the BIG-IP VIP looks like this:
- Client 1.1.1.1 reaches the BIG-IP VIP 2.2.2.2
- BIG-IP VIP load balances to 3.3.3.4
- The DNS server sees traffic from 1.1.1.1 (no SNAT) and routes its response back through 3.3.3.3 (self-IP)
- The client sees a DNS response from 2.2.2.2 (BIG-IP VIP)
If the client goes directly to the DNS server:
- Client 1.1.1.1 reaches the DNS server (3.3.3.4) directly
- The DNS server sees traffic from 1.1.1.1 and routes its response back through 3.3.3.3 (self-IP)
- The client sees a DNS response from 2.2.2.2 (BIG-IP VIP)
So it's not that the BIG-IP is SNAT'ing the traffic to the client, but that the client is intentionally talking to the BIG-IP to get a DNS response in one flow, and incorrectly getting a response from the BIG-IP VIP (instead of the DNS server directly) in the other flow. The easiest option here would just be to enable SNAT on the BIG-IP (to the DNS servers), and remove the BIG-IP gateway route. That way DNS through the BIG-IP will look like it's coming from the BIG-IP and will return that way. DNS directly from the client will go around the BIG-IP.
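To make the two flows concrete, here is a small added simulation (not F5 code, and not from the original poster) that walks a DNS query and its reply through the addresses used above. It models the BIG-IP as a connection table plus the assumption stated in the post: any pool-member reply that traverses the BIG-IP leaves with the VIP as its source. The resolver-side check is the one that produces the "reply from unexpected source" message.

```python
from dataclasses import dataclass

# Constructed addresses, taken from the post's example.
CLIENT, VIP, SELF_IP, DNS = "1.1.1.1", "2.2.2.2", "3.3.3.3", "3.3.3.4"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


class BigIP:
    """Toy model of the DNS VIP (assumption: a pool-member reply that crosses
    the BIG-IP is rewritten to carry the VIP as its source)."""

    def __init__(self, snat):
        self.snat = snat
        self.conns = {}  # (server-side src, server-side dst) -> original client

    def client_side(self, pkt):
        # VIP forwards to the pool member; with SNAT the source becomes the self-IP.
        out = Pkt(SELF_IP if self.snat else pkt.src, DNS)
        self.conns[(out.dst, out.src)] = pkt.src
        return out

    def server_side(self, pkt):
        # Known flow: map back to the original client. Unknown flow (client went
        # directly to the DNS server): destination is kept, source still becomes VIP.
        client = self.conns.get((pkt.src, pkt.dst), pkt.dst)
        return Pkt(VIP, client)


def dns_reply(query, gw_via_bigip, bigip):
    """The DNS server answers the query's source; the reply crosses the BIG-IP if
    it is addressed to the self-IP (SNAT case) or if the server's gateway is 3.3.3.3."""
    reply = Pkt(DNS, query.src)
    if reply.dst == SELF_IP or gw_via_bigip:
        return bigip.server_side(reply)
    return reply


def resolve(via_vip, snat, dns_gw_via_bigip):
    """Return the resolver's verdict for one query under the given configuration."""
    bigip = BigIP(snat)
    query = Pkt(CLIENT, VIP if via_vip else DNS)
    on_wire = bigip.client_side(query) if via_vip else query
    reply = dns_reply(on_wire, dns_gw_via_bigip, bigip)
    # A resolver only accepts a reply from the address it sent the query to.
    if reply.src != query.dst:
        return f"reply from unexpected source: {reply.src}, expected {query.dst}"
    return "accepted"
```

Running `resolve(False, False, True)` reproduces the post's broken direct flow (reply arrives from 2.2.2.2 instead of 3.3.3.4), while `resolve(False, True, False)` and `resolve(True, True, False)` show both flows succeeding after the suggested change. It also shows why the two halves of the fix belong together: `resolve(True, False, False)` (gateway route removed but no SNAT) fails in the other direction, with the reply coming from 3.3.3.4 instead of the VIP.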