DNS: reply from unexpected source
Maybe the first thing to clear up is that the BIG-IP does not SNAT to the client. SNAT is a server side function where the BIG-IP changes the packet source address to its own to aid in return routing. Let's use an example.
- Client is 1.1.1.1
- BIG-IP DNS VIP is 2.2.2.2
- BIG-IP server side self-IP is 3.3.3.3
- DNS server is 3.3.3.4
- DNS server is configured to GW back through 3.3.3.3
- There's no SNAT on the BIG-IP VIP
So then packet flow through the BIG-IP VIP looks like this:
- Client 1.1.1.1 reaches the BIG-IP VIP 2.2.2.2
- BIG-IP VIP load balances to 3.3.3.4
- The DNS server sees traffic from 1.1.1.1 (no SNAT) and routes its response back through 3.3.3.3 (self-IP)
- The client sees a DNS response from 2.2.2.2 (BIG-IP VIP)
If the client goes directly to the DNS server:
- Client 1.1.1.1 reaches the DNS server (3.3.3.4) directly
- The DNS server sees traffic from 1.1.1.1 and routes its response back through 3.3.3.3 (self-IP)
- The client sees a DNS response from 2.2.2.2 (BIG-IP VIP)
So it's not that the BIG-IP is SNAT'ing the traffic to the client, but that the client is intentionally talking to the BIG-IP to get a DNS response in one flow, and incorrectly getting a response from the BIG-IP VIP (instead of the DNS server directly) in the other flow. The easiest option here would just be to enable SNAT on the BIG-IP (to the DNS servers), and remove the BIG-IP gateway route. That way DNS through the BIG-IP will look like it's coming from the BIG-IP and will return that way. DNS directly from the client will go around the BIG-IP.
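The configuration Kevin proposes, as an added example that is not part of the original post: a UDP/53 virtual server for the VIP 2.2.2.2 from the thread, first without SNAT (the situation described above, where the DNS server sees 1.1.1.1 and depends on its gateway 3.3.3.3 for the return path), then switched to SNAT automap so the server-side source becomes the self-IP 3.3.3.3 and the reply returns to the BIG-IP without any help from the server's routing table. Addresses are the thread's; the object names (dns_pool, dns_vs) and the `gateway_icmp` monitor are assumptions. Note the trade-off raised later in the thread: with SNAT the DNS server's logs record 3.3.3.3 instead of the client address.

```tmsh
# Added example (not from the thread). Run on the BIG-IP in tmsh.
# Addresses follow the post; object names dns_pool / dns_vs are assumed.

# Pool holding the DNS server 3.3.3.4 (add further members the same way).
create ltm pool dns_pool members add { 3.3.3.4:53 } monitor gateway_icmp

# Virtual server 2.2.2.2:53/UDP with NO source address translation.
# The DNS server sees the client 1.1.1.1 as the source and must route its
# reply back through self-IP 3.3.3.3 for the BIG-IP to hand it to the client.
create ltm virtual dns_vs destination 2.2.2.2:53 ip-protocol udp profiles add { udp } pool dns_pool source-address-translation { type none }

# Corrected setting: SNAT automap. The DNS server now sees the self-IP
# 3.3.3.3 as the source, so the reply is addressed to the BIG-IP regardless
# of the server's default route (and the server logs 3.3.3.3, not the client).
modify ltm virtual dns_vs source-address-translation { type automap }

# Confirm what is active.
list ltm virtual dns_vs source-address-translation

# Companion step from the post, done on the DNS server itself rather than in
# tmsh (assumed Linux): stop routing replies via the BIG-IP self-IP, e.g.
#   ip route del default via 3.3.3.3
# so queries sent directly to 3.3.3.4 are answered from 3.3.3.4.
```

After the `modify`, queries through the VIP are sourced from 3.3.3.3 and answered to 3.3.3.3, while direct queries to 3.3.3.4 bypass the BIG-IP in both directions; the mixed case in the post (a direct query answered from the VIP) can no longer arise.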
- jesusangel, Nov 17, 2022, Altostratus
Dear Kevin,
I do appreciate your answer. However, I would prefer not to enable SNAT on the BIG-IP to the DNS servers as I need to log the client's IP on the DNS servers. Should I enable SNAT on the BIG-IP (to the DNS servers), then all DNS queries coming from the BIG-IP system would have the BIG-IP server side self-IP (3.3.3.3).
Moreover, the thing is that when a client goes directly to the DNS server, the vast majority of the responses arrive at the client with the DNS server IP (3.3.3.4). There are just a handful of them that arrive with the BIG-IP VIP (2.2.2.2). That is what I cannot wrap my head around. I thought that BIG-IP somehow tracks queries that come through it and does SNAT to the client when it is appropriate.
Regards,
Jesús Ángel.
- Kevin_Stewart, Nov 17, 2022, Employee
So to be clear, some clients will get DNS by making a request to a BIG-IP VIP (2.2.2.2), and other clients will go directly to the DNS server (3.3.3.4), by going around the BIG-IP? And as the DNS server uses a BIG-IP self-IP as its gateway, you would expect all return traffic to return through the BIG-IP?
Is there more than one DNS server, and is there any chance that one of those servers has a static route applied for some client IP subnet that doesn't pass back through the BIG-IP?
- jesusangel, Nov 17, 2022, Altostratus
> So to be clear, some clients will get DNS by making a request to a BIG-IP VIP (2.2.2.2), and other clients will go directly to the DNS server (3.3.3.4), by going around the BIG-IP? And as the DNS server uses a BIG-IP self-IP as its gateway, you would expect all return traffic to return through the BIG-IP?
Exactly!
> Is there more than one DNS server, and is there any chance that one of those servers has a static route applied for some client IP subnet that doesn't pass back through the BIG-IP?
I think there are no static routes, but I am not 100% sure about it. I will double check it and I will get back to you.