For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jesusangel's avatar
jesusangel
Icon for Altostratus rankAltostratus
Nov 16, 2022

DNS: reply from unexpected source

Hi, Firstly, I must say that I am a complete newbie when it comes to BIG-IP products. On the other hand, the load balancer was configured by experts, so I am pretty confident that they made a reason...
application delivery
dns
snat
jesusangel's avatar
jesusangel
Icon for Altostratus rankAltostratus
Nov 17, 2022

Dear Kevin,

I do appreciate your answer. However, I would prefer not to enable SNAT on the BIG-IP to the DNS servers as I need to log in the DNS servers the client's IP. Should I enable SNAT con the BIG-IP (to the DNS servers), then all DNS queries comming from the BIG-IP system would have the BIG-IP server side self-IP (3.3.3.3).

Moreover, the thing is that when a client goes directly to the DNS server, the vast majority of the responses arrive to the client with the DNS server IP (3.3.3.4). There are just a handful of them that arrive with the BIG-IP VIP (2.2.2.2). That is what I can not wrap my head around to. I thought that BIG-IP somehow tracks queries that come throught it and does SNAT to the client when it is appropiate.

 

Regards,

Jesús Ángel.

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 17, 2022

So to be clear, some clients will get DNS by making a request to a BIG-IP VIP (2.2.2.2), and other clients will go directly to the DNS server (3.3.3.4), by going around the BIG-IP? And as the DNS server uses a BIG-IP self-IP as its gateway, you would expect all return traffic to return through the BIG-IP?

Is there more than one DNS server, and is there any chance that one of those servers has a static route applied for some client IP subnet that doesn't pass back through the BIG-IP?

  • jesusangel's avatar
    jesusangel
    Icon for Altostratus rankAltostratus
    Nov 17, 2022

    So to be clear, some clients will get DNS by making a request to a BIG-IP VIP (2.2.2.2), and other clients will go directly to the DNS server (3.3.3.4), by going around the BIG-IP? And as the DNS server uses a BIG-IP self-IP as its gateway, you would expect all return traffic to return through the BIG-IP?

    Exactly!

    Is there more than one DNS server, and is there any chance that one of those servers has a static route applied for some client IP subnet that doesn't pass back through the BIG-IP?

    I think there are not static routes, but I am not 100% sure about it. I will double check it and I will get back yo you.

    • jesusangel's avatar
      jesusangel
      Icon for Altostratus rankAltostratus
      Nov 18, 2022

      So to be clear, some clients will get DNS by making a request to a BIG-IP VIP (2.2.2.2), and other clients will go directly to the DNS server (3.3.3.4), by going around the BIG-IP? And as the DNS server uses a BIG-IP self-IP as its gateway, you would expect all return traffic to return through the BIG-IP?

      Exactly!

      Is there more than one DNS server, and is there any chance that one of those servers has a static route applied for some client IP subnet that doesn't pass back through the BIG-IP?

      There are two DNS servers, lets say that they are 3.3.3.4 and 3.3.3.5. Both of them just have as their default gateway the BIG-IP (3.3.3.3). There are not any static routes.

      • jesusangel's avatar
        jesusangel
        Icon for Altostratus rankAltostratus
        Nov 21, 2022

        Hello Kevin_Stewart ,

        Did you find any hint to solve this problem?

        Regards,

         

  • jesusangel's avatar
    jesusangel
    Icon for Altostratus rankAltostratus
    Nov 17, 2022

    Sorry, I forgot to mention that there are two DNS servers (3.3.3.4 and 3.3.3.5).