Forum Discussion

travelerZ's avatar
travelerZ
Icon for Altostratus rankAltostratus
Jul 29, 2024

External and Internal DNS on same appliance

Hello F5 experts,

Is it possible to somehow logically divide our current F5 DNS F5s so that they have external and internal DNS records without security risks? How it could/couldn't be done, do you have experience with it? Any brainstorming is highly appreciated :) .

We have primary BIND servers that delegate a couple of DNS zones to F5s. However, internal services that translate to internal IPs also started to appear, while we want to use GSLB on our 2 data centers, but we clearly do not want these internal IPs to be visible from the Internet.

I was thinking about creating a new DNS zone for internal services for which we want to use GSLB and delegate the zone from our primary DNS servers to our F5 DNS, where I would create a new DNS listener (that is, there will be different NS records on primary DNS servers for internal than for external services) on which I would put an ACL only for private IPs. But both the zone and the Wide IPs for internal services will be available on the F5, and I can't create/block it only for a specific listener, as far as I know. Which means that if someone from the Internet directly tries to resolve the internal services and asks the IP addresses of external listeners, F5 will provide them right... 

At the moment, I have iRule on a Wide IP for the internal services, which only allows private IPs, but I consider this to be only a temporary workaround and we need full solution as internal services will grow.

  • You might take a look at the following article.

    https://community.f5.com/kb/codeshare/gslb-split-dns-by-irule/301865

  • You might take a look at the following article.

    https://community.f5.com/kb/codeshare/gslb-split-dns-by-irule/301865

  • if the topology method in article mentioned by Paulius above is not feasible,
    you can try multiple cname-wideip method as i write in link below.

    gtm split dns using multiple cname-wideip

    btw, the topology mechanism that selects dns pool actually still checks for the pool health monitor.
    so the pool will not be use if its health monitor is down

     

    • travelerZ's avatar
      travelerZ
      Icon for Altostratus rankAltostratus

      Hi LiefZimmerman , there is no option to mark multiple answers as solution, which in this case I would like to do actually :)

      • LiefZimmerman's avatar
        LiefZimmerman
        Icon for Admin rankAdmin

        Hm, you are quite right. This is a change I wasn't aware of.

        I'll see if I can remediate that. Thanks for letting me know.

  • Thank you for your suggestions I appreciate it. My concern was to not provide internal IP address to the external users. Now I see that there is no reason to create new listener because when I want to protect the records I need to do it with iRule on WideIP as per Paulius solution for Split DNS, and as I do not need Split DNS I am using simpler iRule to allow DNS response only to private IP addresses. And for the discussion how to organize this internal only records and still use GSLB is your solution zamroni777 very nice and we will consider it, in our case we can create cname records on internal DNS servers and no records on external servers, and to combine this 2 solutions for better protection apply also iRule on the internal only WideIPs on F5.