Forum Discussion
External and Internal DNS on same appliance
Hello F5 experts,
Is it possible to somehow logically divide our current F5 DNS appliances so that they have external and internal DNS records without security risks? How could/couldn't it be done, do you have experience with it? Any brainstorming is highly appreciated :).
We have primary BIND servers that delegate a couple of DNS zones to F5s. However, internal services that translate to internal IPs also started to appear, while we want to use GSLB on our 2 data centers, but we clearly do not want these internal IPs to be visible from the Internet.
I was thinking about creating a new DNS zone for internal services for which we want to use GSLB and delegate the zone from our primary DNS servers to our F5 DNS, where I would create a new DNS listener (that is, there will be different NS records on primary DNS servers for internal than for external services) on which I would put an ACL only for private IPs. But both the zone and the Wide IPs for internal services will be available on the F5, and I can't create/block it only for a specific listener, as far as I know. Which means that if someone from the Internet directly tries to resolve the internal services and asks the IP addresses of external listeners, F5 will provide them right...
At the moment, I have an iRule on a Wide IP for the internal services, which only allows private IPs, but I consider this to be only a temporary workaround and we need a full solution as internal services will grow.
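As an added illustration (not code from the thread or from the codeshare article), this is the shape of the "answer only private resolvers" Wide IP iRule described above. The pool name internal_gslb_pool is a placeholder, and the drop command is assumed to be available in the GTM Wide IP iRule context on the BIG-IP DNS version in use.

```tcl
# Added example, not from the thread: Wide IP iRule that lets GSLB answer only
# when the requesting resolver (LDNS) comes from an RFC 1918 address.
# Assumptions: attached to the internal-only Wide IP(s); "internal_gslb_pool" is a
# hypothetical pool name; "drop" is assumed to exist in this iRule context.
when DNS_REQUEST {
    # Only the resolver's address is visible here, not the end client's, so
    # internal resolvers must reach the listener from a private source address.
    set ldns [IP::client_addr]

    if { [IP::addr $ldns equals 10.0.0.0/8] ||
         [IP::addr $ldns equals 172.16.0.0/12] ||
         [IP::addr $ldns equals 192.168.0.0/16] } {
        # Private source: let GSLB choose from the internal pool as usual.
        pool internal_gslb_pool
    } else {
        # Public source: log for visibility and drop, so the internal IP is never
        # returned even if the query arrives on an Internet-facing listener.
        log local0. "Dropped query for internal Wide IP from non-private LDNS $ldns"
        drop
    }
}
```

Because the check keys on the resolver's address, an internal client that forwards through a resolver with a public source address would also be refused; verify the resolvers' egress addresses before relying on this alone.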
You might take a look at the following article.
https://community.f5.com/kb/codeshare/gslb-split-dns-by-irule/301865
- travelerZ (Altostratus)
Thank you for your suggestions, I appreciate it. My concern was to not provide internal IP addresses to the external users. Now I see that there is no reason to create a new listener, because when I want to protect the records I need to do it with an iRule on the Wide IP as per Paulius' solution for Split DNS, and as I do not need Split DNS I am using a simpler iRule to allow DNS responses only to private IP addresses. As for the discussion of how to organize these internal-only records and still use GSLB, your solution, zamroni777, is very nice and we will consider it; in our case we can create CNAME records on internal DNS servers and no records on external servers, and to combine these 2 solutions for better protection also apply an iRule on the internal-only Wide IPs on the F5.
travelerZ - please consider marking either (or multiple) answers as solution if they helped to resolve your question.
Thanks!
- travelerZ (Altostratus)
Hi LiefZimmerman, there is no option to mark multiple answers as solution, which in this case I would actually like to do :)
Hm, you are quite right. This is a change I wasn't aware of.
I'll see if I can remediate that. Thanks for letting me know.
- zamroni777 (Nacreous)
If the topology method in the article mentioned by Paulius above is not feasible, you can try the multiple CNAME-Wide IP method as I write in the link below: gtm split dns using multiple cname-wideip
BTW, the topology mechanism that selects the DNS pool actually still checks the pool health monitor,
so the pool will not be used if its health monitor is down.