For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shaun_81936's avatar
Shaun_81936
Icon for Nimbostratus rankNimbostratus
Mar 03, 2009

External GTMs - load balance Internal DNS name

We currently use two GTMs (sync set located in DMZ) to load balance external DNS names and would like to utilize them to load balance a critical internal DNS name.

 

I'm not sure what the correct procedure would be to accomplish this - I was thinking that I need to setup an interal view and add this to the options:

 

match-clients {

 

10.0.0.0/8;

 

"zrd-acl-000-002";

 

};

 

Then add a zone to the internal view for this domain name and create an entry for this critical DNS name.

 

Modify the named - add these entries:

 

options {

 

listen-on port 53 {

 

127.0.0.1;

 

"zrd-acl-000-000";

 

"zrd-acl-000-002";

 

};

 

acl "zrd-acl-000-002" {

 

127.10.0.2;

 

};

 

On my internal windows DNS servers for this Domain zone - add my GTMs as name servers.

 

Is this the best method to accomplish this? Is anyone else doing this - what method are you using?

 

Thank you,

 

Shaun
config
design

5 Replies

  • semperfiguy_759's avatar
    semperfiguy_759
    Icon for Nimbostratus rankNimbostratus
    Mar 20, 2009
    Shaun,

     

     

    I have used the BIND Views feature on GTM to do this and it works well. I also looked at doing this with Topology Regions in GTM, but Views seemed to make more sense.

     

     

    One thing to look out for:

     

    When you create the “internal” Wide IP, make sure you have an “internal” view A record in Zone runner and “external” has an “external”. By default it creates on A record, but GTM does not know which one.

     

     

    -Bob

     

  • Shaun_81936's avatar
    Shaun_81936
    Icon for Nimbostratus rankNimbostratus
    Apr 07, 2009
    Bob,

     

     

    Thanks for the reply - I have a question regarding the configuration of your internal windows DNS server configuration for this same domain.

     

     

    I have my GTM configured for this Wide IP - example.abc.com and I have a abc.com zone setup on it.

     

     

    abc.com is may internal domain name and I cannot get my Windows DNS server to look to the GTM for the Wide IP dns name example.abc.com when it does not find the record in its abc.com zone - how did you configure your Windows DNS server to accomplish this?

     

     

    Thanks again,

     

     

    Shaun
  • semperfiguy_759's avatar
    semperfiguy_759
    Icon for Nimbostratus rankNimbostratus
    Jun 12, 2009
    Hey Shaun,

     

    Sorry for the LATE reply. You can create A records in the Windows forward lookup zone for the DNS listener on each GTM. After that create NS records for the subdomain or host you wish to delegate to GTM.

     

     

    A gtm1.abc.com1.1.1.1

     

    A gtm2.abc.com2.2.2.2

     

     

    NS example.abc.comgtm1.abc.com gtm2.abc.com

     

  • rajesh1's avatar
    rajesh1
    Icon for Nimbostratus rankNimbostratus
    Jul 13, 2010
    HI Rob,

     

     

    I am looking for bind view configuration on the GTM

     

     

    Can you share the sample bind view configuration on the GTM's ?

     

     

    Regds,

     

    Raj
  • BA_Rossmeisl_77's avatar
    BA_Rossmeisl_77
    Historic F5 Account
    May 18, 2012
    If you are running v11.0 you can always attach an LTM iRule to the GTM listeners with something like this if you have a per-determined TLD like .local for your internal dns structure.

    when DNS_RESPONSE {
if { ([DNS::question name] ends_with ".local") and !([IP::addr [IP::remote_addr] equals 10.0.0.0/8] or [IP::addr [IP::remote_addr] equals 172.16.0.0/12] or [IP::addr [IP::remote_addr] equals 192.168.0.0/16]) } {
DNS::drop
}
}