Forum Discussion
F5 gtm last resort pool DNS Record problem
Hi GrazianoSommariva ,
The issue occurs because F5 BIG-IP DNS (GTM) sometimes returns an empty or inconsistent DNS response when using a last resort pool (e.g., NOERROR with no A record).
When this response goes through Microsoft DNS Server, it may be interpreted as a negative response and cached as NXDOMAIN (per RFC 2308 behavior).
Because GTM responses are not always consistent (sometimes valid IP, sometimes empty), Microsoft DNS alternates between caching valid and negative results—causing the intermittent “1 in 3 NXDOMAIN” issue.
Direct queries to GTM work fine because there’s no intermediate caching or reinterpretation.
Make GTM responses consistent (always return an IP).
That eliminates Microsoft DNS misinterpretation and stops intermittent NXDOMAIN completely.
I always ensure GTM always returns an IP (best fix)
Avoid empty answers by forcing fallback behavior.
tmsh modify gtm pool <pool_name> fallback-mode fallback-ip
Try the following quick checks to confirm what is causing the issue:
Run from a client machine:
1. Query Microsoft DNS
nslookup yourdomain.com <MS-DNS-IP>
2. Query F5 directly
nslookup yourdomain.com <GTM-IP>
Compare:
Answer section
Authority section (SOA?)
Response code (NOERROR vs NXDOMAIN)
3. Check if GTM ever returns empty answers
dig @<GTM-IP> yourdomain.com +noall +answer +authority
If you sometimes see:
No A record
Only SOA
That’s the trigger.
Please let me know for more discussion.
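Added example, not part of the original reply: because the symptom is intermittent, a single dig run can miss it, so this sketch classifies each response and tallies many of them. The function names, `example.com` and `192.0.2.10` are constructed for illustration, and `+comments` is added to the dig flags from the reply so that the response code is printed.

```shell
# Reads one dig response (run with +comments) on stdin and prints one of:
# ANSWER, NODATA+SOA, NODATA, NXDOMAIN, OTHER:<rcode>
classify_dig() {
    awk '
        /->>HEADER<<-/ {            # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
        }
        /^;/ || NF < 5 { next }     # skip comment, section-header and blank lines
        $4 == "A"   { a++ }         # resource records: name ttl class type rdata
        $4 == "SOA" { soa++ }
        END {
            if (rcode == "NXDOMAIN")          print "NXDOMAIN"
            else if (rcode == "NOERROR" && a) print "ANSWER"
            else if (rcode == "NOERROR")      print (soa ? "NODATA+SOA" : "NODATA")
            else                              print "OTHER:" rcode
        }'
}

# Query a server repeatedly and tally the classifications (needs dig + network).
# usage: sample_server <server-ip> <name> [count]
sample_server() {
    n=0
    while [ "$n" -lt "${3:-30}" ]; do
        dig @"$1" "$2" A +noall +comments +answer +authority | classify_dig
        n=$((n + 1)); sleep 1
    done | sort | uniq -c
}

# Constructed sample responses (not captured from a real GTM or DNS server).
sample_answer() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; ANSWER SECTION:
app.example.com. 30 IN A 192.0.2.10
EOF
}
sample_nodata() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; AUTHORITY SECTION:
example.com. 30 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 10800 3600 604800 60
EOF
}
sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1003
;; AUTHORITY SECTION:
example.com. 30 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 10800 3600 604800 60
EOF
}
```

Run `sample_server <GTM-IP> yourdomain.com` and then `sample_server <MS-DNS-IP> yourdomain.com` and compare the tallies; any `NODATA` lines from the GTM run correspond to the "No A record / Only SOA" case listed in check 3.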