Forum Discussion
F5_324021
Cirrus
CirrusGTM Design For External DNS Queries
Hello,
I'm a little bit confused here as I'm setting up my upcoming project design which includes 2 boxes with GTM and LTM modules each, and each box will be located in a site (SITE A, SITEB),GTM will be handling the external DNS queries for a specific domain name (),
First is it possible configure a private IP on the GTM and NAT it with a public IP on our firewall,
So the DNS flow for my design is as the following:-
Internet Client --->External DNS (ISP DNS)-->Firewall--->GTM--->LTM--->VS
What should be done from the external DNS side, should the ISP just delegate the DNS queries matching the to the public IP configured on our firewall which will traverse all the DNS queries to our GTM,
Waiting for your recommendations
Thanks :)
Hello,
what about the A record ip address of the Ns gtm1 is it the ip address of the listener configured on the GTM or is it the self ip address of the GTM?
Also i have another question when doing the same delegation from the external DNS (Internet side) the delegation configuration will be as you stated the following:-
ns1.gtm.example.com A X.X.X.X wip.example.com NS ns1.gtm.example.com
Here the X.X.X.X Ip address will be the piblic ip address of the GTM to be natted on the firewall or what?regardless if its the listener or the self ip of the GTM.
Hope you can help me
Thank you..
Greetings,
The flow looks like this:Internet | Firewall | | | |<------>GTM | |<------>LTMThe GTM server object's Address is the Firewall IP address (basic TCP connectivity), while the Translation IP address is the internal LTM IP address (this address is learned via iquery).
K14707: Configuring BIG-IP DNS server objects for BIG-IP devices that reside behind a firewall NAT
https://support.f5.com/csp/article/K14707
Kevin
F5_324021Hello Kevin,
What about the external DNS configuration?DNS delegation from the ISP side is enough for the GTM to receive all the DNS queries from the internet?
Thank you..
Greetings, These articles are fairly short and discuss basic BIG-IP DNS (GTM) functionality with regards to DNS delegation and DNS resolution:
K277: Delegating a subdomain to a BIG-IP DNS or BIG-IP Link Controller system from another DNS server
https://support.f5.com/csp/article/K277
Replacing a DNS Server with BIG-IP DNS
K14421: Achieving split DNS behavior through BIG-IP DNS wide IPs
https://support.f5.com/csp/article/K14421
Hope this is helpful!
Kevin
- F5_324021
Hello Kevim,
Seems split DNS configuration do the job , however from the DNS server even the Local DNS or the external DNS what should be done from that side to forward all DNS queries to the GTM.
Thank you..
- F5_324021
Hello,
what about the A record ip address of the Ns gtm1 is it the ip address of the listener configured on the GTM or is it the self ip address of the GTM?
Also i have another question when doing the same delegation from the external DNS (Internet side) the delegation configuration will be as you stated the following:-
ns1.gtm.example.com A X.X.X.X wip.example.com NS ns1.gtm.example.com
Here the X.X.X.X Ip address will be the piblic ip address of the GTM to be natted on the firewall or what?regardless if its the listener or the self ip of the GTM.
Hope you can help me
Thank you..
Greetings,
"what about the A record ip address of the Ns gtm1 is it the ip address of the listener configured on the GTM or is it the self ip address of the GTM?"
This would be the listener address (or the IP address that receives and processes DNS queries)."Here the X.X.X.X Ip address will be the piblic ip address of the GTM to be natted on the firewall or what?"
Yes, this would be the external IP address that the firewall offers to the world.Hope this is helpful!
Kevin- F5_324021
Hello Kevin,
Thats great,
So once the DNS request reaches the GTM and pick the VS that should hold the traffic request is the GTM going to reply with the public ip of the VS?if yes, and how it will know the public address if its configured as a private address on the LTM?
Thanks again.
Greetings,
I hope terrible ascii topology is helpful:
Internet Firewall <------+ | 11.22.33.44 | | LTM | 192.168.10.44 | GTMUsing the topology, the server object for LTM would be created as follows:
gtm server testing { addresses { 11.22.33.44 { device-name /Common/testing translation 192.168.10.44 } }GTM will connect through the firewall to the LTM. It will use the firewall IP (address) for DNS queries, while understanding that the real IP address (translation) is 192.168.10.44.
The added benefit here is that GTM is going to probe the same path as customer will, so if there's a firewall issue, GTM will detect and act accordingly (depending on configuration).
Virtual servers would follow the same IP address scheme. One Important, you can't auto-discover unfortunately. From K14707:
Important: The BIG-IP DNS system does not auto discover virtual severs on the BIG-IP LTM devices that reside behind a firewall NAT. You must manually add the BIG-IP LTM virtual servers to the BIG-IP DNS configuration.
my_vip_one { destination 11.22.33.45:http enabled monitor none translation-address 192.168.10.45 translation-port any }This article will give all of the necessary background to understand more if you are curious:
https://support.f5.com/csp/article/K14707
Thanks!
Kevin
