Forum Discussion
MetaGawd_156909
Jun 26, 2014
Nimbostratus
GTM query regarding Internal and external zone views.
(EDITED 7-1)
Relatively new (a returnee of sorts) to F5 products.
We have an implementation of GTM (a redundant pair of instances with one at two different physical locations) that we are ...
John_Heyer_1508
Cirrostratus
I was able to get this working finally, but there are a few tricks to doing so. Namely, the GTM always takes the first view match if the source IP is allowed, so "internal" needs to be listed ahead of "external" in DNS -> Zones -> ZoneRunner -> View List.
The other gotcha is each view has its own loopback IP address. This IP will be 127.10.0.X, so be sure to include that IP by itself for each view, otherwise the GTM will not be able to query itself. Here's what the named.conf file would look like when all is said and done:
// ACLs generated by ZoneRunner: one loopback address per view
acl "zrd-acl-000-001" {
    127.10.0.1;    // loopback the GTM uses to query the "internal" view
};
acl "zrd-acl-000-002" {
    127.10.0.2;    // loopback the GTM uses to query the "external" view
};
acl "rfc_1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};
// Views are evaluated in order: the first match-clients hit wins,
// so "internal" must be listed before the catch-all "external".
view "internal" {
    match-clients {
        "zrd-acl-000-001";
        "rfc_1918";
    };
    allow-transfer {
        "zrd-acl-000-001";
    };
};
view "external" {
    match-clients {
        "zrd-acl-000-002";
        "any";
    };
    allow-transfer {
        "zrd-acl-000-002";
    };
};
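The two rules in John's answer (first matching view wins, and each view must admit its own 127.10.0.X loopback or the GTM cannot query itself) can be checked mechanically. The script below is an added example, not code from F5, BIND or any poster; it models the ACLs and view order from the named.conf above with Python's standard ipaddress module, the ACL prefixes and the 203.0.113.5 "outside" client are constructed values, and the view-to-loopback mapping is an assumption drawn from the post. It shows that reversing the view list sends every client to "external" and breaks self-queries for "internal".

```python
import ipaddress

# Constructed ACL table mirroring the named.conf in the post above
# (acl names are the ones the page shows; "any" is BIND's built-in ACL).
ACLS = {
    "zrd-acl-000-001": ["127.10.0.1"],   # loopback used by the "internal" view
    "zrd-acl-000-002": ["127.10.0.2"],   # loopback used by the "external" view
    "rfc_1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "any": ["0.0.0.0/0"],
}


def acl_matches(acl_name, client_ip):
    """True if client_ip falls inside any prefix of the named ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in ACLS[acl_name])


def select_view(view_list, client_ip):
    """BIND semantics: the FIRST view whose match-clients admits the source wins.
    view_list is an ordered list of (view_name, [acl_name, ...]) pairs."""
    for view_name, acl_names in view_list:
        if any(acl_matches(a, client_ip) for a in acl_names):
            return view_name
    return None  # no view matched; BIND would refuse the query


# The working order from the post: "internal" ahead of "external".
VIEWS_OK = [
    ("internal", ["zrd-acl-000-001", "rfc_1918"]),
    ("external", ["zrd-acl-000-002", "any"]),
]
# The broken order: the catch-all "external" view shadows everything after it.
VIEWS_BAD = list(reversed(VIEWS_OK))

# Assumed mapping of view -> the 127.10.0.X loopback BIND uses for that view.
LOOPBACKS = {"internal": "127.10.0.1", "external": "127.10.0.2"}


def self_query_problems(view_list, loopbacks):
    """Return the views the GTM could not reach when querying itself:
    a self-query from a view's loopback must land in THAT view."""
    return [name for name, lo in loopbacks.items() if select_view(view_list, lo) != name]


if __name__ == "__main__":
    for label, views in (("correct order", VIEWS_OK), ("reversed order", VIEWS_BAD)):
        print(label,
              "| 10.1.2.3 ->", select_view(views, "10.1.2.3"),
              "| 203.0.113.5 ->", select_view(views, "203.0.113.5"),
              "| self-query problems:", self_query_problems(views, LOOPBACKS))
```

Running it prints that the correct order routes 10.1.2.3 to "internal" and 203.0.113.5 to "external" with no self-query problems, while the reversed order routes both to "external" and leaves "internal" unreachable from its own loopback, which is exactly the symptom described above.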
Marvin
Feb 28, 2016
Cirrocumulus
Nice one John, works great; changing the internal listener (ACLs) and the view list did the trick indeed! If I do a netstat -an | grep 127.10 I see that the BIG-IP is listening internally for DNS requests on 127.10.0.0 and 127.10.0.1 and also 127.0.0.1.
@Darren if I change both ACLs to the same IP 127.0.0.0 then I am not able to access the zones anymore, so it seems it is needed to have two listeners. I believe these are only for ACL functionality internally within BIND, because the real listener in the named.conf is 127.0.0.1
listen-on port 53 {
    127.0.0.1;              // the real listener
    "zrd-acl-000-001";      // per-view loopback ACLs defined below
    "zrd-acl-000-000";
};
listen-on-v6 port 53 {
    ::1;
};
acl "zrd-acl-000-000" {
    127.10.0.0;
};
acl "zrd-acl-000-001" {
    127.10.0.1;
};