Forum Discussion
GTM query regarding Internal and external zone views.
(EDITED 7-1)
Relatively new (a returnee of sorts ) to F5 products.
We have an implementation of GTM (a redundant pair of instances with one at two different physical locations) that we are trying to ready for production that is intended to replace our internal DMZ nameservers and external authoritative DNS name servers. The thought was to create an internal and external view utilizing one set of DNS servers
After setting up wideIPs, we proceeded to migrate our external zones to GTM using the external view. This seemed successful. In the Zone RUnner GUI we then created a internal zone using one of our domains. We then discovered that it seemed populated with the external records even though it was defined as db.internal.(domain).com.
Via CLI I was able to confirm that the db.internal.(domain).com. did NOT have these external records, and proceeded to manually enter internal records. I then reloaded the zrd process after validating the BIND files
I'm assuming that there must be some misconfiguration in the GTM instance itself as it appears that BIND is properly configured in terms of the views but in the GUI ZoneRunner does not see any internal view domain that shares a domain name with an external view zone.
To sum up:
-From the GTM GUI if I create a zone as internal only when I attempt to view the zone details I get this error:
01150b21:3: RCODE returned from query: 'NOTAUTH'.
-If I attempt to create a record for the internal only zone in the GUI get this error:
115040a:3: Zone not authoritative during update.
-From the CLI I can create the internal view zones, check them and successfully add them to the named.conf. named.conf correctly has both views defined and the correct zones assigned. The internal view and external views zones all have the correct information. The permissions all appear to be correct (belonging to the named process).
Any ideas on what I may be doing wrong?
- MarvinCirrocumulus
Nice one John works great, changing the internal listener (ACLs) and the view list did the trick indeed! If I do a netstat -an | grep 127.10 I see that the Big IP is listening internally for DNS requests on 127.10.0.0 and 127.10.0.1 and also 127.0.0.1.
Darren if I change both ACL to the same IP 127.0.0.0 than I am not able to access the zones anymore, so it seems it is needed to have two listeners. I believe these are only for ACL functionality internally within BIND, because the real listener in the named conf is 127.0.0.1
listen-on port 53 { 127.0.0.1; "zrd-acl-000-001"; "zrd-acl-000-000"; }; listen-on-v6 port 53 { ::1; }; acl "zrd-acl-000-000" { 127.10.0.0; }; acl "zrd-acl-000-001" { 127.10.0.1; }; [root@F5:Active:In Sync] namedb netstat -an | grep :53 tcp 0 0 **127.10.0.1:53** 0.0.0.0:* LISTEN tcp 0 0 **127.10.0.0:53** 0.0.0.0:* LISTEN tcp 0 0 **127.0.0.1:53** 0.0.0.0:* LISTEN tcp 0 0 ::1:53 :::* LISTEN udp 0 0 **127.10.0.1:53** 0.0.0.0:* udp 0 0 **127.10.0.0:53** 0.0.0.0:* udp 0 0 **127.0.0.1:53** 0.0.0.0:* udp 0 0 ::1:53 :::* udp 0 0 ::1:5353 :::*
- John_Heyer_1508Cirrostratus
I was able to get this working finally, but there are a few tricks to doing so. Namely, the GTM always takes the first view match if the source IP is allowed, so "internal" needs to be listed ahead of "external" in DNS -> Zones -> ZoneRunner -> View List.
The other gotcha is each view has its own loopback IP address. This IP will be 127.10.0.X, so be sure to include that IP by itself for each view, otherwise the GTM will not be able to query itself. Here's what the named.conf file would look like when all said and done:
acl "zrd-acl-000-001" { 127.10.0.1; }; acl "zrd-acl-000-002" { 127.10.0.2; }; acl "rfc_1918" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; view "internal" { match-clients { "zrd-acl-000-001"; "rfc_1918"; }; allow-transfer { "zrd-acl-000-001"; }; }; view "external" { match-clients { "zrd-acl-000-002"; "any"; }; allow-transfer { "zrd-acl-000-002"; }; };
- MarvinCirrocumulusNice one John works great, changing the internal listener (ACLs) and the view list did the trick indeed! If I do a netstat -an | grep 127.10 I see that the Big IP is listening internally for DNS requests on 127.10.0.0 and 127.10.0.1 and also 127.0.0.1. @Darren if I change both ACL to the same IP 127.0.0.0 than I am not able to access the zones anymore, so it seems it is needed to have two listeners. I believe these are only for ACL functionality internally within BIND, because the real listener in the named conf is 127.0.0.1 listen-on port 53 { 127.0.0.1; "zrd-acl-000-001"; "zrd-acl-000-000"; }; listen-on-v6 port 53 { ::1; }; acl "zrd-acl-000-000" { 127.10.0.0; }; acl "zrd-acl-000-001" { 127.10.0.1; };
- darren_19980NimbostratusJohn, it is possible to use the same loopback IP for both internal and external view? and where did you define those loopback IPs?
- John_Heyer_1508Cirrostratus
Were you ever able to find a solution? I created a view called 'internal' with 'match-clients' and 'allow-transfer' both set to 'any'. But when attempting to view the RRs I get 01150b21:3: RCODE returned from query: 'NOTAUTH'
Changing the view to 'external' and everything behaves exactly as configured.
- Cory_50405Noctilucent
My only other thought would be file permissions which you say you've verified. Anything under /var/named should be owned by named. From bash, if you run 'ls -lR', do you see anything not owned by named?
- MetaGawd_156909Nimbostratus
Thanks for your reply Cory.
I can confirm that the behavior happens whether or not the Create Reverse record box is checked (and if there is a reverse zone present or not).
In regards to the latter, I did add an ACL for the internal view to the named.conf. I've tried this with and without that ACL in place, and the issue continues. I opened a support case; just waiting to hear back from the engineer.
Thanks again!
- Cory_50405Noctilucent
The 'Zone not authoritative during update' message could be because you have the 'Create Reverse Record' checkbox enabled and the reverse zone isn't authoritative (or even created) within ZoneRunner.
It sounds like the NOTAUTH issue could be related to permissions within named.conf. Have you changed any controls or ACLs within your named.conf file?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com