Forum Discussion
CirrostratusGTM: SERVFAIL when looking up Internet hostnames
I need our GTMs to be able to resolve Internet hostnames. I've followed all the required steps, such as setting up '.' has a hint zone, downloading the named.root file, enabling recursion, and even rebooting. But no joy. It seems to be refusing the queries.
The internal listener is working fine and resolving internal hostnames:
$ nslookup 192.168.10.10
Server: 192.168.10.10
Address: 192.168.10.1053
Name:
Address: 192.168.100.200
But for general internet hostnames I always see a SERVFAIL
$ nslookup 192.168.10.10
Server: 192.168.10.10
Address: 192.168.10.1053
** server can't find SERVFAIL
Tcpdump shows the query is making it to the GTM, but being immediately rejected:
11:14:22.580698 IP 192.168.10.101.46457 > 192.168.10.10.domain: 64230+ A? (32)
11:14:22.581140 IP 192.168.10.10.domain > 192.168.10.101.46457: 64230 ServFail 0/0/0 (32)
4 Replies
Mike_Sullivan_2Nimbostratus
Is your sytax valid? try
nslookup www.google.com 192.168.10.10Mike
John_Heyer_1508You get the same result.
- Mike_Sullivan_2
The way I have it setup is w/ the DNS Express feature (11.5.1). I have a pool of external resolvers. I have a DNS profile that is setup for caching and allows Unhandled Queries (so that the external resolver pool gets used). Finally I have a gtm vip tying it together.
I used this document to set it up: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/6.html
Cheers, Mike
- John_Heyer_1508
That's an interesting approach. Never see this recommended by F5 but something I'll consider. DNS express should offer better performance vs. the standard BIND backend.
Anyway, I was able to figure out the problem - I needed to have an "allow-recursion" statement in the configuration. This can be done in the options of the named.conf file, or within the applicable view, i.e.
options { recursion yes; } acl "rfc_1918" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; view "internal" { allow-recursion { "rfc_1918"; }; };
