For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Daniel_55334's avatar
Daniel_55334
Icon for Altostratus rankAltostratus
Jul 06, 2015

GTM to replace LDNS

We are going to replace LDNS servers with a pair of GTM. They will serve queries from Internet only.   We have 2 sites, with 1 GTM and a pair of LTM in each site. GTM is located in DMZ and LTM in ...
application delivery
BIG-IP DNS
deployment
LTM
Andrea_Arquint_'s avatar
Andrea_Arquint_
Historic F5 Account
Sep 21, 2015

Hi Daniel,

 

I know, 2 months ago but just for others who are sticky on that topic as well.

 

  1. You just need to configure on DNS (GTM) under GSLB -> Servers "BIG-IP System (Redundant)" with "bigip" health monitor assigned (iQuery does communicate status in both directions automatically). Bear in mind disabling "virtual server discovery" for your configuration (https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9138.html)..)

     

  2. I don't know if I understood clear second question... You register a domain at your local registrar for instance "domain.jp". You host this zone somewhere (at an external DNS provider or internally on your local bind's maybe). It depends on your concept how you want to announce GSLB RR for that zone. In case that F5 DNS module (GTM GSLB) should resolve GSLB related RR only you have to configure a delegation for your GSLB RR on the SOA for domain.jp.

     

Example:

 

  • SOA (other DNS than F5 BIG-IP) is the responsible for your zone domain.jp

     

  • Configure at least two additional NS records on the SOA for domain.jp

     

  • NS records (delegation for your GTM's, they are the SOA's for third level domain gslb.domain.jp):

     

  • gslb.domain.jp (IP GTM DC A)

     

  • gslb.domain.jp (IP GTM DC B)

  • add a cname RR like (which will be delegated to your GTM's):

     

  • www which points to www.gslb.domain.jp

     

A request to www.domain.jp would resolve the cname pointing to www.gslb.domain.jp which will be forwarded to your GTM's. Your GTM's WIDE-IP www.gslb.domain.jp will response the corresponding LTM VS IP based on your preferred GSLB method and GSLB pool configuration.

 

So, this is basically the concept for GSLB but within our DNS module you would have a lot more which could help you enforcing additionally DNS security.

 

What do you actually mean by "replace LDNS"? LDNS concept includes basically recursion on WWW which is normally on provider premise for xDSL customers uplinks for instance. So, from this point of perspective you could replace an LDNS server as well with our DNS module.

 

Regards,

 

Andrea

 

  • Daniel_55334's avatar
    Daniel_55334
    Icon for Altostratus rankAltostratus
    Sep 22, 2015
    Thanks for your response Andrea. We are still pending on the implementation so it's definitely not too late. 1. OK I just add the LTM on GTM without VS auto discovery, and add the VS on GTM manually and configure public and translation addresses. In case VS1 on LTM is down and it notifies GTM about this, how does GTM relate it to the VS1 configured on itself? 2. The existing LDNS (maybe I should use the term DNS server instead) serves DNS queries from Internet about domain domain.jp. What I mean about "replace LDNS" is that GTM will serve the same purpose as this DNS server after migration and the DNS server will retire. Currently there are zone files on the DNS server. How should they be transferred to GTM so that GTM can replace the function of the DNS server?