Hey all! Happy Cupcakes! I am having an issue where some clients are having issues looking up records on the GTM. We have a basic configuration with DNS delegating to the GTM, and the GTM is NOT running BIND. So the client: Looks up the FQDN against DNS servers(host.site.com), and gets a CNAME(host.wip.site.com).Asks the DNS for the NSs for that CNAMEs domain(.wip.site.com).DNS responds with the IPs of the GTM devices as they are the NS servers for the subdomain(.wip.site.com). THIS IS WHERE I GET CONFUSED. I expect and A record query, but.... The client then makes another NS query, against the GTM, for the FQDN(host.wip.site.com).The client then makes another NS query, against the GTM, for the sub-domain(wip.site.com).Stuck here. Customer states this is breaking all resolution from their DNS servers to our subdomain. Just can't seem to figure out why the dependency on the NS record exists? DNS security feature of some sort? So my question are: 1. Has anyone seen this, what appears to be NS lookup dependent resolution. Where an NS response must be before an A Record response? 2. Any good ideas on how to fix this, outside of enabling BIND on my external GTM devices? so you know,.. the DNS servers are behind LTMs, so the solution can be implemented there too. Maybe an iRule that responds to all NS queries with our records at the LTM DNS VIP? Any input/ideas/comments are appreciated!!! Thanks in advance!!! ~David

The server cannot compel the client query behavior, so whether it is DNSExpress or BIND responding shouldn't alter directly what the client asks for. Something is a bit unclear to me. You say that when the client asks for the NS set of wip.site.com, it receives back A records. Normally, it should receive an NS set with a set of glue A records in the Additional section. Is that what's happening, or is it really just getting A records? If it receives just A records, the delegating nameserver should be changed to provide an NS set with glue records. I assume you ran a packet capture on the client? If so, can you provide the output of tcpdump against that capture? If you captured the entire length for each packet and support -s0 to tcpdump, then the output stream should show the DNS questions and responses.

"You say that when the client asks for the NS set of wip.site.com, it receives back A records. Normally, it should receive an NS set with a set of glue A records in the Additional section. Is that what's happening, or is it really just getting A records?" Thanks for the response! Yes, the response has three NS records in it, AND the three related IP addresses. Which are the IP addresses of the GTM. Glue, yes. This is when the client discovers the GTM IPs. We do not do recursion, so the next query after this is directly to the GTM. I expect this be an A Record Query against the GTM for the host FQDN (host.wip.site.com). However, it is another NS lookup for that full name, just now against the GTM. When this times out, The client then tries NS lookups for (.wip.site.com). When this times out, The client then tries NS lookups for (host.wip.site.com), and stays stuck there in a loop, looking for these two NS records on the GTM. It appears to ignore any TTL that came with the successful NS lookup against the DNS servers. It seems to want a successful, or maybe autorative, NS response from GTM before proceeding to looking up and A Record. Thanks for the response!!! D

As you say, the client is behaving oddly. It's unclear when it "thinks" it has finished following the delegation chain if it is proactively requesting NS records. But, assuming it wants the delegatee NS records to match the delegator NS records, then you can use ZoneRunner to insert or modify the NS set on the BIG-IP for the zone in question to match those provided by the parent.

Yeah, I was hoping someone could explain that DNS "odd" behavior. Something I noted today was that the original CNAME the DNS server gives for host.site.com to host.wip.site.com, also has the NS servers AND their IPs in it. We are thinking now that the CNAME containing that info is causing the odd client behavior. I hope to not run BIND(zonerunner) on the boxes if possible. Thanks again. David

Forum Discussion

David__Pasch

Altostratus

Feb 16, 2016

GTM w/o BIND and NS Records

Hey all! Happy Cupcakes!

I am having an issue where some clients are having issues looking up records on the GTM. We have a basic configuration with DNS delegating to the GTM, and the GTM is NOT running BIND.

So the client:

Looks up the FQDN against DNS servers(host.site.com), and gets a CNAME(host.wip.site.com).
Asks the DNS for the NSs for that CNAMEs domain(.wip.site.com).
DNS responds with the IPs of the GTM devices as they are the NS servers for the subdomain(.wip.site.com).

THIS IS WHERE I GET CONFUSED. I expect and A record query, but....

The client then makes another NS query, against the GTM, for the FQDN(host.wip.site.com).
The client then makes another NS query, against the GTM, for the sub-domain(wip.site.com).
Stuck here.

Customer states this is breaking all resolution from their DNS servers to our subdomain. Just can't seem to figure out why the dependency on the NS record exists? DNS security feature of some sort?

So my question are: 1. Has anyone seen this, what appears to be NS lookup dependent resolution. Where an NS response must be before an A Record response? 2. Any good ideas on how to fix this, outside of enabling BIND on my external GTM devices? so you know,.. the DNS servers are behind LTMs, so the solution can be implemented there too. Maybe an iRule that responds to all NS queries with our records at the LTM DNS VIP?

Any input/ideas/comments are appreciated!!!

Thanks in advance!!!

~David

13 Replies

Josh_41258
Nimbostratus
Mar 31, 2016
A bit off-topic maybe, but let's consider this scenario:

BIND disabled in the DNS profile associated with the GTM listener
Sub-domain gtm.example.com delegated from LDNS to GTM
WIP named 'test.gtm.example.com' created on GTM
CNAME 'www.example.com' -> 'test.gtm.example.com' created in LDNS

Should the 'gtm.example.com' zone be defined on the BIG-IP at all, or should I just create a WIP? If it should be defined, should it be defined in ZoneRunner or in Local Traffic -> DNX Express Zones?
VernonWells
Employee
Mar 31, 2016
When you create a WideIP, the BIG-IP automatically creates the associated host record in the record store, and if the zone to which it belongs does not exist, it automatically creates that, too. As I mentioned above, even if you turn off BIND in the profile, BIND is still running. No matter what, BIG-IP uses BIND for zone management, even if BIND is not answering queries. The zone and hostname creation inserts records into local BIND. Any records in local BIND are loaded into the BIG-IP caching system (which is separate from BIND's caching mechanism), and available from there for use by the GSLB engine, DNS Cache, DNSExpress.

Said differently, when you disable BIND in the profile, you are telling BIG-IP that BIND cannot be used to resolve queries. That's generally a good idea (BIND is much slower than DNS Cache and DNSExpress and it is generally substantially more vulnerable). However, BIND continues to run so that it can manage zones for the GSLB engine, DNS Cache and DNSExpress.

DNSExpress is most commonly used to slave zones. The zone list for DNSExpress is a list of zones which it should slave, and the associated hosts from which the zones should be transferred. So, it's unrelated to the things you modify with ZoneRunner, because those are zones and records for which the BIG-IP is master.
VernonWells
Employee
Mar 31, 2016
Yes, to prevent BIND from answering queries off-box, disable it in the profile, just as you say.

In your case, DNSExpress is only providing answers to things defined locally, which means, zones for which the BIG-IP is master and authoritative. That's completely fine. There is no need to manually create the zones associated with WideIPs. When you create a WideIP, the zone is automatically created. You would add DNSExpress Zones only if you also wanted to slave from elsewhere (which you don't).

In short: you're doing the Right Thing to achieve what you're after. :)