Forum Discussion
GTM w/o BIND and NS Records
Hey all! Happy Cupcakes!
I am having an issue where some clients are having issues looking up records on the GTM. We have a basic configuration with DNS delegating to the GTM, and the GTM is NOT running BIND.
So the client:
- Looks up the FQDN against DNS servers(host.site.com), and gets a CNAME(host.wip.site.com).
- Asks the DNS for the NSs for that CNAME's domain (.wip.site.com).
- DNS responds with the IPs of the GTM devices as they are the NS servers for the subdomain(.wip.site.com).
THIS IS WHERE I GET CONFUSED. I expect an A record query, but....
- The client then makes another NS query, against the GTM, for the FQDN(host.wip.site.com).
- The client then makes another NS query, against the GTM, for the sub-domain(wip.site.com).
- Stuck here.
Customer states this is breaking all resolution from their DNS servers to our subdomain. Just can't seem to figure out why the dependency on the NS record exists? DNS security feature of some sort?
So my questions are:
1. Has anyone seen this, what appears to be NS-lookup-dependent resolution, where an NS response must come before an A record response?
2. Any good ideas on how to fix this, outside of enabling BIND on my external GTM devices? So you know, the DNS servers are behind LTMs, so the solution can be implemented there too. Maybe an iRule that responds to all NS queries with our records at the LTM DNS VIP?
Any input/ideas/comments are appreciated!!!
Thanks in advance!!!
~David
13 Replies
- VernonWells
Employee
The server cannot compel the client query behavior, so whether it is DNSExpress or BIND responding shouldn't alter directly what the client asks for.
Something is a bit unclear to me. You say that when the client asks for the NS set of wip.site.com, it receives back A records. Normally, it should receive an NS set with a set of glue A records in the Additional section. Is that what's happening, or is it really just getting A records? If it receives just A records, the delegating nameserver should be changed to provide an NS set with glue records.
I assume you ran a packet capture on the client? If so, can you provide the output of tcpdump against that capture? If you captured the entire length for each packet (tcpdump supports -s0 to do that), then the output stream should show the DNS questions and responses.
- David__Pasch
Altostratus
"You say that when the client asks for the NS set of wip.site.com, it receives back A records. Normally, it should receive an NS set with a set of glue A records in the Additional section. Is that what's happening, or is it really just getting A records?"
Thanks for the response! Yes, the response has three NS records in it, AND the three related IP addresses, which are the IP addresses of the GTM. Glue, yes. This is when the client discovers the GTM IPs. We do not do recursion, so the next query after this is directly to the GTM. I expect this to be an A record query against the GTM for the host FQDN (host.wip.site.com). However, it is another NS lookup for that full name, just now against the GTM. When this times out, the client then tries NS lookups for (.wip.site.com). When this times out, the client then tries NS lookups for (host.wip.site.com), and stays stuck there in a loop, looking for these two NS records on the GTM. It appears to ignore any TTL that came with the successful NS lookup against the DNS servers. It seems to want a successful, or maybe authoritative, NS response from the GTM before proceeding to looking up an A record.
Thanks for the response!!!
D
- VernonWells
Employee
As you say, the client is behaving oddly. It's unclear when it "thinks" it has finished following the delegation chain if it is proactively requesting NS records. But, assuming it wants the delegatee NS records to match the delegator NS records, then you can use ZoneRunner to insert or modify the NS set on the BIG-IP for the zone in question to match those provided by the parent.
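One way to check for the mismatch described above, as an added example that is not from this thread or from F5: walk the delegation the way a resolver would (parent NS set, glue, then each delegated server) and report any server that lacks an authoritative NS set for the sub-zone or an A record for the host. Zone names, addresses and the in-memory answers are constructed; `query` stands in for a real DNS lookup.

```python
# Delegation consistency check for a sub-zone (e.g. wip.site.com) delegated
# to authoritative-only servers such as a GTM with BIND disabled.
# Added example, not code from the thread. All names, addresses and answers
# are constructed; query() is a stand-in for a real resolver call.

ZONE = "wip.site.com."
HOST = "host.wip.site.com."

# server -> (qname, qtype) -> (aa_flag, rdata list); a missing key models
# a timeout or NXDOMAIN from that server.
PARENT_DNS = {
    (ZONE, "NS"): (False, ["gtm1.wip.site.com.", "gtm2.wip.site.com."]),
    ("gtm1.wip.site.com.", "A"): (False, ["192.0.2.1"]),  # glue
    ("gtm2.wip.site.com.", "A"): (False, ["192.0.2.2"]),  # glue
}
GTM_OK = {  # NS set matches the parent and the host answer is authoritative
    (ZONE, "NS"): (True, ["gtm1.wip.site.com.", "gtm2.wip.site.com."]),
    (HOST, "A"): (True, ["198.51.100.10"]),
}
GTM_NO_NS = {  # answers the host, but has no NS set for the zone at all
    (HOST, "A"): (True, ["198.51.100.10"]),
}
SERVERS = {"parent": PARENT_DNS, "192.0.2.1": GTM_OK, "192.0.2.2": GTM_NO_NS}


def query(server, qname, qtype):
    """Return (aa, rdata) from the constructed table, or None if unanswered."""
    return SERVERS.get(server, {}).get((qname, qtype))


def check_delegation(zone, host, parent="parent"):
    """Follow parent NS + glue to each delegated server and collect findings."""
    findings = []
    parent_ns = query(parent, zone, "NS")
    if not parent_ns:
        return [f"parent has no NS set for {zone}"]
    for ns in parent_ns[1]:
        glue = query(parent, ns, "A")
        if not glue:
            findings.append(f"no glue A record for {ns} in parent")
            continue
        for ip in glue[1]:
            child_ns = query(ip, zone, "NS")
            if child_ns is None:
                findings.append(f"{ip}: no NS set for {zone} (client may loop on NS queries)")
            elif not child_ns[0] or set(child_ns[1]) != set(parent_ns[1]):
                findings.append(f"{ip}: NS set for {zone} not authoritative or differs from parent")
            answer = query(ip, host, "A")
            if answer is None or not answer[0]:
                findings.append(f"{ip}: no authoritative A record for {host}")
    return findings
```

An empty findings list means every delegated server agrees with the parent; each finding names the server and the record it is missing or mismatching.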
- David__Pasch
Altostratus
Yeah, I was hoping someone could explain that DNS "odd" behavior. Something I noted today was that the original CNAME the DNS server gives for host.site.com to host.wip.site.com, also has the NS servers AND their IPs in it. We are thinking now that the CNAME containing that info is causing the odd client behavior.
I hope to not run BIND(zonerunner) on the boxes if possible.
Thanks again.
David
- VernonWells
Employee
A point of clarification is important here: ZoneRunner is not BIND, but rather a tool for managing zones. If you disable BIND for service delivery (and in general, it's a good idea to do so) you can, for example, opt to use DNS Express to provide authoritative answers for hostnames that are not WideIPs. In this case, ZoneRunner is still used to manage the zones which are not slaved.
- VernonWells
Employee
- David__Pasch
Altostratus
Vernon, To your first point, are you saying that I can leave BIND disabled, and use DNSExpress to answer other DNS query types, without doing any DNS exchanges with the DNS servers? Just manage it as a local DNS server, that isn't BIND based OR tied into the DNS mesh, just the sync group? That would be great, I was under the impression that Zonerunner was simply the configuration interface for BIND on the GTM.
To your second point, yes we are considering how the CNAME is set up, and addressing that first.
Thanks again!
D
- VernonWells
Employee
Yes, you can use ZoneRunner to manage zones for which the BIG-IP is master and authoritative. To be completely pedantic, BIND will still be running on the system (and really provides the zone management data store) but it is not BIND that will answer queries, when BIND is disabled and DNSExpress is enabled.
- David__Pasch
Altostratus
Great info, Vernon!
Thanks again!!
