
daboochmeister
Sep 25, 2017

GTM/DNS - separate listeners for internal vs. external DNS requests recommended?

Have had our GTMs set up for internal GSLB for a bit now - going to expose the GTMs for public DNS access as well. An external firewall will NAT the incoming traffic to the GTM's listener (which is a private IP).

In such a scenario, is it recommended to have a separate listener for the public traffic? Or what are the considerations that would decide between reusing the internal listener and establishing a separate one?

thx

2 Replies

  • There is really no need to have 2 separate WIPs for internal and external DNS requests.

    There is one thing that you may want to consider - DNS tends to get DoS'd quite frequently with brute-force floods of requests. Can the firewall in front of the GTM handle a flood of traffic? If the firewall also filters non-DNS traffic for other applications, you can remove the firewall and use a standalone GTM with a public IP address in order to prevent other services from going down because of a DNS DoS attack.

  • Hi,

    Creating 2 different listeners won't change GTM behavior.

    The only benefit of creating a second listener is to apply an iRule on it to rewrite the request value. Then GTM will handle different wideIPs for the internal and external listeners.
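The following iRule illustrates the split the second reply describes: it is attached to the external (public-facing) listener only, so internal clients keep resolving the unmodified wideIP while external queries are steered to a separate wideIP that holds only public-facing pool members. This is an added example, not code from the thread or from F5. It assumes a second GTM listener with a DNS profile attached, a platform on which the DNS_REQUEST and DNS_RESPONSE iRule events are available, and the hypothetical names www.example.com and www-ext.example.com.

```tcl
# Added example, not from the original thread.
# Attach to the EXTERNAL listener only. Assumes a DNS profile on the listener,
# DNS iRule events licensed on the platform, and the hypothetical wideIP names
# www.example.com (published name) and www-ext.example.com (public-only wideIP).
when DNS_REQUEST {
    # Normalise the queried name; DNS names are case-insensitive.
    set qname [string tolower [DNS::question name]]
    set orig_qname ""

    # Only the published public name is rewritten; every other query is
    # left untouched so unrelated wideIPs behave exactly as on the internal listener.
    if { $qname equals "www.example.com" } {
        set orig_qname $qname
        # Rewrite the question so GTM matches the public-only wideIP.
        DNS::question name "www-ext.example.com"
        log local0. "external listener: rewrote $qname to www-ext.example.com for [IP::client_addr]"
    }
}

when DNS_RESPONSE {
    # Restore the original question name so the client's resolver sees the
    # name it actually asked for; resolvers drop answers whose question
    # section does not match their query.
    if { $orig_qname ne "" } {
        DNS::question name $orig_qname
    }
}
```

After attaching the rule, confirm the behaviour from both sides: a query for www.example.com sent to the internal listener should return the internal wideIP's answer, and the same query through the firewall's public NAT should return only public-facing addresses. Check the answer section's owner names in the external response as well; if the records still carry the rewritten name, the response needs further editing before clients will accept it.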