Forum Discussion
How does Network >> DNS resolver work?
Hi, I've been trying to configure a SOCKS proxy profile which uses the Network >> DNS resolver (not the DNS resolver configured under the DNS module settings). I would like the SOCKS proxy to be able to resolve the FQDNs of traffic within the SOCKS tunnel. From my testing so far it only works if I forward each FQDN that needs to be resolved to an external DNS server within our network. What I would like it to do is resolve or forward all (*) domains rather than having a separate forwarder for each FQDN.
How does the Network >> DNS resolver look up names which aren't in the cache?
- PeteWhiteEmployee
Add a forward zone for . (to forward all requests) or the required zone, and set the appropriate server to be the nameserver. Turn it on in the DNS profile. Simples!
Sorry, but I need to bump this. I can't get this to resolve other than by explicitly forwarding a known FQDN to a DNS server set within the resolver config, e.g. forward google.com to our caching DNS server. But that's only usable if you know the FQDN to forward, so it's not a workable solution. I've tried setting a wildcard of * to forward all, but the config is not accepted and seems limited to FQDNs. It does allow com, net, org etc., so I could forward each top-level domain as a workaround, but that is far from ideal. I'm unsure how this DNS resolver is supposed to work; I've set a BIND forwarder in System >> DNS, but that has no effect.
Any help or insight would be appreciated.
If you have a simple setup for me to build and test, I can try and see what I can find out; otherwise I would advise you to contact support if this is important for you.
- arpydaysNimbostratus
In the forward zone use a dot '.' to forward all requests.
Cheers
Thanks guys - using . was what I was looking for.
But I'm still interested in how it works. For example, if you don't forward zones, how does the DNS resolver resolve names that aren't in the cache (or how does it build its cache in the first place)? Is it supposed to use the local BIND installation on the F5? Because that didn't seem to work (although I had to set it to forward requests to our DNS servers; the F5 device doesn't have internet connectivity for DNS, so it can't do lookups itself).
@boneyard - also thanks. I'd been talking to our FSE but didn't think it was worth a support case just yet.
My setup for SOCKS (note I've added forward zone . as Pete suggested):
net dns-resolver DNSrevolver {
    forward-zones {
        . {
            nameservers {
                192.168.1.50:domain { }
            }
        }
    }
    route-domain 0
    use-ipv6 no
    use-tcp no
}

ltm profile socks my-socks {
    app-service none
    default-connect-handling allow
    defaults-from socks
    dns-resolver DNSrevolver
    protocol-versions { socks4 socks4a socks5 }
    route-domain 0
    tunnel-name socks-tunnel
}

ltm virtual my-sock-proxy {
    description "SOCKS forward proxy"
    destination 10.0.0.1:socks
    ip-protocol tcp
    mask 255.255.255.255
    pool ext-router
    profiles {
        my-socks { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation { type automap }
    translate-address enabled
    translate-port enabled
    vlans { vlan-int }
    vlans-enabled
    vs-index 3
}

ltm pool ext-router {
    description "external router nexthop"
    members {
        ext-router:any {
            address 192.168.1.1
            session monitor-enabled
            state up
        }
    }
    monitor gateway_icmp
}
The network is simple:
windows-client --> router-internal -->int F5 ext --> router-external --> ssh-server
F5 [internal interface]--> DNS or F5 [mgmt interface] --> DNS
To test SOCKS I used the PuTTY client and set the SOCKS server as the VS VIP 10.0.0.1:1080, and told PuTTY to resolve DNS on the proxy end. The ssh-server has a DNS entry of ssh-server.ourdomain.net; use that real hostname in PuTTY. It's proxied via the F5 and forwarded to ssh-server, so the F5 should do the resolution of ssh-server.ourdomain.net. The same principle applies to browser traffic (I just happened to use PuTTY).
Thanks both again.
Kind regards Adrian
- PeteWhiteEmployee
Hi Adrian,
The short answer about how the cache works is that it has the root nameservers configured and it acts as a caching resolver. Obviously this means that it needs the routing and firewalling to access the Internet, and it will use the TMM interfaces. It synchronises the cache across TMMs.
Pete
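As an added illustration (not F5 code, and not part of the original thread), the following Python model ties together the two mechanisms discussed above: a SOCKS5 CONNECT request that carries a hostname rather than an IP (which is what a client sends when told to resolve names at the proxy end, so the proxy's own resolver must do the lookup), and a forward-zone table where the longest matching zone suffix wins, "." acts as the catch-all, and a name that matches no zone would fall back to recursion from the root hints, as Pete describes. The zone and nameserver values are taken from the thread; www.example.com and the longest-suffix matching rule are assumptions made for the example, not a statement of how the BIG-IP implementation chooses zones.

```python
"""Illustrative model (not F5 code) of two things from the thread:

1. a SOCKS5 CONNECT request carrying a hostname (ATYP 0x03), which is what
   PuTTY sends when told to resolve names at the proxy end; and
2. how a resolver with forward zones picks where to send a query: the
   longest matching zone suffix wins (assumed rule), "." matches everything,
   and a name matching no zone falls back to recursion from the root hints.
"""
import socket
import struct
from typing import Dict, Optional, Tuple

# SOCKS5 address types (RFC 1928)
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_connect(req: bytes) -> Tuple[str, int, bool]:
    """Return (destination, port, needs_resolution) for a SOCKS5 CONNECT request.

    Layout: VER CMD RSV ATYP DST.ADDR DST.PORT.  For ATYP 0x03 the address is
    a length-prefixed hostname, so the proxy (not the client) must resolve it.
    """
    ver, cmd, _rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != 0x05 or cmd != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
        return host, port, False
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host = req[5:5 + n].decode("ascii")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return host, port, True
    if atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, req[4:20])
        port = struct.unpack("!H", req[20:22])[0]
        return host, port, False
    raise ValueError(f"unknown ATYP {atyp:#x}")


def build_socks5_connect(host: str, port: int) -> bytes:
    """Constructed request such as a client using 'resolve at proxy' would send."""
    h = host.encode("ascii")
    return bytes([0x05, 0x01, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def select_forward_zone(name: str, forward_zones: Dict[str, str]) -> Optional[str]:
    """Pick the nameserver for `name` by longest-matching zone suffix (assumed rule).

    Zones are keyed by name: "ourdomain.net", "net", or "." for everything.
    Returns None when no zone matches; a real caching resolver would then
    recurse from the root hints, which needs Internet reachability.
    """
    labels = name.rstrip(".").lower().split(".")
    # Try the full name, then progressively shorter suffixes: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in forward_zones:
            return forward_zones[candidate]
    return forward_zones.get(".")  # catch-all, if configured


def resolve_via_proxy(req: bytes, forward_zones: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Given a SOCKS5 request, say which name the proxy must resolve and where."""
    host, _port, needs_resolution = parse_socks5_connect(req)
    if not needs_resolution:
        return host, None  # literal IP: nothing for the resolver to do
    return host, select_forward_zone(host, forward_zones)


if __name__ == "__main__":
    # Constructed zone tables mirroring the two configurations discussed:
    # a per-zone forwarder only, versus the "." catch-all Pete suggested.
    specific_only = {"ourdomain.net": "192.168.1.50"}
    with_catch_all = {"ourdomain.net": "192.168.1.50", ".": "192.168.1.50"}
    ssh_req = build_socks5_connect("ssh-server.ourdomain.net", 22)
    web_req = build_socks5_connect("www.example.com", 443)  # constructed name
    print(resolve_via_proxy(ssh_req, specific_only))   # forwarded to 192.168.1.50
    print(resolve_via_proxy(web_req, specific_only))   # None: would need root hints
    print(resolve_via_proxy(web_req, with_catch_all))  # catch-all forwards it
```

Running the block shows why the per-FQDN forwarders were the only thing that worked on a device without Internet reachability: any name outside a configured zone returns None, meaning the resolver would have to recurse from the root servers itself, whereas the "." zone forwards everything to the internal nameserver.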