Forum Discussion
Girma_Tefera
Altocumulus
AltocumulusIssue on Windows DNS forwarding to F5 DNS
We have an issue with our F5 DNS, some users encountered session timeout messages in the middle of service, and some users can't access their accounts because the login page of the web server doesn't...
Mike757
MVP
MVPHi, Girma_Tefera
So your Windows DNS server is recursive, and tries to resolve whatever name the original client asked for, by making a new request to F5. But this I did not understand: the Windows DNS sends *only* a AAAA query? If you don't have AAAA records, for sure there will be no AAAA responses.
It is normal for a DNS client to make A & AAAA queries when trying to resolve a name. Questions:
- Can you collect a traffic capture on your Windows machine as well?
- Are there A queries as well?
- Are there A records?
- If you force the DNS queries from the F5 box to itself, do you get different or similar results?
/Mike
Girma_TeferaHi Mike757
I appreciate your comments. I was take tcpdump on F5 and Microsoft DNS.
##If you force the DNS queries from the F5 box to itself, do you get different or similar results? yes, I have got A queries.
FQDN is corebanking.cbe.com.et
F5 DNS (listner) 10.1.226.253, 10.1.226.254, 10.3.226.253, 10.3.226.254
microsoft DNS server is 10.1.11.13, 10.1.11.16, 10.3.11.13, 10.3.11.16
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
from Microsoft DNS
DNS Server log file creation at 3/15/2023 3:35:30 PM
Log file wrap at 3/15/2023 3:35:30 PMMessage logging key (for packets - other items use a subset of these fields):
Field # Information Values
------- ----------- ------
1 Date
2 Time
3 Thread ID
4 Context
5 Internal packet identifier
6 UDP/TCP indicator
7 Send/Receive indicator
8 Remote IP
9 Xid (hex)
10 Query/Response R = Response
blank = Query
11 Opcode Q = Standard Query
N = Notify
U = Update
? = Unknown
12 [ Flags (hex)
13 Flags (char codes) A = Authoritative Answer
T = Truncated Response
D = Recursion Desired
R = Recursion Available
14 ResponseCode ]
15 Question Type
16 Question Name3/15/2023 3:35:31 PM 1F94 PACKET Response packet 0000024623F61FD0 does not match any outstanding query
3/15/2023 3:35:31 PM 1F80 PACKET Response packet 00000246345C2920 does not match any outstanding query
3/15/2023 3:35:32 PM 11D8 PACKET 00000246AF5AF380 UDP Snd 10.1.226.253 0de4 Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
UDP question info at 00000246AF5AF380
Socket = 19512
Remote addr 10.1.226.253, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0028 (40)
Message:
XID 0x0de4
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty3/15/2023 3:35:32 PM 1FB8 PACKET 00000246E3FB8170 UDP Snd 10.1.226.253 8771 Q [0000 NOERROR] ALL (11)corebanking(3)cbe(3)com(2)et(0)
UDP question info at 00000246E3FB8170
Socket = 6316
Remote addr 10.1.226.253, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0028 (40)
Message:
XID 0x8771
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
QTYPE ALL (255)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty3/15/2023 3:35:33 PM 1F4C PACKET Response packet 0000024666E688E0 does not match any outstanding query
3/15/2023 3:35:33 PM 1F4C PACKET Response packet 0000024648EFDFC0 does not match any outstanding query
3/15/2023 3:35:34 PM 1F94 PACKET Response packet 000002461F6BF0F0 does not match any outstanding query
3/15/2023 3:35:34 PM 11D8 PACKET 0000024609E411A0 UDP Snd 10.3.226.253 f4ba Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
UDP question info at 0000024609E411A0
Socket = 11600
Remote addr 10.3.226.253, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0028 (40)
Message:
XID 0xf4ba
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty3/15/2023 3:35:34 PM 11D8 PACKET 0000024609E411A0 UDP Snd 10.1.226.254 f4ba Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
UDP question info at 0000024609E411A0
Socket = 11600
Remote addr 10.1.226.254, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0028 (40)
Message:
XID 0xf4ba
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty3/15/2023 3:35:34 PM 1F4C PACKET 00000246FDB75D40 UDP Snd 10.3.226.253 0552 Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
UDP question info at 00000246FDB75D40
Socket = 2468
Remote addr 10.3.226.253, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0028 (40)
Message:
XID 0x0552
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty3/15/2023 3:35:35 PM 1F80 PACKET Response packet 0000024610333EF0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 000002469BB66630 does not match any outstanding query
3/15/2023 3:35:36 PM 1F44 PACKET Response packet 0000024606D21950 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 0000024608C63D00 does not match any outstanding query
3/15/2023 3:35:36 PM 1F44 PACKET Response packet 00000246415E5370 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246D2BF9B90 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246C42723A0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246B5FFCA20 does not match any outstanding query
3/15/2023 3:35:36 PM 1F4C PACKET Response packet 0000024675FBA950 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 000002466F9E54E0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246360508E0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 000002460CA056E0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 0000024672A18CE0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246988939E0 does not match any outstanding query
3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246F2FDB880 does not match any outstanding query
3/15/2023 3:35:36 PM 11D8 PACKET 00000246E3FB8170 UDP Snd 10.3.226.253 8771 Q [0000 NOERROR] ALL (11)corebanking(3)cbe(3)com(2)et(0)
UDP question info at 00000246E3FB8170
Socket = 6316
Remote addr 10.3.226.253, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0028 (40)
Message:
XID 0x8771
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
QTYPE ALL (255)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty--------------------------------------------------------------------------------------------------------------------------------------
from F5 DNS
No. Time Source Destination Protocol Length Info
1 0.000000 00:00:00_00:00:00 00:00:00_00:00:00 FILEINFO 201 /usr/sbin/tcpdump -envi 0.0:nnn -s0 -w /var/tmp/00373033.pcap host 10.1.226.253
2 0.271461 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xf908 AAAA corebanking.cbe.com.et
3 0.271699 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
4 0.305038 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xa19a AAAA corebanking.cbe.com.et
5 1.148454 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xeb31 AAAA corebanking.cbe.com.et
6 1.271975 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
7 1.534897 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xf4ba AAAA corebanking.cbe.com.et
8 2.271745 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
9 3.271886 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
10 3.283096 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x0de4 AAAA corebanking.cbe.com.et
11 3.490579 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x8771 ANY corebanking.cbe.com.et
12 4.271761 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
13 4.802786 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x3792 ANY corebanking.cbe.com.et
14 4.862066 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x1f50 AAAA corebanking.cbe.com.et
15 5.272107 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
16 5.679215 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x46cf AAAA corebanking.cbe.com.et
17 7.127693 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x7fa3 AAAA corebanking.cbe.com.et
18 7.128037 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
19 8.111770 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x14a1 ANY corebanking.cbe.com.et
20 8.127953 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
21 8.940237 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x29f5 AAAA corebanking.cbe.com.et
22 8.960955 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xa2fa AAAA corebanking.cbe.com.et
23 9.127997 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
24 9.305662 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x5819 AAAA corebanking.cbe.com.et
25 9.334004 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x59f1 ANY corebanking.cbe.com.et
26 10.128081 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
27 10.211744 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xb440 ANY corebanking.cbe.com.et
28 11.127648 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
29 11.440514 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x0552 AAAA corebanking.cbe.com.et
30 12.127958 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
31 12.959134 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xae48 AAAA corebanking.cbe.com.et
32 13.004613 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xeb2c AAAA corebanking.cbe.com.et
33 13.252862 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xc4a0 ANY corebanking.cbe.com.et
34 13.252937 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
35 13.831072 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xfcfe ANY corebanking.cbe.com.et
36 13.831198 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x5f65 ANY corebanking.cbe.com.et
37 13.837319 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x3622 AAAA corebanking.cbe.com.et
38 14.252744 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
39 14.377764 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xa8bc ANY corebanking.cbe.com.et
40 15.253063 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
41 15.972423 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x2cb5 AAAA corebanking.cbe.com.et
42 16.252668 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
43 16.556502 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x7952 ANY corebanking.cbe.com.et
44 17.252714 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
45 18.252481 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xab64 ANY corebanking.cbe.com.et
46 18.252935 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
47 18.368875 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x0169 AAAA corebanking.cbe.com.et
48 19.597288 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x63c5 AAAA corebanking.cbe.com.et
49 19.597574 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
50 20.240246 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x5da3 AAAA corebanking.cbe.com.et
51 20.295024 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x3a2c AAAA corebanking.cbe.com.et
52 20.596679 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
53 20.721497 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xeaae AAAA corebanking.cbe.com.et
54 21.596764 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
55 21.994232 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x0d7b AAAA corebanking.cbe.com.et
56 22.271914 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x2d18 AAAA corebanking.cbe.com.et
57 22.596682 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
58 22.959742 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x90a8 AAAA corebanking.cbe.com.et
59 23.596842 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
60 24.129326 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x3df5 AAAA corebanking.cbe.com.et