Forum Discussion
LTM as balancer of pool of DNS servers
Hello all,
I would appreciate it if you could point me in the right direction, as I'm out of ideas in this regard:
F5 LTM has a VS (1.0.0.1:53) with a pool of DNS servers (2.2.2.0/24). When a client sends a query to 1.0.0.1:53, I would like to keep the originator's IP address for additional processing on the DNS nodes. This does not work, as the nodes are answering with source IP 2.2.2.xx.
Is there any way to achieve this with F5 LTM?
On the nodes I have lots of ACLs, QPS limits per ACL, and DNS spoofing in the case of a VPN connection being used, which prevents me from using Source Translation - automap.
P.S. My F5 does not have licenses for DNS/GTM, but it does for LTM/ASM.
- David_LarsenEmployee
There is really only one way to do this from a network perspective. If you put an interface/IP on the F5 in the 2.2.2.0/24 network, then you would have to make the default gateway of the DNS servers be the IP address created in 2.2.2.0/24. For further HA you would need 3 IP addresses in 2.2.2.0/24, one for each F5 LTM and then a floating address. The default gateway would be the floating address. This will force all the traffic going to the DNS boxes to come back through the LTM to keep the TCP handshakes functional.
To further complicate things, I have done scenarios where the DNS box has multiple routes on it: the default route goes to the BIG-IP LTM, but other routes for internal clients go to a different router. But to accomplish exactly what you have asked, I would use the above method and make the LTM the default gateway of the DNS boxes.
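The default-gateway design described in that reply, written out as an added example for this thread (constructed here, not configuration from the poster or from F5). It assumes a VLAN named internal facing 2.2.2.0/24, DNS nodes at 2.2.2.21 and 2.2.2.22, per-unit self IPs 2.2.2.11 and 2.2.2.12 with floating 2.2.2.1, and Linux-style routing on the DNS servers; the 10.0.0.0/8 prefix and 2.2.2.254 router are placeholders for the multi-route variant.

```tmsh
# Added example (constructed for this thread, not the poster's or F5's own config).
# Assumed names/addresses: VLAN "internal" faces 2.2.2.0/24, DNS nodes are
# 2.2.2.21 and 2.2.2.22, per-unit self IPs are 2.2.2.11 and 2.2.2.12, and the
# floating self IP (the DNS servers' default gateway) is 2.2.2.1.

# --- On each BIG-IP unit: a non-floating self IP in the DNS servers' subnet.
# Port lockdown "none" only restricts connections *to* the self IP itself;
# forwarded (transit) traffic from the DNS servers is not affected by it.
create net self dns_self_unit1 address 2.2.2.11/24 vlan internal allow-service none
# (on the second unit: create net self dns_self_unit2 address 2.2.2.12/24 vlan internal allow-service none)

# --- Floating self IP, owned by the active unit; this is the gateway the DNS
# servers point at, so it follows a failover.
create net self dns_gw_float address 2.2.2.1/24 vlan internal traffic-group traffic-group-1 allow-service none

# --- Pool of DNS nodes. gateway_icmp is a built-in monitor; a DNS-aware
# monitor is better in practice so a stalled resolver is taken out of service.
create ltm pool dns_pool members add { 2.2.2.21:53 2.2.2.22:53 } monitor gateway_icmp

# --- UDP and TCP DNS virtual servers with NO source address translation, so
# the nodes see the real client source IP for their ACLs and per-ACL QPS limits.
create ltm virtual dns_vs_udp destination 1.0.0.1:53 ip-protocol udp profiles add { udp } pool dns_pool source-address-translation { type none }
create ltm virtual dns_vs_tcp destination 1.0.0.1:53 ip-protocol tcp profiles add { tcp } pool dns_pool source-address-translation { type none }
save sys config

# --- On each DNS node (Linux example, run as root): default route back through
# the LTM so replies to client IPs traverse the BIG-IP and get their source
# rewritten to 1.0.0.1. Internal clients that reach the nodes directly (the
# multi-route case above) can keep using a separate router; 10.0.0.0/8 and
# 2.2.2.254 are placeholders.
#   ip route replace default via 2.2.2.1 dev eth0
#   ip route add 10.0.0.0/8 via 2.2.2.254 dev eth0
```

Any DNS node whose default route does not point at the floating self IP will answer clients directly from 2.2.2.xx, which is exactly the asymmetric-return symptom the question describes.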
- PeteWhiteEmployee
What about using EDNS0 Client Subnet?
- David_LarsenEmployee
If DNS was provisioned on the box then eDNS0 would be an option. But in order to use eDNS0 you have to have a DNS profile, which requires GTM to be provisioned: https://clouddocs.f5.com/api/irules/DNS__edns0.html.
- PeteWhiteEmployee
Good point - I didn't read down that far 🐵