Forum Discussion
Ian_Johnson_382
Nimbostratus
Jun 16, 2010
Migration to GTM, problems with Wide IP and DNS forwarders
Hi All,
I am currently on a project to migrate a configuration from Alteon to F5 GTM/LTM. Due to the nature of the business I cannot move the entire configuration in one hit, so I need to do this on a per web site basis. What I want to do is configure the GTM to answer only for the WideIPs it has configured and forward anything else on to the Alteon devices.
To do this I created a WideIP for a.ha.acme.com, and in the options section for the ha.acme.com domain I have added the forwarder options:
    forward first;
    forwarders { 1.2.3.5; 1.2.4.5; };
What is happening is that the GTM will answer requests for a.ha.acme.com with no problems, but a request for b.ha.acme.com is not being forwarded and instead the GTM is responding with an NXDOMAIN error.
In the options for named I have turned on recursive queries.
Is this configuration legit? If not, does anyone have any ideas on how I could do this?
Thanks Ian
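As an added illustration (not part of the original thread, and not F5 or BIND code): a small Python model of how named decides between serving authoritative zone data and forwarding, which is why b.ha.acme.com gets NXDOMAIN when the GTM is master for ha.acme.com even with forwarders configured. The zone contents are constructed from the names in the thread; the `type forward` sub-zone variant is an assumption about BIND's longest-match zone selection, not something the thread states.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    ztype: str                      # "master", "slave" or "forward"
    records: set = field(default_factory=set)
    forwarders: list = field(default_factory=list)

def _in_zone(qname, zname):
    q, z = qname.rstrip(".").lower(), zname.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def resolve(qname, zones, global_forwarders):
    """Return (action, detail) describing what named does with qname."""
    # The most specific (longest) matching zone decides the outcome.
    matches = [z for z in zones if _in_zone(qname, z.name)]
    if matches:
        zone = max(matches, key=lambda z: len(z.name))
        if zone.ztype == "forward":
            return ("FORWARD", zone.forwarders or global_forwarders)
        # master/slave: answered from zone data and never forwarded, so a
        # name missing from the zone gets NXDOMAIN regardless of
        # 'forward first' / 'forwarders' in the options block.
        if qname.rstrip(".").lower() in zone.records:
            return ("AUTHORITATIVE", zone.name)
        return ("NXDOMAIN", zone.name)
    if global_forwarders:
        return ("FORWARD", list(global_forwarders))
    return ("RECURSE", None)

# Constructed data mirroring the thread: the GTM is master for
# ha.acme.com and only holds a.ha.acme.com; b.ha.acme.com is still on
# the Alteon boxes listed as forwarders.
ZONES = [Zone("ha.acme.com", "master", {"a.ha.acme.com"})]
FORWARDERS = ["1.2.3.5", "1.2.4.5"]

# Hypothetical variant (assumption): a more specific 'type forward' zone
# for the not-yet-migrated name wins the longest-match selection.
ZONES_WITH_FORWARD_ZONE = ZONES + [
    Zone("b.ha.acme.com", "forward", forwarders=FORWARDERS)]

if __name__ == "__main__":
    for name in ("a.ha.acme.com", "b.ha.acme.com", "www.acme.com"):
        print(name, resolve(name, ZONES, FORWARDERS),
              resolve(name, ZONES_WITH_FORWARD_ZONE, FORWARDERS))
```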
- Nick_T_68319
Nimbostratus
If the GTM is only going to serve WideIPs, why don't you keep your DNS hosted on your existing DNS servers, then delegate your subdomains to the WideIPs?
- Ian_Johnson_382
Nimbostratus
Nick,
The plan is to have the GTM as the master for the subdomain.
Ian
- JRahm
Admin
This is the configuration I used when setting up something similar. x.x.x.x, x.x.x.y, x.x.x.z need to be swapped out with your nameserver IPs. Also, the 10/8 is internal space from standard RFC 1918, but your IP space might be different, so you'll need to alter that as well.

    // restrict rndc access to local machines
    // use the key in the default place: /config/rndc.key
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    };

    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default { logfile; };
        category config { logfile; };
        category notify { logfile; };
    };

    options {
        listen-on port 53 { 127.0.0.1; "zrd-acl-000-000"; };
        forward only;
        forwarders { x.x.x.x; x.x.x.y; x.x.x.z; };
        allow-query { localhost; internal; };
        listen-on-v6 port 53 { ::1; };
        directory "/config/namedb";
        allow-transfer { localhost; };
        recursion yes;
    };

    acl "zrd-acl-000-000" { 127.10.0.0; };
    acl internal { 10/8; };