mcl_62703
Apr 03, 2012

Missing something fundamental about DNS round-robin

I'm really new to F5, and I've read through various BigIP documents and posts, but I seem to be missing something fundamental about how to set up DNS round-robin.

As a very simple, short summary:

I want to have a single IP on the F5, to which all DNS queries are sent. I want the F5 to load balance those queries in a round-robin manner to 3 IPs, each IP on its own VLAN, where a nameserver will answer them.

What I've got:

A 3600 running 10.2.0 (intentionally; upgrading isn't an option for this project).

How I've set it up:

 

Initially, just to make sure I could get something working at all, I configured a single VLAN under "Network" (10.34.31.0/24), and then used the "Generic DNS" template under "Templates and Wizards". I gave the VS an IP of 10.34.31.202, had it create a new pool, and added a single server with the IP of 10.34.31.38. Due to a particular quirk of the nameserver I'm using, I changed the monitor to "gateway_icmp" (* I'll explain more about that quirk in a bit).

This worked fine.

So, I deleted all the stuff the template had set up, added the other two VLANs (10.34.101.0/24 and 10.34.102.0/24), and redid the template, this time adding all three server IPs (10.34.31.38, 10.34.101.10, and 10.34.102.10) and setting the load balancing to "round robin".

I verified by ssh'ing into the F5 that I can ping all three of those server IPs from the F5, so I know traffic is capable of reaching those three IPs from the F5.

But when I send DNS queries to the VS IP (10.34.31.202), only the first server IP (10.34.31.38) receives any DNS traffic. Nothing gets sent to the other two server IPs.

Puzzled, I went back to what I did first, and rather than using the 10.34.31.38 server IP, I redid the template just using 10.34.101.10, to verify that with that as the only pool member, no DNS traffic was sent on by the F5. That was indeed the case.

I tried adding an auto-map SNAT object, but that didn't help at all.

I additionally tried setting up stateless UDP with nPath routing (page 11 in Advanced DNS Traffic Management using the BigIP LTM) since Figure 2.1 looked exactly like what I was trying to do. Again, I had no luck. The behavior was the same as before.

I'm operating under a few constraints here: I must run 10.2.0, the three pool members must have IPs on separate VLANs, and changing the routing or loopback address on the nameserver isn't an option.

Have I missed something in my reading, or is this just not possible? If it's not possible, what would be the least disruptive change I'd have to make to get it working (where "disruptive" is defined as "changes to the configuration of the nameserver")?

Thanks in advance for any help!

* the particular nameserver quirk I mentioned earlier:

the nameserver I'm using is caching-only, and I'm unable in this particular situation to guarantee a particular response to any query, which is why I used the gateway_icmp monitor instead.

Hamish

As the pool members don't appear to be on directly attached VLANs, do you have a TMM route to the pool members? It SOUNDS like the route to the pool members is via the management interface, but TMM doesn't have access to that. So effectively the LB'ed traffic gets black holed.

Ping (being a management process) has access to both the management routes AND TMM routes... So using ping by itself doesn't really give you a good indication of accessibility by the TMM micro-kernel.

H
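To make Hamish's point concrete, here is an added example (not from the thread, and not BIG-IP code) that models the reachability check he describes: a pool member is only reachable from TMM through a self IP on an attached VLAN or a TMM static route, never through a management route. The self IP addresses, VLAN names and the 192.0.2.1 management gateway are constructed placeholders; only the three pool member IPs come from the question.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SelfIP:
    address: str  # CIDR form, e.g. "10.34.31.200/24" (constructed)
    vlan: str


@dataclass(frozen=True)
class Route:
    network: str  # destination prefix
    gateway: str
    table: str    # "tmm" or "mgmt": only TMM routes count for load-balanced traffic


def tmm_path(member, self_ips, routes):
    """Return (kind, via) describing how TMM would reach a pool member.

    kind is 'direct' (self IP on an attached VLAN), 'routed' (TMM static route)
    or 'unreachable' (no TMM path; a management-only route is deliberately
    ignored, which is why host ping can succeed while the member gets nothing).
    Longest prefix wins when several candidates match.
    """
    ip = ipaddress.ip_address(member)
    best = None  # (prefixlen, kind, via)
    for s in self_ips:
        net = ipaddress.ip_interface(s.address).network
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "direct", s.vlan)
    for r in routes:
        if r.table != "tmm":
            continue  # management routes are invisible to TMM
        net = ipaddress.ip_network(r.network)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "routed", r.gateway)
    return ("unreachable", None) if best is None else (best[1], best[2])


def audit_pool(members, self_ips, routes):
    """Map every pool member to its TMM path so unreachable ones stand out."""
    return {m: tmm_path(m, self_ips, routes) for m in members}


# Constructed scenario modelled on the question: three VLANs exist, but only the
# 10.34.31.0/24 VLAN carries a self IP; the box otherwise has just a mgmt default route.
MEMBERS = ["10.34.31.38", "10.34.101.10", "10.34.102.10"]
BEFORE_SELF = [SelfIP("10.34.31.200/24", "vlan_31")]
ROUTES = [Route("0.0.0.0/0", "192.0.2.1", "mgmt")]  # placeholder mgmt gateway
AFTER_SELF = BEFORE_SELF + [SelfIP("10.34.101.1/24", "vlan_101"),
                            SelfIP("10.34.102.1/24", "vlan_102")]

if __name__ == "__main__":
    for label, selfs in (("before", BEFORE_SELF), ("after", AFTER_SELF)):
        print(label, audit_pool(MEMBERS, selfs, ROUTES))
```

In the "before" state only 10.34.31.38 gets a path, matching the behaviour in the question; adding a self IP on each VLAN (or a TMM route to each member subnet) makes all three members reachable.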