For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ispone_netadmin's avatar
Ispone_netadmin
Icon for Nimbostratus rankNimbostratus
Feb 24, 2014

Need to allow only a few networks/IP blocks for DNS request

Hi,   We are trying to refine how our DNS LB is configured in F5. We are currently load balancing both TCP and UDP DNS requests between two DNS servers. Which is working fine except for- in our DN...
application delivery
devops
iRules
management
security
TMOS
TMSH
Mike_61663's avatar
Mike_61663
Icon for Cirrus rankCirrus
Feb 24, 2014

Not sure of your network topology, but remember that BIG-IP is a full proxy. So it has a client side of the connection and a server side of the connection. If you have SNAT enabled on the Virtual Server, that should only affect the server side of the proxy - you should still see the original client source IP on the client side of the connection and so iRules have access to this information meaning that you should be easily able to filter based on source IP.

 

For the port exhaustion issue I suspect you're using a single SNAT address in your Virtual Server definition. To overcome port exhaustion, simply use a snatpool instead, containing multiple IP addresses. This will give you significantly more ports to use which should avoid the port exhaustion problem.

 

Having said all of this, keep in mind that if you have the DNS services or GTM licenses then you'll actually be able to use the BIG-IP itself for DNS resolution, rather than having to load balance your DNS servers. BIG-IP has phenomenal DNS performance too, probably better than you're getting now load-balancing separate DNS servers.