Girma_Tefera
May 08, 2023

Placing BIG-IP DNS in front of a Pool of DNS Servers

The F5 DNS server was positioned in front of a pool of Microsoft DNS servers. If the record is a wideip, F5 DNS will answer the query; otherwise, the query will be forwarded to the Microsoft DNS server. Before the integration, we tested the wideip by setting the F5 listener (10.1.226.249) as the user's primary DNS server. It responded as predicted and dropped the query if it was a non-wideip. Following the test, we incorporated the Microsoft DNS servers (10.3.2.2 and 10.3.2.4) as nodes >> Pool >> and connected this pool to the F5 listener (10.2.226.249). If a wideip query is made at this time, it will typically be forwarded to Microsoft DNS, and if that fails, it will resolve locally. The first three attempts at nslookup will be dropped, and the name will be resolved.

How do I prioritise wideip queries to be resolved by F5 DNS rather than sending them primarily to Microsoft DNS servers?

  • Hi Girma_Tefera,

    DNS logic in F5 DNS/GTM/GSLB is handled at the DNS profile on the listener (vs).

    As you noted, if a request matches a wideip, then it will respond with F5 Intelligent DNS (gslb); if not, it will continue through the logic tree till it finds a response or configured action.

    Between all the options and features, it can get rather complicated pretty quickly. The following two articles should help clarify how that whole process works.

    K18522641: Overview of the DNS profile (14.x and later)

    https://my.f5.com/manage/s/article/K18522641

    K14510: Overview of DNS query processing on BIG-IP

    https://my.f5.com/manage/s/article/K14510

    Other things to consider:

    • a wideip can be configured to ultimately fall back to bind, or local dns pool (if resources are down)
    • enable dns logging on the wideip to see what is happening

    Hoping this helps.  🙂

    • Girma_Tefera

      I appreciate your reply. My worry was that the wideip query would time out since F5 DNS would transmit it to Microsoft DNS while the first three nslookups would time out. My expectation was that F5 would respond if the query was a wideip; otherwise, it would go to Microsoft DNS. Why is wideip not prioritized instead of being forwarded to Microsoft?

      • Ben_Novak

        In its default configuration, GTM will attempt to serve the response from GSLB before asking the Microsoft DNS servers (if configured).  I suggest enabling wideip logging to see why it is not responding as you expect.

        K25751652: How to configure Decision Logging for the F5 BIG-IP DNS/GTM to local log directory

        https://my.f5.com/manage/s/article/K25751652#a1

  • Dear Ben_Novak and Nikoolayy1;

    Thank you for your kind and helpful support.

    I found the answer to this problem. The problem was that when I use nslookup for the wideip test.demo.local, it will append the domain suffix to the nslookup, which means it will ask for test.demo.local.demo.local on my client workstation (10.1.75.72), a domain-joined PC, which indicates it is under the domain of demo.local. Now that F5 has determined that this is a non-wideip query, it will forward the request to Microsoft DNS, making the initial two or three nslookups unsuccessful. It will eventually try without adding a domain suffix, and F5 will respond with test.demo.local because it is a wideip query.

    To resolve this problem, since the domain is included by default, I tried the nslookup without adding it and discovered that the result was as I had anticipated. For more information, see the link below.

    https://serverfault.com/questions/74067/windows-appending-domain-suffix-to-all-lookups
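
The lookup sequence described in the accepted answer can be traced with a small model. This is an added example, not code from the thread or from F5: the function names and decision labels are assumptions, the search-list handling is a simplified model of the client resolver, and it assumes (as observed in the thread) that the suffixed name gets no answer from the Microsoft DNS pool. It also covers a name typed with a trailing dot, which marks it as fully qualified so no suffix is appended.

```python
"""Model of one nslookup against a listener that serves wideips and forwards the rest."""

# Constructed sample values, taken from the names used in the thread.
WIDEIPS = {"test.demo.local"}   # names configured as wideips on BIG-IP DNS
SEARCH_LIST = ["demo.local"]    # DNS suffix search list of the domain-joined client


def candidate_names(name, search_list):
    """Names the client sends, in order, for one lookup of `name`.

    A trailing dot marks the name as fully qualified, so nothing is appended.
    Otherwise every search suffix is tried first and the name as typed comes last.
    """
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    bare = name.lower()
    return [f"{bare}.{suffix}" for suffix in search_list] + [bare]


def listener_decision(qname, wideips):
    """What the listener does with one query name (labels are hypothetical)."""
    return "wideip" if qname in wideips else "forward-to-pool"


def trace(name, search_list=SEARCH_LIST, wideips=WIDEIPS):
    """Return [(qname, decision), ...] until a wideip answers.

    Assumption: forwarded names are not resolved by the pool, so the client
    moves on to the next candidate, as the thread describes.
    """
    steps = []
    for qname in candidate_names(name, search_list):
        decision = listener_decision(qname, wideips)
        steps.append((qname, decision))
        if decision == "wideip":
            break
    return steps


if __name__ == "__main__":
    for typed in ("test.demo.local", "test.demo.local.", "test"):
        print(f"nslookup {typed}")
        for qname, decision in trace(typed):
            print(f"  {qname:30} -> {decision}")
```

Each `forward-to-pool` step before the `wideip` step corresponds to one of the failed attempts seen before the name finally resolved.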