Forum Discussion
Placing BIG-IP DNS in front of a Pool of DNS Servers
- May 13, 2023
Dear Ben_Novak and Nikoolayy1,
Thank you for your kind and helpful support.
I found the answer to this problem. The problem was this: when I use nslookup for the wideip test.demo.local, it appends the domain suffix, which means it asks for test.demo.local.demo.local from my client workstation (10.1.75.72), a domain-joined PC, which indicates it is under the domain demo.local. Since F5 then determines that this is a non-wideip query, it forwards the request to Microsoft DNS, making the initial two or three nslookups unsuccessful. It eventually tries without adding a domain suffix, and F5 responds with test.demo.local because it is a wideip query.
To resolve this problem, since the domain is included by default, I tried the nslookup without adding it and discovered that the result was as I had anticipated. For more information, see the link below.
https://serverfault.com/questions/74067/windows-appending-domain-suffix-to-all-lookups
Hi Girma_Tefera,
DNS logic in F5 DNS/GTM/GSLB is handled by the DNS profile on the listener (VS).
As you noted, if a request matches a wideip, it will respond with F5 Intelligent DNS (GSLB); if not, it will continue through the logic tree until it finds a response or a configured action.
Between all the options and features, it can get rather complicated pretty quickly. The following two articles should help clarify how that process works.
K18522641: Overview of the DNS profile (14.x and later)
https://my.f5.com/manage/s/article/K18522641
K14510: Overview of DNS query processing on BIG-IP
https://my.f5.com/manage/s/article/K14510
Other things to consider:
- a wideip can be configured to ultimately fall back to BIND or a local DNS pool (if resources are down)
- enable dns logging on the wideip to see what is happening
Hoping this helps. 🙂
I appreciate your reply. My worry was that the wideip query would time out since F5 DNS would transmit it to Microsoft DNS while the first three nslookups would time out. My expectation was that F5 would respond if the query was wideip; otherwise, it would go to Microsoft DNS. Why is wideip not prioritized instead of being forwarded to Microsoft?
- Ben_Novak, May 08, 2023, Employee
In its default configuration, GTM will attempt to serve the response from GSLB before asking the Microsoft DNS servers (if configured). I suggest enabling wideip logging to see why it is not responding as you expect.
K25751652: How to configure Decision Logging for the F5 BIG-IP DNS/GTM to local log directory
https://my.f5.com/manage/s/article/K25751652#a1
- Girma_Tefera, May 09, 2023, Altocumulus
I enabled the log following your advice, and I now have this log.
For the wideip (test.demo.local) query, listener 10.1.226.249, client 10.1.75.72:
May 9 06:14:33 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:33 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49332: view none: query: test.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:14:35 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:35 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49333: view none: query: test.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49334: view none: query: test.demo.local IN A + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49335: view none: query: test.demo.local IN AAAA + (10.1.226.249%0)
For the non-wideip (abc.demo.local) query, listener 10.1.226.249, client 10.1.75.72:
May 9 06:15:12 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:12 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59877: view none: query: abc.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:15:14 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:13 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59878: view none: query: abc.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:16 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59879: view none: query: abc.demo.local IN A + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:15 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59880: view none: query: abc.demo.local IN AAAA + (10.1.226.249%0)
The image was taken from a client system (10.1.75.72).
The image that follows was taken without Microsoft DNS configured. Non-wideip queries are refused, and wideip queries respond immediately.
This should help you grasp things better, in my opinion.
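As an added example (not from this thread or from F5), a small Python parser for the tmm query-log format quoted above; it separates genuine wideip queries from names that the workstation's resolver padded with its DNS search suffix, which is the cause described in the accepted answer at the top of the thread. The wideip set and the cbe.com.et suffix are assumptions taken from the log lines, not from anyone's configuration.

```python
# Added example: parse the tmm 'query:' log format shown in the thread and tell
# real wideip queries from names padded with the client's DNS search suffix.
import re
from collections import Counter

QUERY_RE = re.compile(
    r"from (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: view \S+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)

# Constructed sample: four query lines copied from the thread's decision log.
SAMPLE_LOG = """\
May 9 06:14:33 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:33 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49332: view none: query: test.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49334: view none: query: test.demo.local IN A + (10.1.226.249%0)
May 9 06:15:12 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:12 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59877: view none: query: abc.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:16 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59879: view none: query: abc.demo.local IN A + (10.1.226.249%0)
"""

WIDEIPS = {"test.demo.local"}  # assumption: the only wideip configured on the GTM
SEARCH_SUFFIX = "cbe.com.et"   # the joined workstation's domain, as seen in the log


def parse_line(line):
    """Extract client, qname and qtype; None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"]}


def classify(qname, wideips=WIDEIPS, suffix=SEARCH_SUFFIX):
    """Windows appends the search suffix even to multi-label names; strip it only
    when a dotted base remains so a real host.cbe.com.et is not miscounted."""
    tail = "." + suffix
    base, padded = qname, False
    if qname.endswith(tail) and "." in qname[: -len(tail)]:
        base, padded = qname[: -len(tail)], True
    # GTM matches the literal qname, so a padded wideip name is a non-wideip query
    return {"base": base, "suffix_appended": padded,
            "wideip_match": qname in wideips, "wideip_intended": base in wideips}


def summarize(log_text):
    """Per client: GSLB-answered, pool-forwarded, or lost to suffix padding."""
    tally = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        c = classify(rec["qname"])
        key = ("padded-wideip" if c["suffix_appended"] and c["wideip_intended"]
               else "wideip" if c["wideip_match"] else "non-wideip")
        tally[(rec["client"], key)] += 1
    return dict(tally)
```

A "padded-wideip" count greater than zero for a client is the signature of the first failing nslookups described in the thread: the name was meant for GSLB but reached the unhandled-query path with the search suffix attached.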
- Nikoolayy1, May 09, 2023, MVP
Have you enabled response logging? I only see the query 🙂
Also, maybe check the operations guide, as maybe you have not enabled the DNS pools to be used by the DNS profile (https://my.f5.com/manage/s/article/K14510), as Unhandled Query Actions needs to be set to allow. Also check if "Recursion Desired" is enabled in the DNS profile, and keep in mind that the F5 community is not F5 TAC, which solves such issues as its job; this is an open tech community where we help one another 😉
https://my.f5.com/manage/s/article/K65762138
- On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.
- Click Create. The New DNS Logging profile screen opens.
- In the Name field, type a unique name for the profile.
- From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
- For the Log Queries setting, ensure that the Enabled check box is selected if you want the BIG-IP system to log all DNS queries.
- For the Log Responses setting, select the Enabled check box if you want the BIG-IP system to log all DNS responses.
- For the Include Query ID setting, select the Enabled check box if you want the BIG-IP system to include the query ID sent by the client in the log messages.
- Click Finished.