For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

BJ_114988's avatar
BJ_114988
Icon for Nimbostratus rankNimbostratus
Dec 27, 2014

Replacing DNS with GTM

can someone please explain about how gtm works? i am familiar with how LTM works. Please give example if possible in terms of traffic flow from client (Browser) to backend server or pool member(end t...
BIG-IP DNS
deployment
design
Andrea_Arquint_'s avatar
Andrea_Arquint_
Historic F5 Account
Sep 23, 2015

Hi BJ

 

Some additions from my side to what Eldeeb already mentioned earlier. Before you start doing something. Please get familiar with the GTM concepts first which are available under following link https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-concepts-11-5-0.html (BIG-IP Global Traffic Manager: Concepts).

 

Backgroud: GTM is an intelligent and secure resolver. You could configure DNS Round-Robin (DNS R-R) basically with any available DNS server but in that case you don't have any further logic to control the traffic for your business critical applications. Within GTM (our DNS module) you will be able to control DNS queries among different sites for the same application (what we call a WIDE-IP within GSLB topic). So, you need at least one GTM per data center (site). All these GTM's are configured into a sync-group to share the configuration with eatch other (over a secured connection logically). That means each GTM has the knowledge for any application among your data centers (sites, company, cloud what else) because all GTM's are in sync.

 

Why is this needed? Because you want to make sure your business critical application is available anywhere and anytime. (High availability a basic protection target of information security.)

 

Basic config steps:

 

  • Configure GTM network connectivity
  • Configure sync-group between you GTM's (search on ask.f5.com)
  • configure your gslb servers (applications) on GTM (these are generic servers or other BIG-IP's which holds different appliactions etc. (search on ask.f5.com))
  • configure a gslb pool
  • the pool holds at least two "servers" (which are generic or BIG-IP apps etc.)
  • configure a WIDE-IP and assign the pool
  • configure a DNS profile and enable GSLB only (disable everything else)
  • configure a listener on (port 53) and assign the DNS profile
  • done

You will see within the DNS profile that there are a lot of more options. For instance, DNSSec, DNS-Express (DNS offloading to be more secure), Caching etc... All this stuff goes beyond gslb and gives you added value to konsolidate DNS overall with F5 (logically you could use our lovley iRules).

 

Cheerio,

 

Andrea