Forum Discussion
What IP's to use for DNS Listeners?
In another question on this forum, https://devcentral.f5.com/questions/f5-gtm-and-wide-ip, the poster asks if the Name Server records for his subdomain (.wip.) needed to use the self IP's of his F5's. The accepted answer is that, no, you use the DNS Listener IP's instead. However, F5's instructions for DNS Listener setup say to use the F5's self IP's to set the listeners up. So, through the transitive property of geometry (thank you, 9th grade), wouldn't the NS record, therefore, be the self IP's of the F5's?
Any help is appreciated.
Thank you, Mickey
"A listener object that is not defined as a self IP address cannot direct name resolution requests to BIND"
If you don't require that (and I usually make sure that requests not serviced by GTM are dropped myself), then you have no issues AFAIK.
Possibly it's listed as not best practice because if GTM can't resolve it, you won't get any answer, and whoever wrote it wanted to make sure at least SOMETHING was given back (e.g. for addresses that ARE NOT serviced by GTM - i.e. not WideIP's).
However for most of the installs I've done, that was the DESIRED effect anyway... Because I don't like running GTM's inline with normal DNS services - i.e. I like my GTM's to be serving ONLY WideIP's.
See this scenario-----
A DNS server already exists at IP address 10.2.5.37.
There are two VLANs, named external and guests.
There are two wide IPs: www.siterequest.com and downloads.siterequest.com. After being integrated into the network, Global Traffic Manager is responsible for the following actions:
Managing and responding to requests for the wide IPs
Forwarding other DNS traffic to the existing DNS server
Forwarding any traffic from the guests VLAN to the rest of the network To implement this configuration, Global Traffic Manager requires three listeners:
A listener with an IP address that is the same as the self IP address of Global Traffic Manager. This listener allows the system to manage DNS traffic that pertains to its wide IPs.
A listener with an IP address of 10.2.5.37, the IP address of the existing DNS server. This listener allows the system to forward incoming traffic to the existing DNS server.
A wildcard listener enabled on the guests VLAN. This listener allows Global Traffic Manager to forward traffic sent from the guests VLAN to the rest of the network.
- Brad_ParkerCirrus
No, SelfIPs are not listener IPs. Your listeners are virtual servers. For GTM you will configure a virtual server to be your DNS listener and thats the IP that will be you NS record.
- Mickey_Farmer_2Nimbostratus
Thanks, Brad. From F5's site, the setup of a DNS Listener asks for a self IP address on the GTM:
(From https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-implementations-11-5-0/4.html) Creating listeners to handle traffic for wide IPs
Determine the self IP address on which you want BIG-IP GTM to listen for DNS queries for the wide IPs configured on the system.
Create listeners that identify the wide IP traffic for which GTM is responsible. Create four listeners: two that use the UDP protocol (one each for an IPv4 address and IPv6 address), and two that use the TCP protocol (one each for an IPv4 address and IPv6 address). Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs. 1. On the Main tab, click DNS > Delivery > Listeners. The Listeners List screen opens. 2. Click Create. The Listeners properties screen opens. 3. In the Name field, type a unique name for the listener. 4. For the Destination setting, in the Address field, type the IP address on which GTM listens for network traffic. The destination is a self IP address on GTM. 5. From the VLAN Traffic list, select All VLANs. 6. In the Service area, from the Protocol list, select UDP. 7. Click Repeat.
- Brad_ParkerCirrus"A listener is a specialized virtual server that passively checks for DNS packets on port 53 and the IP address you assign to the listener. When a DNS query is sent to the IP address of the listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource." Not sure why it says to use a self IP for the virtual server. While you can do that you don't have to. I don't believe that is a requirement. Your NS records will be whatever you setup as your listener(whether that is a self ip or some other IP).
- Amanpreet_SinghCirrostratus
"A listener object that is not defined as a self IP address cannot direct name resolution requests to BIND"
If you don't require that (and I usually make sure that requests not serviced by GTM are dropped myself), then you have no issues AFAIK.
Possibly it's listed as not best practice because if GTM can't resolve it, you won't get any answer, and whoever wrote it wanted to make sure at least SOMETHING was given back (e.g. for addresses that ARE NOT serviced by GTM - i.e. not WideIP's).
However for most of the installs I've done, that was the DESIRED effect anyway... Because I don't like running GTM's inline with normal DNS services - i.e. I like my GTM's to be serving ONLY WideIP's.
See this scenario-----
A DNS server already exists at IP address 10.2.5.37.
There are two VLANs, named external and guests.
There are two wide IPs: www.siterequest.com and downloads.siterequest.com. After being integrated into the network, Global Traffic Manager is responsible for the following actions:
Managing and responding to requests for the wide IPs
Forwarding other DNS traffic to the existing DNS server
Forwarding any traffic from the guests VLAN to the rest of the network To implement this configuration, Global Traffic Manager requires three listeners:
A listener with an IP address that is the same as the self IP address of Global Traffic Manager. This listener allows the system to manage DNS traffic that pertains to its wide IPs.
A listener with an IP address of 10.2.5.37, the IP address of the existing DNS server. This listener allows the system to forward incoming traffic to the existing DNS server.
A wildcard listener enabled on the guests VLAN. This listener allows Global Traffic Manager to forward traffic sent from the guests VLAN to the rest of the network.
- Brad_ParkerCirrusGood find on that. Best practice days you should NEVER resolve from on box BIND. It's a single threaded single core process(gtmd) where as WideIPs and DNS Express run in TMOS. If your are resolving from BIND you have a really expensive BIND server that doesn't use the DoS features BigIP has to its fullest potential. If you want to use Zone Runner(On box BIND) you should always use DNS Express to serve those zones. I repeat, you should never resolve DNS through to BIND even if it is still an option.
- gsharriAltostratusFor clarification I would point out that the statement "A listener object that is not defined as a self IP address cannot direct name resolution requests to BIND. For example, if you define a listener object for local resolution and the listener is not also defined as a self IP address, wide IP pools configured with the Return to DNS load balancing method will not return the desired results." found in SOL5427 is incorrect. A VIP listener can resolve using on box BIND for both wideIPs and non-wideIPs. Return to DNS fallback method does in fact return the expected results for wideip resolution. I have confirmed this behavior with v11.5.0 and 11.6.0. Not that resolving from BIND is a good idea as Brad points out. Now the question is which is the right answer on the exam.......
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com