Forum Discussion
What IP's to use for DNS Listeners?
- Nov 19, 2015
"A listener object that is not defined as a self IP address cannot direct name resolution requests to BIND"
If you don't require that (and I usually make sure that requests not serviced by GTM are dropped myself), then you have no issues AFAIK.
Possibly it's listed as not best practice because if GTM can't resolve it, you won't get any answer, and whoever wrote it wanted to make sure at least SOMETHING was given back (e.g. for addresses that ARE NOT serviced by GTM - i.e. not WideIP's).
However, for most of the installs I've done, that was the DESIRED effect anyway... because I don't like running GTMs inline with normal DNS services; i.e. I like my GTMs to be serving ONLY WideIPs.
See this scenario:

A DNS server already exists at IP address 10.2.5.37.
There are two VLANs, named external and guests.
There are two wide IPs: www.siterequest.com and downloads.siterequest.com. After being integrated into the network, Global Traffic Manager is responsible for the following actions:
- Managing and responding to requests for the wide IPs
- Forwarding other DNS traffic to the existing DNS server
- Forwarding any traffic from the guests VLAN to the rest of the network

To implement this configuration, Global Traffic Manager requires three listeners:
- A listener with an IP address that is the same as the self IP address of Global Traffic Manager. This listener allows the system to manage DNS traffic that pertains to its wide IPs.
- A listener with an IP address of 10.2.5.37, the IP address of the existing DNS server. This listener allows the system to forward incoming traffic to the existing DNS server.
- A wildcard listener enabled on the guests VLAN. This listener allows Global Traffic Manager to forward traffic sent from the guests VLAN to the rest of the network.
- Brad_Parker, Nov 19, 2015 (Cirrus): Good find on that. Best practice says you should NEVER resolve from on-box BIND. It's a single-threaded, single-core process (gtmd), whereas WideIPs and DNS Express run in TMOS. If you are resolving from BIND, you have a really expensive BIND server that doesn't use the DoS features BIG-IP has to its fullest potential. If you want to use ZoneRunner (on-box BIND) you should always use DNS Express to serve those zones. I repeat, you should never resolve DNS through to BIND even if it is still an option.
- gsharri, Dec 15, 2015 (Altostratus): For clarification, I would point out that the statement "A listener object that is not defined as a self IP address cannot direct name resolution requests to BIND. For example, if you define a listener object for local resolution and the listener is not also defined as a self IP address, wide IP pools configured with the Return to DNS load balancing method will not return the desired results." found in SOL5427 is incorrect. A VIP listener can resolve using on-box BIND for both wideIPs and non-wideIPs. The Return to DNS fallback method does in fact return the expected results for wideIP resolution. I have confirmed this behavior with v11.5.0 and 11.6.0. Not that resolving from BIND is a good idea, as Brad points out. Now the question is which is the right answer on the exam...
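The thread's practical question (does a given listener answer names that are not wide IPs, i.e. hand them to BIND or a forwarder, or does it silently drop them?) can be checked from outside rather than inferred from SOL5427. The following audit script is an added example, not code from the thread or from F5; it builds a raw DNS query with the standard library, sends it to a listener address and classifies the reply, and the listener address and hostnames in the usage line are assumed from the scenario above.

```python
import socket
import struct

# Constructed sample responses (not captured from a real BIG-IP): same 12-byte
# header layout, flags 0x8180 = response/RD/RA, low nibble = RCODE.
SAMPLE_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x00" * 16
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 1, 0) + b"\x00" * 16
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
RCODES = {0: "noerror", 2: "servfail", 3: "nxdomain", 5: "refused"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with the RD bit set, as a stub resolver would send."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(data, qid: int = 0x1234) -> str:
    """Reduce a raw reply to what matters for the listener audit."""
    if data is None:
        return "dropped"            # timed out: the listener silently discarded the query
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not (flags & 0x8000):
        return "malformed"          # wrong ID or QR bit clear: not a reply to our query
    rcode = RCODES.get(flags & 0x000F, "other")
    if rcode == "noerror":
        return "answered" if ancount > 0 else "empty"
    return rcode


def probe(listener_ip: str, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query to a listener on port 53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (listener_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            data = None
    return classify_response(data)


def audit(listener_ip: str, wide_ip: str, other_name: str) -> dict:
    """Probe a wide IP and a name GTM does not own; 'answered' for the latter means
    the listener serves non-wide-IP names (via BIND or a forwarder), not drops them."""
    return {n: probe(listener_ip, n) for n in (wide_ip, other_name)}


if __name__ == "__main__":  # assumed listener address and names from the scenario
    print(audit("10.2.5.37", "www.siterequest.com", "notawideip.example"))
```

Run it once per listener address (self IP, existing-DNS IP, and from a host on the guests VLAN) to confirm each listener behaves the way the design intends.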