Forum Discussion
Zonerunner Issue
Hi guys,
I'm trying to solve two big issues using my F5 as master DNS.
First: I want to forward a full PTR network (in my case a /16) to another BIND, but it doesn't seem to work. PTRs are resolved only if the F5 is the master. Is this a supported feature or not? If I configure the same forward on a normal BIND, it works.
Second: I'm forwarding a *.local domain to my AD servers, but I've found that every time I do a dig using the F5 VIP it also reports back an authority section, and this creates issues with particular services.
here is an example:
dig @ AD server output:
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @10.10.10.200 test.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44844
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;test.local. IN A
;; ANSWER SECTION:
test.local. 600 IN A 10.x.x.x
test.local. 600 IN A 192.168.x.x
dig @ F5 (that forwards to AD server):
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @10.10.10.201 test.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44763
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.local. IN A
;; ANSWER SECTION:
test.local. 600 IN A 10.x.x.x
test.local. 600 IN A 192.168.x.x
;; AUTHORITY SECTION:
. 71938 IN NS f.root-servers.net.
. 71938 IN NS c.root-servers.net.
. 71938 IN NS a.root-servers.net.
. 71938 IN NS b.root-servers.net.
. 71938 IN NS d.root-servers.net.
. 71938 IN NS g.root-servers.net.
. 71938 IN NS e.root-servers.net.
. 71938 IN NS h.root-servers.net.
. 71938 IN NS l.root-servers.net.
. 71938 IN NS m.root-servers.net.
. 71938 IN NS i.root-servers.net.
. 71938 IN NS k.root-servers.net.
. 71938 IN NS j.root-servers.net.
My F5s are running LTMOS 11.6.1 HF1. Any help is very much appreciated!
Thanks
- JG
It is hard to answer your questions without knowing the specific configurations of your DNS server. And:
- Do you allow recursion?
- Have you configured a forwarder?
- What are your dig commands?
- Giammarco
Hi,
Yes, this is the named configuration on the F5:
/*
 * restrict rndc access to local machines
 * use the key in the default place: /config/rndc.key
 */
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};

logging {
    channel logfile {
        syslog daemon;
        severity error;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { logfile; };
    category config { logfile; };
    category notify { logfile; };
};

options {
    listen-on port 53 { 127.0.0.1; "zrd-acl-000-001"; "zrd-acl-000-002"; "zrd-acl-000-000"; };
    listen-on-v6 port 53 { ::1; };
    recursion yes;
    directory "/config/namedb";
    allow-transfer { localhost; };
    allow-recursion { lan_hosts; };
    check-names master warn;
    check-integrity yes;
    max-journal-size 1M;
    forwarders { 8.8.8.8; 8.8.4.4; };
};

acl "zrd-acl-000-000" { 127.10.0.0; };
acl "zrd-acl-000-002" { 127.10.0.2; };
acl "lan_hosts" { 10.10.10.0/24; };
acl "zrd-acl-000-001" { 127.10.0.1; };
acl "extkey" { key "external"; };
acl "noextkey" { !key "external"; };

key "external" {
    algorithm hmac-md5;
    secret "";
};
the dig command that I'm doing is a simple:
dig @IP(AD or F5) SRV test.local
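As an added example that is not part of the thread (the poster's named.conf is above; every address below is an assumption: AD server 10.10.10.200, downstream BIND 10.10.20.53, forwarded range 10.10.0.0/16): a small Python script that builds the two forward-only zone stanzas the two questions call for, computes the in-addr.arpa zone name for the /16, emits `minimal-responses yes;` (the BIND option that stops named from padding non-authoritative answers with NS records of the closest zone it knows, which with no other NS data in cache is the root hints, hence the 13 root-server NS RRs in the F5's AUTHORITY section), and parses dig output to tell that padding apart from a real authority section. `forward only` matters because the posted options already forward everything to 8.8.8.8/8.8.4.4: with BIND's default `forward first`, a query under .local or the private reverse zone that the internal forwarder fails to answer would be resolved outside instead of being refused, leaking internal names.

```python
"""Added example (not from the thread): forward-zone stanzas for BIND plus a
dig-output check for root-NS authority padding. Addresses are assumptions."""
import ipaddress
import re


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone covering an octet-aligned IPv4 prefix.

    A /16 maps to exactly one reverse zone (10.10.0.0/16 -> 10.10.in-addr.arpa).
    Non-octet-aligned prefixes need RFC 2317 style delegation and are rejected.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError(f"{cidr}: only /8, /16 and /24 IPv4 prefixes map to one reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def forward_zone(name: str, forwarders: list) -> str:
    """Forward-only zone: queries under `name` go to `forwarders` and never
    fall back to iterative resolution or the global forwarders."""
    fwd = " ".join(f"{ip};" for ip in forwarders)
    return (
        f'zone "{name}" {{\n'
        "    type forward;\n"
        "    forward only;\n"
        f"    forwarders {{ {fwd} }};\n"
        "};\n"
    )


def named_conf_fragment() -> str:
    """What to add to the posted named.conf (assumed addresses)."""
    options_add = (
        "// add inside the existing options { } block:\n"
        "// do not pad non-authoritative answers with NS RRs of the closest\n"
        "// known zone (the root hints here); that padding is the root-server\n"
        "// NS set seen in the AUTHORITY section of forwarded answers\n"
        "minimal-responses yes;\n"
    )
    return "\n".join([
        options_add,
        forward_zone("local", ["10.10.10.200"]),                 # assumed AD server
        forward_zone(reverse_zone("10.10.0.0/16"), ["10.10.20.53"]),  # assumed BIND
    ])


HEADER_RE = re.compile(
    r";; flags: (?P<flags>[^;]*); QUERY: \d+, ANSWER: (?P<ans>\d+), "
    r"AUTHORITY: (?P<auth>\d+), ADDITIONAL: \d+"
)
ROOT_NS_RE = re.compile(r"^\.\s+\d+\s+IN\s+NS\s+[a-m]\.root-servers\.net\.$")


def dig_summary(text: str) -> dict:
    """Summarise a dig response: authoritative (aa) or not, section counts,
    and whether the AUTHORITY section is only root-server NS padding."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig flags/counts header found")
    in_auth, auth_lines = False, []
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            in_auth = True
        elif line.startswith(";;") or not line.strip():
            in_auth = False
        elif in_auth:
            auth_lines.append(line.strip())
    return {
        "aa": "aa" in m["flags"].split(),
        "answer": int(m["ans"]),
        "authority": int(m["auth"]),
        "root_ns_padding": bool(auth_lines) and all(ROOT_NS_RE.match(l) for l in auth_lines),
    }


# Constructed dig output in the shape of the thread's two captures (not the
# poster's bytes): the AD server answers authoritatively with an empty AUTHORITY
# section; the forwarding F5 pads AUTHORITY with root-server NS records.
DIG_FROM_AD = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
test.local.\t600\tIN\tA\t10.0.0.10
test.local.\t600\tIN\tA\t192.168.0.10
"""
DIG_FROM_F5 = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; ANSWER SECTION:
test.local.\t600\tIN\tA\t10.0.0.10
test.local.\t600\tIN\tA\t192.168.0.10

;; AUTHORITY SECTION:
.\t71938\tIN\tNS\ta.root-servers.net.
.\t71938\tIN\tNS\tb.root-servers.net.
.\t71938\tIN\tNS\tc.root-servers.net.
"""

if __name__ == "__main__":
    print(named_conf_fragment())
    for label, out in (("AD", DIG_FROM_AD), ("F5", DIG_FROM_F5)):
        print(label, dig_summary(out))
```

Run it to print the fragment, add the zones and option to the F5's named.conf (through ZoneRunner or however the box is managed), then re-run the thread's `dig @<F5 VIP> test.local` and feed the output to `dig_summary`: `root_ns_padding` should drop to False and `authority` to 0 once `minimal-responses yes` is in effect, while the AD server's answer keeps `aa`.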