F5 XC Distributed Cloud DNS GSLB implementing Split-DNS

Have you ever wondered how to achieve BIND-like 'VIEW' behavior with F5 XC Load Balancer, where different DNS responses are returned depending on the customer's IP? Well, wonder no more!

F5 XC DNS Load Balancers have had the topology load balancing feature from the start, but now you can also use source IP prefix lists or BGP ASNs, which opens the door to Split-DNS similar to the BIND "View" feature!

The XC DNS Load Balancer rules now have options that support load balancing based on the EDNS Client Subnet (ECS) or on the BGP ASN. ECS is like the X-Forwarded-For header: it exposes the real client subnet rather than the IP address of the local DNS resolver.

For more information, I suggest checking out the link below:

For anyone that has worked with F5 DNS/GTM BIG-IP, this is similar to creating custom topology records.

For more information, I suggest checking out the link below:

 

Configuring a DNS zone 

First, configure a primary DNS zone as shown in the picture below. Alternatively, use the option "Allow Application Load Balancer Managed Records", described in the links below, which lets a created F5 XC TCP or HTTP LB be added automatically to the primary DNS zone in XC.

 

 

For more information, I suggest checking out the links below:

The two DNS Load Balancer rules match either 46.233.56.0/24 or 0.0.0.0/0, which is any IP address. This is why the Score of the first rule is set to 110, so that it has higher priority.

 

 

 

 

For testing, the Linux "dig" command supports the +subnet option to change the EDNS subnet, for example "dig test.niki.com @ns1.f5clouddns.com +subnet=46.233.56.0". If you don't choose a subnet, the EDNS subnet will be your IP address. Remember that the system could add a default mask like /24 if you don't specify a mask with +subnet. When you use @ to send the query directly to ns1.f5clouddns.com or ns2.f5clouddns.com, you don't have to change your public DNS records, so you can test the XC DNS setup first and only then configure DNS delegation on your primary DNS servers.

 

If you are behind NAT or a VPN, use a site such as "What Is My IP Address" to see your public IP address.

 

Example DNS request that will be sent to the specific pool:

dig test.niki.com @ns1.f5clouddns.com +subnet=46.233.56.1

 

 

Example DNS request that will be sent to the default pool:

dig test.niki.com @ns1.f5clouddns.com +subnet=5.5.5.5

 

 

Example DNS request with no "+subnet":

This request is sent to the specific pool because my IP matches the 46.233.56.0 subnet, and it is automatically added as the EDNS subnet in the DNS request.

 dig test.niki.com @ns1.f5clouddns.com
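To make the three dig tests above concrete, this added example (not from the original article and not F5's code) encodes the ECS option that a +subnet value produces on the wire, decodes it as a server would, and picks a pool from the article's two rules. The pool names, the default rule's score of 100, and the matching model (highest score among rules that contain the client subnet) are assumptions.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871

# The article's two rules. Pool names and the default rule's score (100)
# are assumptions for this example; only the score of 110 is from the article.
RULES = [
    (ipaddress.ip_network("46.233.56.0/24"), 110, "specific-pool"),
    (ipaddress.ip_network("0.0.0.0/0"), 100, "default-pool"),
]

def build_ecs_option(subnet):
    """Encode an ECS option of the kind `dig +subnet=...` attaches to a query."""
    net = ipaddress.ip_network(subnet, strict=False)  # no mask is treated as /32 here
    family = 1 if net.version == 4 else 2
    # Only the bytes covered by the source prefix length go on the wire.
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def parse_ecs_option(option):
    """Decode an ECS option back into the client subnet the server sees."""
    if len(option) < 8:
        raise ValueError("ECS option too short")
    code, length, family, source_len, _scope = struct.unpack("!HHHBB", option[:8])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    if family not in (1, 2):
        raise ValueError("unknown address family")
    cls, size = ((ipaddress.IPv4Network, 4) if family == 1
                 else (ipaddress.IPv6Network, 16))
    addr = option[8:]
    if len(addr) != (source_len + 7) // 8 or len(addr) > size:
        raise ValueError("address length does not match prefix length")
    return cls((addr.ljust(size, b"\x00"), source_len), strict=False)

def select_pool(client_subnet):
    """Assumed model: among rules containing the client subnet, highest score wins."""
    matches = [(score, pool) for prefix, score, pool in RULES
               if prefix.version == client_subnet.version
               and client_subnet.subnet_of(prefix)]
    return max(matches)[1] if matches else None

def resolve(dig_subnet):
    """Round-trip a +subnet value through the wire format and pick a pool."""
    return select_pool(parse_ecs_option(build_ecs_option(dig_subnet)))
```

Under these assumptions, a client subnet wider than the rule's prefix (for example 46.233.0.0/16) falls through to the default pool, which is worth checking against the real service with dig when resolvers send shorter masks.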

 

 

 

 

 

You can also use the ASN for this task; the ASN is compared against your EDNS subnet. There are many tools that show your ASN based on your IP address 😉

 

 

 

Summary:

XC gets new features every day, and the DNS Load Balancer service is a clear example of this. We will see what comes next!

Published Jun 23, 2025
Version 1.0