Finally. 🙂

Does this works with persistence?

AFAIK it should work.

Great article, good to see this feature in version 14

Great solution for DNS . thank's

Great solution, I will try that.

Great article. Thank you Eric.

Finally! Time to lab it up!!

@mwalkup69 if you lab this, can you test the persistence and let us know if it takes into account the ECS?

I have no easy way to test this, but I had many projects in the past that had problems with Google DNS and similar services.

@Leonardo Souza Great Idea!

@leonardo. "dig" is your friend for testing (modern versions):

$ dig  @203.0.113.13 test.example.com +short 
203.0.113.250
$ dig  +subnet=192.0.2.0/24 @203.0.113.13 test.example.com +short
192.0.2.2

You will also have to ensure that the DNS provider is sending ECS records. In the past I know that you had to register your BIG-IP DNS IPs with OpenDNS to have them forward ECS requests.

The external part that complicates the test, I could do with internal names/DNS/IPs, but that is why I said I don't have an easy way.

F5 PD could have been a little bit more friendly, providing extra information. 😛

https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-14-0-0.html "Support for EDNS0 For this release, the BIG-IP system now supports certain functionality associated with the Extended DNS (EDNS0 or EDNS) client subnet option."

Based on the number of comments so far, you can see this is a very helpful improvement for GTM.

Anyway, let's wait for @mwalkup69 tests.

What steps are needed to configure this in 13.1.1?

@Kevin Basler,

 

In version 13.1.1 you would have to consider an iRule to emulate the behavior that is described in this article. My previous article covers this here: Implementing Client Subnet in DNS Requests.

 

Thanks for your quick reply, Eric.

Looking at the irule, I see it doing a whereis on the ECS subnet and logging the response. I fail to see how GTM then knows how to use this information for its topology load balancing. Can you help me understand how this works?

Thanks

Kevin

A question was asked above regarding persistence, and yes when you apply a persistence profile you will see the client IP address in the persistence record, which means that if the user does start using a different local DNS resolver which supports client-subnet insertion, the GTM persistence record will be used.

Ok, great.

This seems to be exactly what we need in our architecture but has anybody got this working where the LDNS server is a Windows 2016 server?

In our lab we can see the Windows 2016 server forward the request to the F5 but we cannot see any eDNS client subnet field in a wireshark trace of that request. As such the solution doesn't work.

Does anybody know if we need to 'turn on' the client subnet somewhere on the Windows 2016 server? Thanks.

Hi,

Great article!

I have still some small doubts how ECS and Persistence works. Based on previous posts from Robin (thanks a lot Robin for sharing) it seems to work like that (for WideIP):

1. Persistence enabled at WideIP
2. Prefer Client Subnet checked

Result: Source IP of DNS server sending query is disregarded, persistence record is created based on Client Subnet in the query

1. Persistence enabled at WideIP
2. Prefer Client Subnet not checked

Result: Client subnet info in request is ignored, persistence record is based on IP of DNS server sending query.

Am I right with above?

Is that schema valid for any other LB used? For example RR, so if there is not persistence record (based on client subnet in request) LB is performed. If persistence record exists then LB is ignored and same IP is returned.

I am as well curious if anyone succeeded with enabling ECS on any version of Windows Srv?

Piotr

The information about Prefer Client Subnet as described in this article and help menus, was created with the topology in mind, but as indicated above, also applies to persistence.

Your conclusion is correct.

In relation to windows server, I can't add anything helpful.

Thanks Leo, know about global setting 🙂

Piotr

Can these ECS records be used to make load-balancing decisions that aren't based on topology?

I was thinking of using this for a delegation subzone between F5-DNS and Infoblox in which all traffic would hit Infoblox and then get delegated to F5 via CNAME. If traffic to F5 is only being sent from the same Infoblox Device, I want to do active/active and get different results based on the client that sends the original DNS query and thought that ECS might be able to accomplish this, but haven't been able to setup correctly so far. I see the ECS entry send from Infoblox to F5 but it doesn't seem to affect load-balancing decision so far.

Short answer is, yes this can be done, but you would need to use an irule.

Robin, thanks for your response. I was assuming that it would be possible with an iRule (unless 14.1+ have additional ECS features). I did some searching but couldn’t find an example. Anyone have a good example of an iRule to do this?

Eric Chen wrote this article based on the GUI features available in 14, however in version 13 ECS was available as a feature to be used within an irule. Eric’s previous article which was based on v13 has some iRules examples that you could use as your starting point. https://devcentral.f5.com/s/articles/implementing-client-subnet-dns-requests

 

Robin, Thank you for the link. However, I don't understand how to set DNS load-balancing method via iRule. Any ideas?

Update! Found I can do something like this:

when DNS_REQUEST {
    if { [DNS::edns0 subnet address] contains "10.3.0.0" } {
        pool test member 10.2.0.11 80
    } else { pool test }
}

Also, i found you can lower the TTL for a F5-DNS pool to zero so that there is no TTL to do more of an active/active setup for internal GSLB.

Thanks for you help!

I want to insert 'client subnet' in 'add OPT', The purpose is to display the source IP address in the real DNS Server log file, So use the following iRules script：

when DNS_REQUEST {
DNS::edns0 subnet address [IP::client_addr]
DNS::edns0 subnet source 32
}

Now through packet capture, the request data packet received by SLB can display the effect of inserting the 'client_addr' field into 'add OPT'.

But, when the backend server sends back the package, it displays' Flags: 0x8101 Standard query response, Format error ', Failed to resolve the A record of the domain name, 

So, do you have any good ideas to rule out this problem? Thanks!