BigIP DNS Cache Resolver Issue with Microsoft DNS 2012 R2

Question

Sup everyone,&nbsp;
I am running into an odd issue right now during my migration from a Big IP 1600 to the New Viprion Chassis B2250 series. We have configured our New Internal Big IP DNS Server in a non Bind Resolver Cache only DNS server that would process only internal Wide IP requests. Our Existing F5 DNS is running Bind. &nbsp;
On our Corp DNS server we have an NS delegation that points to the listeners for both Data Centers. Corp DNS also has CNAME Records that will do global resolution, example would be CNAME funkytown.ilb.blank.com  Alias funkytown.blank.com. Corp DNS would send that request to the Internal F5 DNS server that responds back with an A record with IP address. Corp DNS is the SOA for blank.com and the F5 DNS is the SOA for ilb.blank.com&nbsp;
The Intermittent issue we are seeing is sometimes very Random after we migrate from old Bind to new Cache resolver the Microsoft DNS will respond back to the client without the A record IP it just shows CNAME. &nbsp;
As much as i want to Blame Microsoft for this issue and not the F5 this is only happening when i migrate to the new setup its not happening going to our old legacy Bind servers. &nbsp;
Has anyone run into this issue before? If so do you know of a Fix? Anything anything? i basically cant migrate to the new Viprions cause of this issue as it is causing applications to be unavailable. &nbsp;
Legacy DNS Version 11.5.4 
New DNS Version 12.1.3.3&nbsp;
Thanks&nbsp;

avi_251195 · Answer

Hi James,&nbsp;
Running into kinda the same issue atm; Windows DNS server(s) (still need to confirm the OS version and release) quering BIGIP DNS (version 12.1.3.6 Build 0.0.3 Point Release 6). &nbsp;
Same concept as you described:
Corp DNS also has CNAME Records that will do global resolution, example would be CNAME funkytown.ilb.blank.com Alias funkytown.blank.com. Corp DNS would send that request to the Internal F5 DNS server that responds back with an A record with IP address. Corp DNS is the SOA for blank.com and the F5 DNS is the SOA for ilb.blank.com&nbsp;
The clients receive an incomplete answer to their query: the fqdn is there but no IP address. When this happens no query is sent to the BIGIP (confirmed in BIGIP logs). &nbsp;
Nothing of a clue as to why this happens let alone a fix. &nbsp;
PS&gt; there used to be an issue in Win. 2008 R2 - https://support.microsoft.com/en-us/help/3022780/dns-server-does-not-respond-with-ip-address-to-a-cname-query-for-a-del&nbsp;

jamesb797_33357 · Answer

Piarea,&nbsp;
After many packet captures and many hours trying to figure out this issue, we had tickets open with Microsoft and F5 support and no one was able to resolve our issue. Finally we were able to resolve this issue, I decided to take a drastic approach to fix this. For some reason Microsoft DNS and it not getting a valid SOA record cause the lb.blank.com zone in caching will never respond with a SOA, was intermittently thinking he was the SOA of this zone and since he had no local record he would respond incorrectly. &nbsp;
The FIX: create a DNS express Profile, and put your Zone in it, this will now respond back to CORP DNS with a Valid SOA record. This was the FIX for our issue.&nbsp;
Also if you have a external Big IP DNS that you forward DNS requests to from your internal BigIP DNS you will need to change that the caching forwarder does not work correctly we had to remove this and just create another NS delegation on CORP DNS to send direct to our external BigIP DNS.&nbsp;
thanks&nbsp;

avi_251195 · Answer

Thanks for the repsonse. &nbsp;
Glad to read that you have the issue solved for your deployment. It looks like a workaround for an issue; the issue being that the Microsoft DNS server/service does not acknowledge the SOA record sent from the BIGIP as a valid SOA record.&nbsp;
If the SOA record sent by the BIGIP is not accepted as a valid SOA records by the Microsoft DNS .. &nbsp;
It turns out that, following K14510, F5 recommends that you disable BIND in the DNS profile when you use the DNS Express feature. &nbsp;
In version 12.1.3.6 Build 0.0.3 Point Release 6 - the version I'm running - DNS Express is actually part of the DNS profile with the possibility to enable or disable it. &nbsp;
I've read that DNS Express comes as a add-on with DNS (GTM) or as a feature with LTM; I've got a DNS only box. &nbsp;
Thanks for the repsonse.&nbsp;
Cheers, Avi&nbsp;

Forum Discussion

BigIP DNS Cache Resolver Issue with Microsoft DNS 2012 R2

3 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Re: BigIP Report

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Microsoft Powershell with iControl

Resolve Citrix Secure Ticket Authority (STA)

BigIP Report Old