Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Configuring listener IP for TCP

Go to solution
Khaled_HA
Altocumulus
Altocumulus

‎18-Feb-2022 02:56

Hay folks!

I am preparing for the 302 exam and I ran into this  " DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs."

Link: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/replacing-a-dns-server-with-bi...

Why should I configure listener for TCP, besides for zone transfer ?

If I am not using zone transfer, is UDP listener enough for answering DNS quesries ?

Another question:

What are the scenarios client might recieve connection refused from the Big-IP DNS ?

 

Labels:
2 ACCEPTED SOLUTIONS

Go to solution
Daniel_Wolf
MVP
MVP

‎18-Feb-2022 11:29 - edited ‎18-Feb-2022 11:30

Hi @Khaled_HA,

UPD is limited to 512 bytes. Some of the newer record types might contain messages that exceed the 512 byte limit and use TCP as fallback.

I never tried to pass the 302 exam. However, I am 100% it is for BIG-IP 12.1. You are looking at an article that is relevant for 14.1 to 16.1. Make sure you are looking the relevant sources (K29900360: F5 certification | Exams and blueprints). 

KR
Daniel

View solution in original post

Go to solution
Daniel_Wolf
MVP
MVP
In response to Khaled_HA

‎20-Feb-2022 03:05

I will try to answer your second question too:

This solution (K14510: Overview of DNS query processing on BIG-IP systems) explains in which order the BIG-IP processes DNS requests and how to configure Unhandled Query Actions. One setting for unhandled queries is Reject.

  • Use the Reject setting to return a REFUSED status for the DNS query.

DISCLAIMER: I admit that I am not an expert for BIG-IP DNS. Maybe this is not the only correct answer to your question.

View solution in original post

6 REPLIES 6

Go to solution
Sebastiansierra
MVP
MVP

‎18-Feb-2022 03:38

Hi,

Creating DNS listeners TCP or UDP will depend on the customer that consumes the service, or the device that must use the DNS for resolution.

To create a TCP listener you need to run the same steps when you create your UDP listener:

1. In the path DNS ›› Delivery : Listeners : Listener List click create.

2. Set a Name

3. Set the IP, it could be the same for TCP or UDP protocol.

4. In protocol select TCP.

5. Click Finished

 

Go to solution
Khaled_HA
Altocumulus
Altocumulus
In response to Sebastiansierra

‎18-Feb-2022 04:11

Thanks but that was not my question.

My question is that "If I did not configure TCP lister, will the BigIP DNS refuse client connection ? and why? 

Isn't UDP enough? 

0 Kudos

Go to solution
Sebastiansierra
MVP
MVP

‎18-Feb-2022 05:35

When you create a listener a virtual server is deployed too with the IP and the Protocol that you selected for the listeners for example UDP.

If UDP is the only protocol that you want to allow for DNS it will be enough and TCP will not be required, but this depends on every scenery, I worked with some network devices that request the DNS resolution by TCP protocol and in this case, you must create both.

Go to solution
Daniel_Wolf
MVP
MVP

‎18-Feb-2022 11:29 - edited ‎18-Feb-2022 11:30

Hi @Khaled_HA,

UPD is limited to 512 bytes. Some of the newer record types might contain messages that exceed the 512 byte limit and use TCP as fallback.

I never tried to pass the 302 exam. However, I am 100% it is for BIG-IP 12.1. You are looking at an article that is relevant for 14.1 to 16.1. Make sure you are looking the relevant sources (K29900360: F5 certification | Exams and blueprints). 

KR
Daniel

Go to solution
Khaled_HA
Altocumulus
Altocumulus
In response to Daniel_Wolf

‎18-Feb-2022 14:20

Hay @Daniel_Wolf,

Thanks for bringing that to my mand.

Regarding my second question; what are the setuations where big-ip DNS would refuse the connection ?

If the big-ip DNS recieved a query for a domain that it is not authoritative for, will the big-ip DNS refuse the query ?

0 Kudos

Go to solution
Daniel_Wolf
MVP
MVP
In response to Khaled_HA

‎20-Feb-2022 03:05

I will try to answer your second question too:

This solution (K14510: Overview of DNS query processing on BIG-IP systems) explains in which order the BIG-IP processes DNS requests and how to configure Unhandled Query Actions. One setting for unhandled queries is Reject.

  • Use the Reject setting to return a REFUSED status for the DNS query.

DISCLAIMER: I admit that I am not an expert for BIG-IP DNS. Maybe this is not the only correct answer to your question.

Copyright © 2023 Khoros, LLC