Khaled_HA
Feb 18, 2022
Solved

Configuring listener IP for TCP

Hey folks!

I am preparing for the 302 exam and I ran into this: "DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs."

Link: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/replacing-a-dns-server-with-big-ip-dns.html

Why should I configure a listener for TCP, besides for zone transfer?

If I am not using zone transfer, is a UDP listener enough for answering DNS queries?

Another question:

What are the scenarios in which a client might receive connection refused from the BIG-IP DNS?

 

6 Replies

  • Hi Khaled_HA,

    UDP is limited to 512 bytes. Some of the newer record types might contain messages that exceed the 512 byte limit and use TCP as fallback.

    I never tried to pass the 302 exam. However, I am 100% sure it is for BIG-IP 12.1. You are looking at an article that is relevant for 14.1 to 16.1. Make sure you are looking at the relevant sources (K29900360: F5 certification | Exams and blueprints).

    KR
    Daniel

    • Khaled_HA

      Hey Daniel_Wolf,

      Thanks for bringing that to my mind.

      Regarding my second question: what are the situations where BIG-IP DNS would refuse the connection?

      If the BIG-IP DNS received a query for a domain that it is not authoritative for, will the BIG-IP DNS refuse the query?

      • Daniel_Wolf

        I will try to answer your second question too:

        This solution (K14510: Overview of DNS query processing on BIG-IP systems) explains in which order the BIG-IP processes DNS requests and how to configure Unhandled Query Actions. One setting for unhandled queries is Reject.

        • Use the Reject setting to return a REFUSED status for the DNS query.

        DISCLAIMER: I admit that I am not an expert for BIG-IP DNS. Maybe this is not the only correct answer to your question.

  • Hi,

    Creating DNS listeners TCP or UDP will depend on the customer that consumes the service, or the device that must use the DNS for resolution.

    To create a TCP listener you need to run the same steps when you create your UDP listener:

    1. In the path DNS ›› Delivery : Listeners : Listener List click create.

    2. Set a Name

    3. Set the IP, it could be the same for TCP or UDP protocol.

    4. In protocol select TCP.

    5. Click Finished

     

    • Khaled_HA

      Thanks but that was not my question.

      My question is: "If I did not configure a TCP listener, will the BIG-IP DNS refuse the client connection, and why?"

      Isn't UDP enough?

  • When you create a listener, a virtual server is also deployed with the IP and the protocol that you selected for the listener, for example UDP.

    If UDP is the only protocol that you want to allow for DNS, it will be enough and TCP will not be required, but this depends on the scenario. I worked with some network devices that request DNS resolution over the TCP protocol, and in this case you must create both.
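
Added example, not part of any post in this thread and not F5 code: a small Python check that separates the two "refused" cases discussed above, a DNS-level REFUSED answer (RCODE 5) and a TCP connection refused after a truncated UDP reply. The function names, the `example.com` query name and the sample replies are constructed for illustration; `probe` needs network access, the rest runs offline.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Minimal query: RD set, one question, class IN, no EDNS0 OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_reply(reply):
    """Read the 12-byte DNS header: TC bit (0x0200) and RCODE (low 4 bits)."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    return {"id": txid, "truncated": bool(flags & 0x0200),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": answers}

def frame_for_tcp(message):
    """DNS over TCP prefixes every message with a two-byte length."""
    return struct.pack("!H", len(message)) + message

def next_step(udp_reply):
    """What a resolver does with a UDP reply."""
    info = classify_reply(udp_reply)
    if info["truncated"]:
        return "retry-over-tcp"   # ends in a TCP RST if nothing listens on TCP/53
    if info["rcode"] == "REFUSED":
        return "dns-refused"      # server answered; its policy rejected the query
    return "use-udp-answer"

def probe(server, name, timeout=3.0):
    """Live check (needs network): UDP query, then a TCP connect if TC is set."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(build_query(name), (server, 53))
        reply, _addr = udp.recvfrom(4096)
    step = next_step(reply)
    if step != "retry-over-tcp":
        return step
    try:
        socket.create_connection((server, 53), timeout=timeout).close()
        return "tcp-listener-reachable"
    except ConnectionRefusedError:
        return "tcp-connection-refused"

def sample_reply(flags, answers=0):
    """Constructed reply header plus the echoed question, for offline use."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0) + build_query("example.com")[12:]
```

Run `probe("<listener IP>", "<a name with a large answer>")` against a listener you administer to see which of the outcomes it produces.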