Forum Discussion

Girma_Tefera's avatar
Girma_Tefera
Icon for Altocumulus rankAltocumulus
Mar 24, 2023

Issue on Windows DNS forwarding to F5 DNS

We have an issue with our F5 DNS, some users encountered session timeout messages in the middle of service, and some users can't access their accounts because the login page of the web server doesn't show a login error, After frequent tries, their user will lock out. This and other issues arose after the deployment of F5 DNS. This DNS server will receive a DNS request from the existing Microsoft DNS server, which means Microsoft DNS is a forwarder for F5 DNS.

On F5 DNS, we attempt to collect a tcpdump. However, F5 DNS didn't contain any AAAA records, despite the AAAA query request from Microsoft DNS. Is anyone out there who faced this issue?

 

 

2 Replies

  • Hi, Girma_Tefera 

    So your Windows DNS server is recursive, and tries to resolve whatever name the original client asked for, by making a new request to F5. But this I did not understand: the Windows DNS sends *only* a AAAA query? If you don't have AAAA records, for sure there will be no AAAA responses.

    It is normal for a DNS client to make A & AAAA queries when trying to resolve a name. Questions:

    - Can you collect a traffic capture on your Windows machine as well?
    - Are there A queries as well?
    - Are there A records?
    - If you force the DNS queries from the F5 box to itself, do you get different or similar results?

    /Mike

    • Girma_Tefera's avatar
      Girma_Tefera
      Icon for Altocumulus rankAltocumulus

      Hi Mike757

      I appreciate your comments. I was take tcpdump on F5 and Microsoft DNS.

      ##If you force the DNS queries from the F5 box to itself, do you get different or similar results? yes, I have got A queries.

      FQDN is corebanking.cbe.com.et

      F5 DNS (listner) 10.1.226.253, 10.1.226.254, 10.3.226.253, 10.3.226.254

      microsoft DNS server is 10.1.11.13, 10.1.11.16, 10.3.11.13, 10.3.11.16

      -----------------------------------------------------------------------------------------------------------------------------------------------------------------

      from Microsoft DNS

      DNS Server log file creation at 3/15/2023 3:35:30 PM
      Log file wrap at 3/15/2023 3:35:30 PM

      Message logging key (for packets - other items use a subset of these fields):
      Field # Information Values
      ------- ----------- ------
      1 Date
      2 Time
      3 Thread ID
      4 Context
      5 Internal packet identifier
      6 UDP/TCP indicator
      7 Send/Receive indicator
      8 Remote IP
      9 Xid (hex)
      10 Query/Response R = Response
      blank = Query
      11 Opcode Q = Standard Query
      N = Notify
      U = Update
      ? = Unknown
      12 [ Flags (hex)
      13 Flags (char codes) A = Authoritative Answer
      T = Truncated Response
      D = Recursion Desired
      R = Recursion Available
      14 ResponseCode ]
      15 Question Type
      16 Question Name

      3/15/2023 3:35:31 PM 1F94 PACKET Response packet 0000024623F61FD0 does not match any outstanding query
      3/15/2023 3:35:31 PM 1F80 PACKET Response packet 00000246345C2920 does not match any outstanding query
      3/15/2023 3:35:32 PM 11D8 PACKET 00000246AF5AF380 UDP Snd 10.1.226.253 0de4 Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
      UDP question info at 00000246AF5AF380
      Socket = 19512
      Remote addr 10.1.226.253, port 53
      Time Query=0, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0028 (40)
      Message:
      XID 0x0de4
      Flags 0x0000
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 0
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
      QCOUNT 1
      ACOUNT 0
      NSCOUNT 0
      ARCOUNT 0
      QUESTION SECTION:
      Offset = 0x000c, RR count = 0
      QTYPE AAAA (28)
      QCLASS 1
      ANSWER SECTION:
      empty
      AUTHORITY SECTION:
      empty
      ADDITIONAL SECTION:
      empty

      3/15/2023 3:35:32 PM 1FB8 PACKET 00000246E3FB8170 UDP Snd 10.1.226.253 8771 Q [0000 NOERROR] ALL (11)corebanking(3)cbe(3)com(2)et(0)
      UDP question info at 00000246E3FB8170
      Socket = 6316
      Remote addr 10.1.226.253, port 53
      Time Query=0, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0028 (40)
      Message:
      XID 0x8771
      Flags 0x0000
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 0
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
      QCOUNT 1
      ACOUNT 0
      NSCOUNT 0
      ARCOUNT 0
      QUESTION SECTION:
      Offset = 0x000c, RR count = 0
      QTYPE ALL (255)
      QCLASS 1
      ANSWER SECTION:
      empty
      AUTHORITY SECTION:
      empty
      ADDITIONAL SECTION:
      empty

      3/15/2023 3:35:33 PM 1F4C PACKET Response packet 0000024666E688E0 does not match any outstanding query
      3/15/2023 3:35:33 PM 1F4C PACKET Response packet 0000024648EFDFC0 does not match any outstanding query
      3/15/2023 3:35:34 PM 1F94 PACKET Response packet 000002461F6BF0F0 does not match any outstanding query
      3/15/2023 3:35:34 PM 11D8 PACKET 0000024609E411A0 UDP Snd 10.3.226.253 f4ba Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
      UDP question info at 0000024609E411A0
      Socket = 11600
      Remote addr 10.3.226.253, port 53
      Time Query=0, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0028 (40)
      Message:
      XID 0xf4ba
      Flags 0x0000
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 0
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
      QCOUNT 1
      ACOUNT 0
      NSCOUNT 0
      ARCOUNT 0
      QUESTION SECTION:
      Offset = 0x000c, RR count = 0
      QTYPE AAAA (28)
      QCLASS 1
      ANSWER SECTION:
      empty
      AUTHORITY SECTION:
      empty
      ADDITIONAL SECTION:
      empty

      3/15/2023 3:35:34 PM 11D8 PACKET 0000024609E411A0 UDP Snd 10.1.226.254 f4ba Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
      UDP question info at 0000024609E411A0
      Socket = 11600
      Remote addr 10.1.226.254, port 53
      Time Query=0, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0028 (40)
      Message:
      XID 0xf4ba
      Flags 0x0000
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 0
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
      QCOUNT 1
      ACOUNT 0
      NSCOUNT 0
      ARCOUNT 0
      QUESTION SECTION:
      Offset = 0x000c, RR count = 0
      QTYPE AAAA (28)
      QCLASS 1
      ANSWER SECTION:
      empty
      AUTHORITY SECTION:
      empty
      ADDITIONAL SECTION:
      empty

      3/15/2023 3:35:34 PM 1F4C PACKET 00000246FDB75D40 UDP Snd 10.3.226.253 0552 Q [0000 NOERROR] AAAA (11)corebanking(3)cbe(3)com(2)et(0)
      UDP question info at 00000246FDB75D40
      Socket = 2468
      Remote addr 10.3.226.253, port 53
      Time Query=0, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0028 (40)
      Message:
      XID 0x0552
      Flags 0x0000
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 0
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
      QCOUNT 1
      ACOUNT 0
      NSCOUNT 0
      ARCOUNT 0
      QUESTION SECTION:
      Offset = 0x000c, RR count = 0
      QTYPE AAAA (28)
      QCLASS 1
      ANSWER SECTION:
      empty
      AUTHORITY SECTION:
      empty
      ADDITIONAL SECTION:
      empty

      3/15/2023 3:35:35 PM 1F80 PACKET Response packet 0000024610333EF0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 000002469BB66630 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F44 PACKET Response packet 0000024606D21950 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 0000024608C63D00 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F44 PACKET Response packet 00000246415E5370 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246D2BF9B90 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246C42723A0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246B5FFCA20 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F4C PACKET Response packet 0000024675FBA950 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 000002466F9E54E0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246360508E0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 000002460CA056E0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 0000024672A18CE0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246988939E0 does not match any outstanding query
      3/15/2023 3:35:36 PM 1F80 PACKET Response packet 00000246F2FDB880 does not match any outstanding query
      3/15/2023 3:35:36 PM 11D8 PACKET 00000246E3FB8170 UDP Snd 10.3.226.253 8771 Q [0000 NOERROR] ALL (11)corebanking(3)cbe(3)com(2)et(0)
      UDP question info at 00000246E3FB8170
      Socket = 6316
      Remote addr 10.3.226.253, port 53
      Time Query=0, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0028 (40)
      Message:
      XID 0x8771
      Flags 0x0000
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 0
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
      QCOUNT 1
      ACOUNT 0
      NSCOUNT 0
      ARCOUNT 0
      QUESTION SECTION:
      Offset = 0x000c, RR count = 0
      QTYPE ALL (255)
      QCLASS 1
      ANSWER SECTION:
      empty
      AUTHORITY SECTION:
      empty
      ADDITIONAL SECTION:
      empty

      --------------------------------------------------------------------------------------------------------------------------------------

      from F5 DNS

      No. Time Source Destination Protocol Length Info
      1 0.000000 00:00:00_00:00:00 00:00:00_00:00:00 FILEINFO 201 /usr/sbin/tcpdump -envi 0.0:nnn -s0 -w /var/tmp/00373033.pcap host 10.1.226.253
      2 0.271461 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xf908 AAAA corebanking.cbe.com.et
      3 0.271699 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      4 0.305038 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xa19a AAAA corebanking.cbe.com.et
      5 1.148454 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xeb31 AAAA corebanking.cbe.com.et
      6 1.271975 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      7 1.534897 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xf4ba AAAA corebanking.cbe.com.et
      8 2.271745 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      9 3.271886 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      10 3.283096 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x0de4 AAAA corebanking.cbe.com.et
      11 3.490579 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x8771 ANY corebanking.cbe.com.et
      12 4.271761 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      13 4.802786 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x3792 ANY corebanking.cbe.com.et
      14 4.862066 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x1f50 AAAA corebanking.cbe.com.et
      15 5.272107 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      16 5.679215 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x46cf AAAA corebanking.cbe.com.et
      17 7.127693 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x7fa3 AAAA corebanking.cbe.com.et
      18 7.128037 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      19 8.111770 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x14a1 ANY corebanking.cbe.com.et
      20 8.127953 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      21 8.940237 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x29f5 AAAA corebanking.cbe.com.et
      22 8.960955 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xa2fa AAAA corebanking.cbe.com.et
      23 9.127997 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      24 9.305662 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x5819 AAAA corebanking.cbe.com.et
      25 9.334004 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x59f1 ANY corebanking.cbe.com.et
      26 10.128081 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      27 10.211744 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xb440 ANY corebanking.cbe.com.et
      28 11.127648 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      29 11.440514 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x0552 AAAA corebanking.cbe.com.et
      30 12.127958 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      31 12.959134 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xae48 AAAA corebanking.cbe.com.et
      32 13.004613 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xeb2c AAAA corebanking.cbe.com.et
      33 13.252862 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xc4a0 ANY corebanking.cbe.com.et
      34 13.252937 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      35 13.831072 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xfcfe ANY corebanking.cbe.com.et
      36 13.831198 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x5f65 ANY corebanking.cbe.com.et
      37 13.837319 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x3622 AAAA corebanking.cbe.com.et
      38 14.252744 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      39 14.377764 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xa8bc ANY corebanking.cbe.com.et
      40 15.253063 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      41 15.972423 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x2cb5 AAAA corebanking.cbe.com.et
      42 16.252668 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      43 16.556502 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x7952 ANY corebanking.cbe.com.et
      44 17.252714 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      45 18.252481 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0xab64 ANY corebanking.cbe.com.et
      46 18.252935 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      47 18.368875 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x0169 AAAA corebanking.cbe.com.et
      48 19.597288 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x63c5 AAAA corebanking.cbe.com.et
      49 19.597574 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      50 20.240246 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x5da3 AAAA corebanking.cbe.com.et
      51 20.295024 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x3a2c AAAA corebanking.cbe.com.et
      52 20.596679 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      53 20.721497 10.3.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0xeaae AAAA corebanking.cbe.com.et
      54 21.596764 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      55 21.994232 10.3.11.13 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x0d7b AAAA corebanking.cbe.com.et
      56 22.271914 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm1 : Standard query 0x2d18 AAAA corebanking.cbe.com.et
      57 22.596682 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      58 22.959742 10.1.11.13 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x90a8 AAAA corebanking.cbe.com.et
      59 23.596842 F5Networ_9b:9b:07 Broadcast ARP 178 OUT s1/tmm0 : Who has 10.1.226.253? Tell 10.1.226.6
      60 24.129326 10.1.11.16 10.1.226.253 DNS 214 IN s1/tmm0 : Standard query 0x3df5 AAAA corebanking.cbe.com.et