Forum Discussion

pstoianov
Sep 10, 2022
Solved

LTM as balancer of pool of DNS servers

Hello all, 

I would appreciate if you can point me to right direction as I'm out of ideas in this regard:

F5 LTM has a VS (1.0.0.1:53) with a pool of DNS servers (2.2.2.0/24). When a client sends a query to 1.0.0.1:53, I would like to keep the originator's IP address for additional processing on the DNS nodes. This does not work, as the nodes are answering with source IP 2.2.2.xx.

Is there any way to achieve this with F5 LTM? 

On the nodes, I have lots of ACLs, QPS limits per ACL, and DNS spoofing in the case of a VPN connection being used, which prevents me from using Source Translation - automap.

P. S. My F5 does not have licenses for DNS/GTM but for LTM/ASM. 

5 Replies

  • There is really only one way to do this from a network perspective. If you put an interface/IP on the F5 in the 2.2.2.0/24 network, then you would have to make the default gateway of the DNS servers be the IP address created in 2.2.2.0/24. For further HA you would need 3 IP addresses in 2.2.2.0/24, one for each F5 LTM and then a floating address. The default gateway would be the floating address. This will force all the traffic going to the DNS boxes to come back through the LTM to keep the TCP handshakes functional.

    To complicate things further, I have done scenarios where the DNS box has multiple routes on it. The default route goes to the BIG-IP LTM, but then there are other routes for internal clients to a different router. But to accomplish exactly what you have asked, I would use the above method and make the LTM the default gateway of the DNS boxes.
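    What that layout looks like as configuration, as an added example that is not from the original thread: the virtual servers keep the client address by using no SNAT, the BIG-IP owns a floating self-IP in the server network, and each DNS node routes back through that floating address. The self-IP addresses (2.2.2.2, 2.2.2.3, floating 2.2.2.1), VLAN names and pool members are assumed values.

```tmsh
# --- on the BIG-IP LTM pair (tmsh) ---
# Pool of DNS nodes. No SNAT is applied anywhere below, so the
# nodes see the real client source address in every query.
create ltm pool dns_pool members add { 2.2.2.10:53 2.2.2.11:53 } monitor gateway_icmp

# UDP and TCP listeners for 1.0.0.1:53. "type none" is the default,
# spelled out here because automap is exactly what has to be avoided:
# with automap the nodes would see 2.2.2.x as the client.
create ltm virtual dns_udp_vs destination 1.0.0.1:53 ip-protocol udp \
    profiles add { udp } pool dns_pool source-address-translation { type none }
create ltm virtual dns_tcp_vs destination 1.0.0.1:53 ip-protocol tcp \
    profiles add { tcp } pool dns_pool source-address-translation { type none }

# Server-side self-IPs: one per unit (non-floating) plus one floating
# address that follows the active unit. The nodes point their default
# route at the floating one, so replies to the client's real address
# return through whichever BIG-IP currently holds the connection table.
create net self self_unit1 address 2.2.2.2/24 vlan server_vlan \
    traffic-group traffic-group-local-only allow-service none
# (on unit 2, with config sync, the equivalent is address 2.2.2.3/24)
create net self self_float address 2.2.2.1/24 vlan server_vlan \
    traffic-group traffic-group-1 allow-service none

# --- on each Linux DNS node (shell, not tmsh) ---
#   ip route replace default via 2.2.2.1
# Any more specific route on a node that sends a client subnet around
# the BIG-IP will break replies to clients from that subnet which
# arrived via the VS, because the BIG-IP never sees the return half.
# Check on a node that queries carry the originator's address:
#   tcpdump -ni any udp port 53
```

    The routing asymmetry the reply warns about is the failure mode to test for: a TCP query via 1.0.0.1:53 that completes the handshake and receives a response proves the return path goes back through the LTM.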

  • Yep, seems to me that EDNS0 is the way to go, as described in RFC7871. Unfortunately, my HA boxes don't have GTM.