Technical Forum
LTM as balancer of pool of DNS servers

pstoianov
Altocumulus

Hello all, 

I would appreciate if you can point me to right direction as I'm out of ideas in this regard:

F5 LTM has a VS (1.0.0.1:53) with a pool of DNS servers (2.2.2.0/24). When a client sends a query to 1.0.0.1:53, I would like to keep the originator's IP address for additional processing on the DNS nodes. This does not work, as the nodes are answering with source IP 2.2.2.xx.

Is there any way to achieve this with F5 LTM? 

On the nodes I have lots of ACLs, QPS limits per ACL, and DNS spoofing in the case where a VPN connection is used, which prevents me from using Source Translation (automap).

P. S. My F5 does not have licenses for DNS/GTM, only for LTM/ASM.

1 ACCEPTED SOLUTION

If DNS were provisioned on the box, then EDNS0 would be an option. But in order to use EDNS0 you have to have a DNS profile, which requires GTM to be provisioned: https://clouddocs.f5.com/api/irules/DNS__edns0.html


5 REPLIES

David_Larsen
F5 Employee

There is really only one way to do this from a network perspective. If you put an interface/IP on the F5 in the 2.2.2.0/24 network, then you would have to make the default gateway of the DNS servers the IP address created in 2.2.2.0/24. For HA you would need three IP addresses in 2.2.2.0/24, one for each F5 LTM and then a floating address; the default gateway would be the floating address. This will force all the traffic going to the DNS boxes to come back through the LTM, keeping the TCP handshakes functional.

To further complicate things, I have done scenarios where the DNS box has multiple routes on it: the default route goes to the BIG-IP LTM, but there are other routes for internal clients to a different router. But to accomplish exactly what you have asked, I would use the above method and make the LTM the default gateway of the DNS boxes.

PeteWhite
F5 Employee

What about using EDNS0 Client Subnet?

If DNS were provisioned on the box, then EDNS0 would be an option. But in order to use EDNS0 you have to have a DNS profile, which requires GTM to be provisioned: https://clouddocs.f5.com/api/irules/DNS__edns0.html

Good point, I didn't read down that far 🐵

pstoianov
Altocumulus

Yep, it seems to me that EDNS0 is the way to go, as described in RFC 7871. Unfortunately, my HA boxes don't have GTM.
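For readers weighing the EDNS Client Subnet route discussed in the replies, here is what the option actually carries on the wire and what the DNS nodes would have to do with it. This is an added example, not code from the thread or from F5: it builds the query a balancer or resolver would forward (an OPT RR with an RFC 7871 ECS option holding the client's prefix) and parses it the way a DNS node would, so the node can apply its ACL/QPS policy to the client prefix even though the packet's source IP is the balancer's. On BIG-IP the injection side is the DNS profile plus the DNS::edns0 iRule linked above, which needs DNS/GTM provisioned; this example does not replace that, it only shows the format and the node-side checks. The client IPs, query name and ACL are constructed for illustration. Standard library only.

```python
"""EDNS Client Subnet (RFC 7871): encode the client's prefix into a DNS query and
decode it on the DNS node.  Added example, not F5 code; IPs, names and the ACL are constructed."""
import ipaddress
import struct
from typing import List, Optional, Tuple, Union

OPT_RR_TYPE = 41                  # RFC 6891 OPT pseudo-RR type
ECS_OPTION_CODE = 8               # RFC 7871 option code
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # IANA address family numbers
UDP_PAYLOAD_SIZE = 4096           # advertised in the OPT RR CLASS field
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_ecs_option(client_ip: str, source_prefix_len: Optional[int] = None) -> bytes:
    """OPTION-DATA for an ECS option in a query (RFC 7871 section 6): the address is
    truncated to SOURCE PREFIX-LENGTH (default /24 IPv4, /56 IPv6, the RFC's recommendation)
    and only the significant octets are sent.  SCOPE PREFIX-LENGTH is always 0 in queries."""
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    plen = source_prefix_len if source_prefix_len is not None else (24 if addr.version == 4 else 56)
    if not 0 <= plen <= addr.max_prefixlen:
        raise ValueError("bad SOURCE PREFIX-LENGTH")
    network = ipaddress.ip_network(f"{addr}/{plen}", strict=False)   # masks the host bits
    octets = network.network_address.packed[: (plen + 7) // 8]
    return struct.pack("!HBB", family, plen, 0) + octets


def build_query(qname: str, qtype: int, client_ip: str, txid: int = 0x1234) -> bytes:
    """Query with RD set, one question, and an OPT RR in the additional section carrying ECS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # QDCOUNT=1, ARCOUNT=1
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    ecs = build_ecs_option(client_ip)
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
    # OPT RR: empty NAME, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags (all 0)
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, UDP_PAYLOAD_SIZE, 0, len(rdata)) + rdata
    return header + question + opt_rr


def parse_ecs_option(odata: bytes) -> Tuple[Network, int]:
    """Decode OPTION-DATA; raise ValueError where RFC 7871 section 6 says to answer FORMERR."""
    if len(odata) < 4:
        raise ValueError("ECS option too short")
    family, src_plen, scope_plen = struct.unpack_from("!HBB", odata, 0)
    octets = odata[4:]
    total = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}.get(family)
    if total is None:
        raise ValueError(f"unknown ECS address family {family}")
    if src_plen > total * 8 or len(octets) != (src_plen + 7) // 8:
        raise ValueError("ADDRESS length inconsistent with SOURCE PREFIX-LENGTH")
    padded = octets + b"\x00" * (total - len(octets))
    try:   # strict=True rejects non-zero bits beyond the prefix, which the RFC also makes a FORMERR
        return ipaddress.ip_network((padded, src_plen), strict=True), scope_plen
    except ValueError:
        raise ValueError("ADDRESS has non-zero bits beyond SOURCE PREFIX-LENGTH") from None


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extract_client_subnet(msg: bytes) -> Optional[Tuple[Network, int]]:
    """What the DNS node does: walk the sections and return (client prefix, scope) or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                             # iterate the EDNS options
            code, olen = struct.unpack_from("!HH", rdata, pos)
            if code == ECS_OPTION_CODE:
                return parse_ecs_option(rdata[pos + 4:pos + 4 + olen])
            pos += 4 + olen
    return None


def client_allowed(msg: bytes, acl: List[Network]) -> bool:
    """Match the ECS prefix against a prefix ACL; a query without ECS matches nothing."""
    found = extract_client_subnet(msg)
    if found is None:
        return False
    client_net, _ = found
    return any(client_net.version == n.version and client_net.subnet_of(n) for n in acl)


if __name__ == "__main__":
    query = build_query("example.com.", 1, "203.0.113.77")       # constructed client IP
    print(extract_client_subnet(query))                          # (IPv4Network('203.0.113.0/24'), 0)
    print(client_allowed(query, [ipaddress.ip_network("203.0.113.0/24")]))   # True
```

Two caveats matter for the use case in this thread. First, the nodes only see a prefix (/24 or /56 by default), so per-IP ACLs and QPS limits become per-prefix unless the balancer sends a longer SOURCE PREFIX-LENGTH, which RFC 7871 permits but discourages for privacy reasons. Second, any client that can reach a node directly can forge the option, so a node should only honour ECS on queries arriving from the balancer's own addresses and treat a malformed option as FORMERR, as the parser above does.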