Forum Discussion

PPawar_309940
Jun 05, 2018

Multiple listeners F5-DNS

Hi,

This is a basic question about the behavior of F5 DNS which I am trying to understand; I want to know how exactly it works.

I have configured two TCP/UDP listeners in F5:

  • List 1 - 192.168.20.1
  • List 2 - 192.168.20.2

List 1 is configured with a pool for forwarding the DNS requests; the pool member is the external BIND server. List 2 is not configured with any pool.

I have configured two test wide IPs in GTM:

  • test1.abc.com - 100.100.100.1
  • test2.abc.com - 200.200.200.1

The wide IP pools are configured as: Preferred method: Global Availability; Alternate: Round Robin; Fallback: Return to DNS.

 

Now the interesting part:

  • When I do an nslookup from a machine for both of the wide IPs above by pointing at the List 1 IP address, I get the DNS reply almost immediately.
  • When I do the same thing for the List 2 IP address, I get DNS timeouts and then finally get the answer. Surely this is not right.
  • When I configure List 2 with the same pool which was used for List 1, I don't see DNS timing out for the List 2 IP address, which is very strange, because I don't want any DNS forwarding for listener 2.
  • I checked the named config under the F5 ZoneRunner and saw that recursion was set to yes for 10.0.0.0/8 and 192.168.0.0/16. Since we are not using the F5 BIND, I thought of disabling it, so I disabled recursion and removed the 10 and 192.168 subnets.
  • I ran the nslookup test again for the List 2 IP, and this time the DNS reply was almost instant.

This clearly means that when a DNS query was sent to the List 2 IP it was forwarding it to the F5 BIND, but the question is why it was sending the request to BIND, as F5 always considers wide IPs first, and since both wide IPs were configured on the GTM it should have given the reply without any timeouts.

 

The second thing is: what changed after I disabled recursion? Both listeners are configured exactly the same, with only one exception, which is that List 1 had a pool and List 2 doesn't.

The last thing is how to check/troubleshoot whether a DNS query is handled by GTM (wide IP) or by F5 BIND.

I can check the statistics for wide IPs, but how do I check if BIND is replying to the query?

Could anyone explain this behavior to me, or is there something which I have misunderstood?

Thanks, Pankaj

 
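The last question in the post, how to tell whether a reply came from a GTM wide IP or from the local BIND, can be approached from the client side by looking at the response itself. The following Python is an added example, not code from the thread or from F5: it parses the text output of `dig` and applies two assumptions, labelled in the comments, that a wide IP answer is authoritative (AA flag set) and returns one of the wide IP's configured addresses, whereas a reply produced by a recursive BIND carries RA without AA. The three `dig` outputs are constructed to match the symptoms described above, not captured from the poster's BIG-IP.

```python
"""Classify dig responses from an F5 DNS listener: GTM wide IP or BIND?"""
import re
from dataclasses import dataclass

# Wide IPs and their member addresses exactly as configured in the thread.
WIDE_IPS = {
    "test1.abc.com": {"100.100.100.1"},
    "test2.abc.com": {"200.200.200.1"},
}

# Constructed dig output (not captured from the poster's BIG-IP).
# Listener 1: the wide IP answers at once; the response carries the AA bit.
DIG_LIST1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
test1.abc.com.      30  IN  A   100.100.100.1

;; Query time: 1 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
"""

# Listener 2 before recursion was turned off: answer arrives late, no AA bit,
# RA bit set, i.e. a recursive resolver produced it.
DIG_LIST2_RECURSED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
test1.abc.com.      30  IN  A   100.100.100.1

;; Query time: 8012 msec
;; SERVER: 192.168.20.2#53(192.168.20.2)
"""

# A recursion that times out surfaces as SERVFAIL with no answer section.
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 10004 msec
;; SERVER: 192.168.20.2#53(192.168.20.2)
"""

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
STATUS_RE = re.compile(r"status: ([A-Z]+)")
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.M)
A_RR_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+(?:\.\d+){3})$", re.M)


@dataclass
class Verdict:
    status: str
    flags: set
    answers: dict          # owner name -> set of A addresses
    query_time_ms: int
    source: str            # "gtm-wideip" | "bind-recursion" | "no-answer" | "unknown"


def parse_dig(text: str):
    """Pull status, flags, A answers and query time out of dig's text output."""
    status = STATUS_RE.search(text).group(1)
    flags = set(FLAGS_RE.search(text).group(1).split())
    qtime = int(QTIME_RE.search(text).group(1))
    answers = {}
    for owner, addr in A_RR_RE.findall(text):
        answers.setdefault(owner, set()).add(addr)
    return status, flags, answers, qtime


def classify(text: str, wide_ips=WIDE_IPS) -> Verdict:
    """Assumption used here: a GTM wide IP answer is authoritative (AA set) and
    its addresses are the wide IP's configured members; a reply produced by a
    recursive BIND carries RA without AA."""
    status, flags, answers, qtime = parse_dig(text)
    if status != "NOERROR" or not answers:
        source = "no-answer"
    elif "aa" in flags and all(
        owner in wide_ips and addrs <= wide_ips[owner] for owner, addrs in answers.items()
    ):
        source = "gtm-wideip"
    elif "ra" in flags and "aa" not in flags:
        source = "bind-recursion"
    else:
        source = "unknown"
    return Verdict(status, flags, answers, qtime, source)


if __name__ == "__main__":
    samples = (("List 1", DIG_LIST1), ("List 2", DIG_LIST2_RECURSED), ("List 2 timeout", DIG_SERVFAIL))
    for label, out in samples:
        v = classify(out)
        print(f"{label}: {v.source} ({v.status}, {v.query_time_ms} ms)")
```

In practice you would feed it the output of `dig @192.168.20.1 test1.abc.com` and `dig @192.168.20.2 test1.abc.com` from the same client; the flag pattern and the query time together separate the two paths, which Windows `nslookup` does not show.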

3 Replies

  • PPawar, if you are using the default "dns" profile (it sounds like you are), the behavior you are seeing doesn't match my experience. I don't necessarily have an answer for you, but here are some next steps that may get us there.

    Do the DNS servers in the DNS pool respond to test1.abc.com and test2.abc.com? If so, for troubleshooting you could change the IP in one place to see where the response is coming from.

    I feel like there is a way to get DNS/GTM to indicate (log) how it made the resolution decision, but I may be thinking of logging load-balancing reasoning. I'll keep digging.

    The flow should go as follows (this is not definitive, but covers most bases):

    1. DNS query received at Listener.
    2. Packet validated by IP and UDP/TCP profiles and dropped if malformed etc.
    3. Listener (LTM-type) iRules which have certain DNS/GTM-related limitations.
    4. DNSSEC
    5. Wide IP (DNS/GTM-type) iRules (if applicable) which have certain DNS/GTM/LTM-related limitations.
    6. DNS Express
    7. DNS Cache
    8. DNS Resolving Cache
    9. Unhandled Query Action: Allow (OPTION 1): DNS Load Balancing (to configured DNS Pool) if DNS Pool assigned to Listener.
    10. Unhandled Query Action: Allow (OPTION 2): F5-local BIND if DNS Pool NOT assigned to Listener AND "Use BIND Server on BIG-IP" set to Enabled.
    11. Unhandled Query Action: Allow (OPTION 3): Forward (not LB) to a DNS server (DNS server IP must match Listener IP) as long as Listener IP is not a Self IP (not using a Self IP is recommended best practice starting in 12.1, I believe--using a Self IP may have been required in v11 and earlier) AND if DNS Pool NOT assigned to Listener AND "Use BIND Server on BIG-IP" set to Disabled.
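The eleven-step order above, written out as a small Python model and run against the poster's two listeners and two wide IPs. This is an added example, not F5's code and not the reply author's; it assumes a placeholder address (203.0.113.53) for the external BIND pool member and a constructed client address, takes the allow-recursion networks from the poster's named config, and skips DNSSEC, DNS Express and the caches (steps 4 and 6 to 8) since nothing in the thread says they are configured. Its useful property is that for names GTM owns, both listeners answer from the wide IP whether or not a pool or local BIND is behind them; the pool versus BIND versus forward split only appears for names no wide IP matches.

```python
"""Model of the listener decision order listed in the reply above."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Listener:
    name: str
    ip: str
    dns_pool: List[str] = field(default_factory=list)  # step 9: DNS pool members
    use_bind_on_bigip: bool = True                      # step 10: "Use BIND Server on BIG-IP"
    unhandled_query_action: str = "allow"               # DNS profile setting
    is_self_ip: bool = False                            # step 11 precondition


@dataclass
class LocalBind:
    # Networks named.conf lets recurse (the poster found 10/8 and 192.168/16 here).
    allow_recursion: List[str]

    def recurses_for(self, client_ip: str) -> bool:
        return any(ip_address(client_ip) in ip_network(n) for n in self.allow_recursion)


def handle_query(listener: Listener, qname: str, wide_ips: Dict[str, str],
                 local_bind: LocalBind, client_ip: str) -> Tuple[str, Optional[str]]:
    """Return (component that answers, address it hands back or None)."""
    # Step 5: wide IP lookup. Steps 4 and 6-8 (DNSSEC, DNS Express, caches) are
    # not mentioned as configured in the thread, so this model skips them.
    name = qname.lower().rstrip(".")
    if name in wide_ips:
        return "wideip", wide_ips[name]
    # Nothing on the BIG-IP owns the name: the profile's Unhandled Query Action decides.
    if listener.unhandled_query_action != "allow":
        return f"unhandled:{listener.unhandled_query_action}", None
    if listener.dns_pool:                                # step 9, option 1
        return "dns-pool", listener.dns_pool[0]
    if listener.use_bind_on_bigip:                       # step 10, option 2
        if local_bind.recurses_for(client_ip):
            return "local-bind-recursive", None          # the path the poster's symptoms point at
        return "local-bind-no-recursion", None
    if listener.is_self_ip:                              # step 11 precondition
        return "forward-blocked-self-ip", None
    return "forward", listener.ip                        # step 11, option 3


# Scenario from the thread; 203.0.113.53 is a placeholder for the external BIND.
WIDE_IPS = {"test1.abc.com": "100.100.100.1", "test2.abc.com": "200.200.200.1"}
LIST1 = Listener("List 1", "192.168.20.1", dns_pool=["203.0.113.53"])
LIST2 = Listener("List 2", "192.168.20.2")
BIND_BEFORE = LocalBind(["10.0.0.0/8", "192.168.0.0/16"])  # recursion on, as found
BIND_AFTER = LocalBind([])                                  # after the poster disabled it
CLIENT = "192.168.50.10"                                    # constructed test machine address


def walk_scenario():
    """Every listener x name x BIND state combination, for printing or asserting."""
    rows = []
    for lst in (LIST1, LIST2):
        for q in ("test1.abc.com", "test2.abc.com", "www.example.net"):
            for label, b in (("recursion on", BIND_BEFORE), ("recursion off", BIND_AFTER)):
                rows.append((lst.name, q, label, handle_query(lst, q, WIDE_IPS, b, CLIENT)))
    return rows


if __name__ == "__main__":
    for name, q, label, verdict in walk_scenario():
        print(f"{name:7} {q:16} {label:13} -> {verdict}")
```

Run as a script it prints the twelve combinations; the rows for test1.abc.com and test2.abc.com come out as `wideip` on both listeners in both BIND states, which is what the reply says should happen and what the poster did not observe on List 2.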
  • Anoop

    Hello Pankaj,

    Please double check your configuration once and ensure the wide IP is up and available. F5 will never respond from BIND as long as there is a wide IP object configured which is up and running fine.