Placing BIG-IP DNS in front of a Pool of DNS Servers

Girma_Tefera
Altocumulus

The F5 DNS server was positioned in front of a pool of Microsoft DNS servers. If the record is a wideip, F5 DNS will answer the query; else, the query will be forwarded to the Microsoft DNS server. Before the integration, we tested the wideip by setting the F5 listener (10.1.226.249) as the user's primary DNS server. It responded as predicted and dropped the query if it was non-wideip. Following the test, we incorporated the Microsoft DNS servers (10.3.2.2 and 10.3.2.4) as nodes >> Pool >> and connected this pool to the F5 listener (10.2.226.249). If a wideip query is made at this time, it will typically be forwarded to Microsoft DNS, and if that fails, it will resolve locally. The first three attempts at nslookup will be dropped, and then the name will be resolved.

How do I prioritise wideip queries to be resolved by F5 DNS rather than sending them primarily to Microsoft DNS servers?

1 ACCEPTED SOLUTION

Girma_Tefera
Altocumulus

Dear Ben_Novak and Nikoolayy1;

Thank you for your kind and helpful support.

I found the answer to this problem. The problem was: when I use nslookup for the wideip test.demo.local, it appends the domain suffix, which means it asks for test.demo.local.demo.local on my client workstation (10.1.75.72), a domain-joined PC, which indicates it is under the domain demo.local. Now that F5 has determined that this is a non-wideip query, it forwards the request to Microsoft DNS, making the initial two or three nslookups unsuccessful. It eventually tries without adding a domain suffix, and F5 responds with test.demo.local because it is a wideip query.

To resolve this problem, since the domain is included by default, I tried nslookup without adding it and discovered that the result was as I had anticipated. For more information, see the link below.

https://serverfault.com/questions/74067/windows-appending-domain-suffix-to-all-lookups


7 REPLIES

Ben_Novak
F5 Employee

Hi Girma_Tefera,

DNS logic in F5 DNS/GTM/GSLB is handled at the DNS profile on the listener (vs).

As you noted, if a request matches a wideip, then it will respond with F5 Intelligent DNS (gslb); if not, it will continue through the logic tree till it finds a response or a configured action.

Between all the options and features, it can get rather complicated pretty quick. The following two articles should help clarify how all that process works.

K18522641: Overview of the DNS profile (14.x and later)

https://my.f5.com/manage/s/article/K18522641

K14510: Overview of DNS query processing on BIG-IP

https://my.f5.com/manage/s/article/K14510

Other things to consider:

  • a wideip can be configured to ultimately fallback to bind, or local dns pool (if resources are down)
  • enable dns logging on the wideip to see what is happening

Hoping this helps.  🙂

I appreciate your reply. My worry was that the wideip query would time out since F5 DNS would transmit it to Microsoft DNS, while the first three nslookups would time out. My expectation was that F5 would respond if the query was wideip; otherwise, it would go to Microsoft DNS. Why is wideip not prioritized instead of being forwarded to Microsoft?


In its default configuration, GTM will attempt to serve the response from GSLB before asking the Microsoft DNS servers (if configured). I suggest enabling wideip logging to see why it is not responding as you expect.

K25751652: How to configure Decision Logging for the F5 BIG-IP DNS/GTM to local log directory

https://my.f5.com/manage/s/article/K25751652#a1


Hello Ben_Novak;

I enabled the log following your advice, and I now have this log.

For the wideip (test.demo.local) query, listener 10.1.226.249, client 10.1.75.72:
May 9 06:14:33 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:33 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49332: view none: query: test.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:14:35 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:35 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49333: view none: query: test.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49334: view none: query: test.demo.local IN A + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49335: view none: query: test.demo.local IN AAAA + (10.1.226.249%0)

For the non-wideip (abc.demo.local) query, listener 10.1.226.249, client 10.1.75.72:
May 9 06:15:12 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:12 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59877: view none: query: abc.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:15:14 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:13 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59878: view none: query: abc.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:16 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59879: view none: query: abc.demo.local IN A + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:15 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59880: view none: query: abc.demo.local IN AAAA + (10.1.226.249%0)

The following image was taken from the client system (10.1.75.72).

[image: nslookup output from client 10.1.75.72]

The image that follows was taken without Microsoft DNS configured. Non-wideip queries are refused, and wideip queries respond immediately.

[image: nslookup output from client 10.1.75.72 without Microsoft DNS configured]

This should help you grasp things better, in my opinion.
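The query log posted above only shows what was asked, not why the first lookups were forwarded. The following script is an added example (not code from the thread or from F5) that parses BIG-IP DNS query-log lines of the shape shown above and flags queries whose name is a configured wide IP with a client search suffix appended, which is exactly the case the accepted solution describes. The wide IP set and the suffix list are assumptions taken from the names in the thread; the log lines are constructed in the same format.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the BIG-IP DNS query log posted above
# (hostname shortened; client, listener and names are the thread's).
SAMPLE_LOG = """\
May 9 06:14:33 bigip-01 info tmm[9029]: 2023-05-09 06:14:33 bigip-01.cbe.com.et from 10.1.75.72#49332: view none: query: test.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:14:37 bigip-01 info tmm[9029]: 2023-05-09 06:14:37 bigip-01.cbe.com.et from 10.1.75.72#49334: view none: query: test.demo.local IN A + (10.1.226.249%0)
May 9 06:15:12 bigip-01 info tmm[9029]: 2023-05-09 06:15:12 bigip-01.cbe.com.et from 10.1.75.72#59877: view none: query: abc.demo.local.cbe.com.et IN A + (10.1.226.249%0)
"""

# Assumed: the only wide IP configured on the BIG-IP DNS is the one from the thread.
WIDEIPS = {"test.demo.local"}
# Assumed: search suffixes the client's resolver appends, inferred from the logged names.
SEARCH_SUFFIXES = ["cbe.com.et", "demo.local"]

# Pulls client, source port, queried name and record type out of one log line.
QUERY_RE = re.compile(
    r"from (?P<client>[\d.]+)#(?P<port>\d+): view \S+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) "
)


def classify(qname: str) -> str:
    """wideip: matches GSLB; wideip+suffix: a wide IP with a search suffix
    appended, so it falls through to the DNS pool; other: any other name."""
    name = qname.rstrip(".").lower()
    if name in WIDEIPS:
        return "wideip"
    for suffix in (s.lower() for s in SEARCH_SUFFIXES):
        if name.endswith("." + suffix) and name[: -len(suffix) - 1] in WIDEIPS:
            return "wideip+suffix"
    return "other"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every query line; lines that are not query records are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["verdict"] = classify(rec["qname"])
        records.append(rec)
    return records


def suffix_appended_wideips(text: str) -> List[str]:
    """Names that look like wide IPs but will miss GSLB because of a suffix."""
    return [r["qname"] for r in parse_log(text) if r["verdict"] == "wideip+suffix"]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(f'{r["client"]:>12} {r["qtype"]:<5} {r["qname"]:<30} {r["verdict"]}')
```

Run it against a decision or query log exported from the listener to see which of a client's lookups never reached the wide IP, and which ones only succeeded once the resolver stopped appending suffixes.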


Have you enabled response logging? I only see the queries 🙂


Also, maybe check the operations guide, as maybe you have not enabled the DNS pools to be used by the DNS profile (https://my.f5.com/manage/s/article/K14510), as Unhandled Query Actions needs to be allowed. Also check if "Recursion Desired" is enabled in the DNS profile, and keep in mind that the F5 community is not the F5 TAC, whose job it is to solve such issues; this is an open tech community where we help one another 😉


https://my.f5.com/manage/s/article/K65762138


  1. On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.

  2. Click Create. The New DNS Logging profile screen opens.

  3. In the Name field, type a unique name for the profile.

  4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.

  5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.

  6. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.

  7. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.

  8. Click Finished.


Thanks for following up with this!