08-May-2023 07:18
The F5 DNS server was positioned in front of a pool of Microsoft DNS servers. If the record is a wideip, F5 DNS will answer the query; otherwise, the query will be forwarded to the Microsoft DNS server. Before the integration, we tested the wideip by setting the F5 listener (10.1.226.249) as the user's primary DNS server. It responded as predicted and dropped the query if it was a non-wideip. Following the test, we added the Microsoft DNS servers (10.3.2.2 and 10.3.2.4) as Nodes >> Pool and connected this pool to the F5 listener (10.2.226.249). If a wideip query is made at this time, it will typically be forwarded to Microsoft DNS, and if that fails, it will be resolved locally. The first three nslookup attempts will be dropped, and then the name will be resolved.
How do I prioritise wideip queries so that they are resolved by F5 DNS rather than being sent primarily to the Microsoft DNS servers?
08-May-2023 08:31
Hi Girma_Tefera,
DNS logic in F5 DNS/GTM/GSLB is handled by the DNS profile on the listener (VS).
As you noted, if a request matches a wideip, it will respond with F5 Intelligent DNS (GSLB); if not, it will continue through the logic tree until it finds a response or a configured action.
Between all the options and features, it can get rather complicated pretty quickly. The following two articles should help clarify how that process works.
https://my.f5.com/manage/s/article/K18522641
https://my.f5.com/manage/s/article/K14510
Other things to consider:
Hoping this helps. 🙂
08-May-2023 10:14
I appreciate your reply. My worry was that the wideip query would time out, since F5 DNS would transmit it to Microsoft DNS, and the first three nslookups would time out. My expectation was that F5 would respond if the query was a wideip; otherwise, it would go to Microsoft DNS. Why is the wideip not prioritized instead of being forwarded to Microsoft?
08-May-2023 14:52
In its default configuration, GTM will attempt to serve the response from GSLB before asking the Microsoft DNS servers (if configured). I suggest enabling wideip logging to see why it is not responding as you expect.
https://my.f5.com/manage/s/article/K25751652#a1
08-May-2023 20:31
I enabled the log following your advice, and I now have these log entries.
For the wideip (test.demo.local) query, listener 10.1.226.249, client 10.1.75.72:
May 9 06:14:33 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:33 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49332: view none: query: test.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:14:35 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:35 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49333: view none: query: test.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49334: view none: query: test.demo.local IN A + (10.1.226.249%0)
May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49335: view none: query: test.demo.local IN AAAA + (10.1.226.249%0)
For the non-wideip (abc.demo.local) query, listener 10.1.226.249, client 10.1.75.72:
May 9 06:15:12 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:12 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59877: view none: query: abc.demo.local.cbe.com.et IN A + (10.1.226.249%0)
May 9 06:15:14 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:13 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59878: view none: query: abc.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:16 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59879: view none: query: abc.demo.local IN A + (10.1.226.249%0)
May 9 06:15:16 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:15:15 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#59880: view none: query: abc.demo.local IN AAAA + (10.1.226.249%0)
The image was taken from the client system (10.1.75.72).
The image that follows was taken without Microsoft DNS configured. Non-wideip queries are refused, and wideip queries are answered immediately.
This should help you grasp things better, in my opinion.
09-May-2023 04:45 - edited 09-May-2023 07:52
Have you enabled response logging? I only see the queries 🙂
Also, maybe check the operations guide, as you may not have enabled the DNS pools to be used by the DNS profile (https://my.f5.com/manage/s/article/K14510); Unhandled Query Actions needs to be set to allow. Also check whether "Recursion Desired" is enabled in the DNS profile, and keep in mind that the F5 community is not F5 TAC, whose job it is to solve such issues; this is an open tech community where we help one another 😉
https://my.f5.com/manage/s/article/K65762138
On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.
Click Create. The New DNS Logging profile screen opens.
In the Name field, type a unique name for the profile.
From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.
For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.
For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.
Click Finished.
12-May-2023 19:14 - edited 12-May-2023 19:15
Dear Ben_Novak and Nikoolayy1;
Thank you for your kind and helpful support.
I found the answer to this problem. The problem was that when I use nslookup for the wideip test.demo.local, it appends the domain suffix, which means it asks for test.demo.local.demo.local on my client workstation (10.1.75.72), a domain-joined PC, which indicates it is under the demo.local domain. Since F5 determined that this is a non-wideip query, it forwarded the request to Microsoft DNS, making the initial two or three nslookups unsuccessful. It eventually tries without adding a domain suffix, and F5 responds with test.demo.local because it is a wideip query.
To resolve this problem, since the domain is appended by default, I tried nslookup without adding it and found that the result was as I had anticipated. For more information, see the link below.
https://serverfault.com/questions/74067/windows-appending-domain-suffix-to-all-lookups
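As an added example (not from this thread, from F5, or from the poster), the script below parses the tmm query-log lines posted earlier in the thread, classifies each queried name the way the listener would see it, and counts how many queries the client sends before one actually matches a wideip. It also models the client-side fix from the accepted answer: a name with a trailing dot is sent as-is instead of having the search suffix appended. The wideip set, the client's DNS suffix list (taken from the .cbe.com.et suffix visible in the log lines), the log-line regex, and the simplified model of the Windows search-list behaviour are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the four query-log lines for the wideip test,
# in the tmm query-log format shown in the thread.
SAMPLE_LINES = [
    "May 9 06:14:33 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:33 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49332: view none: query: test.demo.local.cbe.com.et IN A + (10.1.226.249%0)",
    "May 9 06:14:35 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:35 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49333: view none: query: test.demo.local.cbe.com.et IN AAAA + (10.1.226.249%0)",
    "May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49334: view none: query: test.demo.local IN A + (10.1.226.249%0)",
    "May 9 06:14:37 cbe0000-00-bigip-01 info tmm[9029]: 2023-05-09 06:14:37 cbe0000-00-bigip-01.cbe.com.et from 10.1.75.72#49335: view none: query: test.demo.local IN AAAA + (10.1.226.249%0)",
]

# Assumed layout of a tmm DNS query-log line: "+" is the recursion-desired flag,
# "%0" after the listener address is the route domain.
QUERY_RE = re.compile(
    r"from (?P<client>\d+(?:\.\d+){3})#(?P<port>\d+): view (?P<view>\S+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<listener>[^)]+)\)"
)

# Wideips configured on the listener and the client's DNS suffix search list
# (both assumptions for this example; the suffix is what the log lines show).
WIDEIPS = {"test.demo.local"}
CLIENT_SUFFIXES = ["cbe.com.et"]


def normalize(name):
    """Lower-case and drop any trailing dot so names compare cleanly."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["qname"] = normalize(d["qname"])
    return d


def classify(qname, wideips=WIDEIPS, suffixes=CLIENT_SUFFIXES):
    """How the listener treats a name (exact-match wideips only, assumed):
    'wideip'          exact wideip match, answered by GSLB
    'suffix-appended' a wideip with a client search suffix appended, so it is
                      NOT a wideip and falls through to the unhandled-query
                      action / DNS pool
    'non-wideip'      anything else, also handed to the pool"""
    qname = normalize(qname)
    if qname in wideips:
        return "wideip"
    for s in suffixes:
        s = normalize(s)
        if qname.endswith("." + s) and qname[: -len(s) - 1] in wideips:
            return "suffix-appended"
    return "non-wideip"


def analyze(lines):
    """Group parsed queries per client, keeping the order they were logged."""
    per_client = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q:
            per_client[q["client"]].append((q["qname"], q["qtype"], classify(q["qname"])))
    return dict(per_client)


def wasted_lookups(sequence):
    """Queries sent before the first one the GSLB answers itself."""
    for i, (_, _, cls) in enumerate(sequence):
        if cls == "wideip":
            return i
    return len(sequence)


def client_candidates(name, suffixes=CLIENT_SUFFIXES):
    """Simplified model (assumption) of a Windows stub resolver / nslookup:
    a name ending in a dot is sent as-is; otherwise each search suffix is
    appended first and the bare name is tried last. Devolution and
    ndots-style rules of real resolvers are ignored."""
    if name.endswith("."):
        return [normalize(name)]
    name = normalize(name)
    return [name + "." + normalize(s) for s in suffixes] + [name]


if __name__ == "__main__":
    for client, seq in analyze(SAMPLE_LINES).items():
        print(f"client {client}: {wasted_lookups(seq)} queries before a wideip hit")
        for qname, qtype, cls in seq:
            print(f"  {qname:32} {qtype:5} {cls}")
    print("fix: ask for the FQDN ->", client_candidates("test.demo.local."))
```

Run against the four sample lines, the script reports two queries (A and AAAA for test.demo.local.cbe.com.et) that the listener cannot match to a wideip before the bare test.demo.local arrives; with the trailing-dot form the candidate list collapses to the wideip name alone, so the first query is answered by GSLB.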
16-May-2023 21:42
Thanks for following up with this!