Forum Discussion

Giammarco
Mar 07, 2018

Zonerunner Issue

Hi guys,

I'm trying to solve two big issues using my F5 as master DNS.

First: I want to forward a full PTR network (in my case a /16) to another BIND, but it doesn't seem to work. PTRs are resolved only if the F5 is the master. Is it a supported feature or not? If I configure the same forward on a normal BIND it works.

Second: I'm forwarding a *.local domain to my AD servers, but I've found that every time I do a dig using the F5 VIP it also reports back an authority section, and this creates issues with particular services.

Here is an example:

dig @ AD server output:

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @10.10.10.200 test.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44844
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;test.local.                    IN      A

;; ANSWER SECTION:
test.local.             600     IN      A       10.x.x.x
test.local.             600     IN      A       192.168.x.x

dig @ F5 (that forwards to AD server):

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @10.10.10.201 test.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44763
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.local.                    IN      A

;; ANSWER SECTION:
test.local.             600     IN      A       10.x.x.x
test.local.             600     IN      A       192.168.x.x

;; AUTHORITY SECTION:
.                       71938   IN      NS      f.root-servers.net.
.                       71938   IN      NS      c.root-servers.net.
.                       71938   IN      NS      a.root-servers.net.
.                       71938   IN      NS      b.root-servers.net.
.                       71938   IN      NS      d.root-servers.net.
.                       71938   IN      NS      g.root-servers.net.
.                       71938   IN      NS      e.root-servers.net.
.                       71938   IN      NS      h.root-servers.net.
.                       71938   IN      NS      l.root-servers.net.
.                       71938   IN      NS      m.root-servers.net.
.                       71938   IN      NS      i.root-servers.net.
.                       71938   IN      NS      k.root-servers.net.
.                       71938   IN      NS      j.root-servers.net.

My F5s are running LTMOS 11.6.1 HF1. Any help is very appreciated!

Thanks
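As an added example (not part of the original post or of any F5 or BIND tooling), a small Python checker that parses dig's text output and flags the two symptoms shown in the outputs above: the missing aa flag and an AUTHORITY section filled with root-zone NS records instead of the queried zone's. The sample outputs are constructed from the post, with placeholder addresses.

```python
import re
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
def parse_dig(text):
    """Parse dig text output into (flags, {section: [(owner, ttl, class, type, rdata), ...]})."""
    flags, sections, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line or line.startswith(";") or current is None:
            continue  # blank lines, dig comments and the ';'-prefixed QUESTION line
        parts = line.split(None, 4)
        if len(parts) == 5:
            sections[current].append(tuple(parts))
    return flags, sections

def diagnose(text):
    """Findings for one dig output: was the answer authoritative, and whose NS records fill AUTHORITY?"""
    flags, sections = parse_dig(text)
    findings = []
    if "aa" not in flags:
        findings.append("non-authoritative answer (served from cache or a forwarder)")
    ns_owners = {r[0] for r in sections.get("AUTHORITY", []) if r[3] == "NS"}
    if ns_owners == {"."}:
        findings.append("AUTHORITY carries root-zone NS records, not the queried zone's")
    return findings
# Constructed samples modelled on the two dig runs in the post (addresses are placeholders).
AD_OUTPUT = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
test.local.             600     IN      A       10.0.0.10
"""
F5_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;test.local.                    IN      A
;; ANSWER SECTION:
test.local.             600     IN      A       10.0.0.10
;; AUTHORITY SECTION:
.                       71938   IN      NS      a.root-servers.net.
.                       71938   IN      NS      b.root-servers.net.
"""
```

Running `diagnose()` over the output of each resolver in the chain (AD server, F5 VIP) shows at which hop the aa flag is lost and the root NS records are appended.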

2 Replies

  • JG

    It is hard to answer your questions without knowing the specific configurations of your DNS server. And:

    • Do you allow recursion?
    • Have you configured a forwarder?
    • What are your dig commands?
  • Hi,

    Yes, this is the named configuration on the F5:

    // restrict rndc access to local machines
    // use the key in the default place: /config/rndc.key
    controls {
        inet 127.0.0.1 port 953 allow {
            127.0.0.1;
        };
    };
    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default {
            logfile;
        };
        category config {
            logfile;
        };
        category notify {
            logfile;
        };
    };
    options {
        listen-on port 53 {
            127.0.0.1;
            "zrd-acl-000-001";
            "zrd-acl-000-002";
            "zrd-acl-000-000";
        };
        listen-on-v6 port 53 {
            ::1;
        };
        recursion yes;
        directory "/config/namedb";
        allow-transfer {
            localhost;
        };
        allow-recursion {
            lan_hosts;
        };
        check-names master warn;
        check-integrity yes;
        max-journal-size 1M;
        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
    };
    acl "zrd-acl-000-000" {
        127.10.0.0;
    };
    acl "zrd-acl-000-002" {
        127.10.0.2;
    };
    acl "lan_hosts" {
        10.10.10.0/24;
    };
    acl "zrd-acl-000-001" {
        127.10.0.1;
    };
    acl "extkey" {
        key "external";
    };
    acl "noextkey" {
        !key "external";
    };
    key "external" {
        algorithm hmac-md5;
        secret "";
    };

    The dig command that I'm doing is simply:

    dig @IP(AD or F5) SRV test.local