dns
314 Topics

F5 XC Distributed Cloud DNS GSLB implementing Split-DNS
Have you ever wondered how to achieve BIND-like 'view' behavior with the F5 XC DNS Load Balancer, where different DNS responses are returned depending on the client's IP address? Well, wonder no more! F5 XC DNS Load Balancers have had the topology load balancing feature from the start, but now you can also use source IP prefix lists or BGP ASN numbers, which opens the door to split-DNS similar to the BIND "view" feature.

The XC DNS Load Balancer rules now have new options that support load balancing on the EDNS Client Subnet (ECS) or on the BGP ASN. ECS works like the X-Forwarded-For header: the DNS server sees the real client subnet instead of the IP address of the client's local DNS resolver. For more information, see the link below:

EDNS0 Implementation and Troubleshooting recommendations

For anyone who has worked with F5 DNS/GTM on BIG-IP, this is similar to creating custom topology records. For more information, see the link below:

Achieving split DNS behavior through BIG-IP DNS wide IPs

Configuring a DNS zone

First, you need to configure a primary DNS zone as shown in the picture below, or use the option "Allow Application Load Balancer Managed Records", described in the links below, which allows an F5 XC TCP or HTTP load balancer to be auto-added to the primary DNS zone in XC. For more information, see the links below:

Manage DNS Zone | F5 Distributed Cloud Technical Knowledge
Use F5 Distributed Cloud to control Primary and Secondary DNS

The 2 DNS Load Balancer rules match either 46.233.56.0/24 or 0.0.0.0/0 (that is, any IP address), and this is why the Score of the first rule is set to 110, giving it higher priority. For testing, the Linux "dig" command supports the +subnet option to set the EDNS client subnet, for example "dig test.niki.com @ns1.f5clouddns.com +subnet=46.233.56.0". If you don't specify a subnet, the EDNS client subnet will be your own IP address.
But remember that the system could add a default mask such as /24 if you specify +subnet without a mask. When you use @ to send the query directly to ns1.f5clouddns.com or ns2.f5clouddns.com, you don't have to change your public DNS records: you can first test the XC DNS setup and then configure DNS delegation on your primary DNS servers. If you are behind NAT or a VPN, use "What Is My IP Address - See Your Public Address - IPv4 & IPv6" to find your public IP address.

Example DNS request that will be sent to the specific pool:

dig test.niki.com @ns1.f5clouddns.com +subnet=46.233.56.1

Example DNS request that will be sent to the default pool:

dig test.niki.com @ns1.f5clouddns.com +subnet=5.5.5.5

Example DNS request with no "+subnet". This one will be sent to the specific pool, because my IP address matches the 46.233.56.0 subnet and it is auto-added as the EDNS client subnet in the DNS request:

dig test.niki.com @ns1.f5clouddns.com

You can also use the ASN for this task; the ASN is compared against your EDNS client subnet. There are a lot of tools to look up your ASN based on your IP address 😉

Summary: XC gains new features every day, and the DNS Load Balancer service is a clear example of this. We will see what comes next!

nsupdate to modify zone in specific views
We have a zone named example.com and we have 2 views (external and internal), so in /var/namedb/ we have the zone files db.external.example.com and db.internal.example.com. How can we use nsupdate to modify the zone in a specific view? We can't seem to specify a view in the nsupdate script, and we can't specify "zone internal.example.com" in the nsupdate script either.

F5 DNS Generic Host
I am trying to create a few generic hosts for a POC, but I am having issues with them being marked monitor failed. I created a new server named RANCHER-POC-11 and gave it an IP address of 10.4.65.11; this has an https monitor assigned to it. I then created a virtual server with the same IP address and port 443 as well as the https monitor. The server and virtual server are both red triangles. I performed a packet capture and I don't see that the GTM is even attempting to monitor. I put a specific route in the network and pointed it to the GW, and now if I initiate a connection from the CLI I see logs in our monitoring, but only if I do the connection manually. This is the first generic host we have tried to deploy, as the rest of the virtual servers/pools are pulled from the LTMs and this service is not behind the LTM. Any suggestions would be appreciated. Thanks, Joe

What will happen if the local GTM/DNS disables the sync with the other GTM/DNS sync group?
Hi, we want to temporarily remove the local GTM/DNS from the corporate global GTM/DNS sync group. What will happen to the local DNS service? What is the impact? Will some applications be marked as down if the application servers are located in another region and learned via the GTM sync group? We have GTM/DNS in three different regions. Can anyone please advise? Thanks in advance!

DNS Request to VS?
Hello, we found on our firewall lots of DNS requests from the floating IP to some VS (with ASM policy). Now we want the firewall to only allow DNS requests to the known DNS servers. Question: is this normal behaviour? The BIG-IP has a DNS resolver configured. Where can I check this in the Config-Utility? Thanks for any hint. Karl

Accelerate Your Initiatives: Secure & Scale Hybrid Cloud Apps on F5 BIG-IP & Distributed Cloud DNS
It's rare now to find an application that runs exclusively in one homogeneous environment. Users are now global, and enterprises must support applications that are always on and available. These applications must also scale to meet demand while continuing to run efficiently, continuously delivering a positive user experience at minimal cost.

Introduction

In F5's 2024 State of Application Strategy Report, hybrid and multicloud deployments are pervasive. With the need for flexibility and resilience, most businesses deploy applications that span multiple clouds and use complex hybrid environments. In the following solution, we walk through how an organization can expand and scale an application that has matured and now needs to be highly available to internal users while also being accessible to external partners and customers at scale. Enterprises using different form factors such as F5 BIG-IP TMOS and F5 Distributed Cloud can quickly right-size and scale legacy and modern applications that were originally only available in an on-prem datacenter.

Secure & Scale Applications

Let's consider the following example. Bookinfo is an enterprise application running in an on-prem datacenter that only internal employees use. This application provides product information and details that the business' users access from an on-site call center in another building on the campus. To secure the application and make it highly available, the enterprise has deployed an F5 BIG-IP TMOS in front of each endpoint. An endpoint is the combination of an IP, port, and service URL. In this scenario, our app has endpoints for the frontend product page and for backend resources that only the product page pulls from. Internal on-prem users access the app with internal DNS on BIG-IP TMOS. GSLB on the device sends another class of internal users, who aren't on campus and access by VPN, to the public cloud frontend in AWS.

The frontend that runs in AWS can scale with demand, allowing it to expand as needed to serve an influx of external users. Both internal users who are off-campus and external users will now always connect to the frontend in AWS through the F5 Global Network and Regional Edges with Distributed Cloud DNS and App Connect. With the frontend for the app enabled in AWS, it now needs to pull data from backend services that still run on-prem. Expanding the frontend requires additional connectivity, and to provide it we first deploy an F5 Distributed Cloud Customer Edge (CE) in the on-prem datacenter. The CE connects to the F5 Global Network and extends Distributed Cloud Services, such as DNS and Service Discovery, WAF, API Security, DDoS, and Bot protection, to apps running on BIG-IP. These protections not only secure the app but also help reduce unnecessary traffic to the on-prem datacenter.

With Distributed Cloud connecting the public cloud and the on-prem datacenter, Service Discovery is configured on the on-prem CE. This makes a catalog of apps (virtual servers) on the BIG-IP available to Distributed Cloud App Connect. Using App Connect with managed DNS, Distributed Cloud automatically creates the fully qualified domain name (FQDN) for external users to access the app publicly, and it uses Service Discovery to make the backend services running on the BIG-IP available to the frontend in AWS.

Here are the virtual servers running on BIG-IP. Two of the virtual servers, "details" and "reviews," need to be made available to the frontend in AWS while continuing to work for the frontend that's on-prem. To make the virtual servers on BIG-IP available as upstream servers in App Connect, all that's needed is to click "Add HTTP Load Balancer" directly from the Discovered Services menu. To make the on-prem details and reviews services available to the frontend product page in AWS, we advertise each of their virtual servers on BIG-IP only to the CE running in AWS.

The menu below makes this possible with only a few clicks, as service discovery eliminates the need to find the virtual IP and port for each virtual server. Because the CE in AWS runs within Kubernetes, the name of the new service being advertised is recognized by the frontend product page and is automatically handled by the CE. This creates a split-DNS situation where an internal client can resolve and access both the internal on-prem and the external AWS versions of the app. The subdomain "external.f5-cloud-demo.com" is now resolved by Distributed Cloud DNS, and "on-prem.f5-cloud-demo.com" is resolved by the BIG-IP. When combined with GSLB, internal users who aren't on campus and use a VPN will be redirected to the external version of the app.

Demo

The following video explains this solution in greater detail, showing how to configure connectivity to each service the app uses, as well as how the app looks to internal and external users. (Note: it looks and works identically! Just the way it should be, and with minimal time needed to configure it.)

Key Takeaways

BIG-IP TMOS has long delivered best-in-class service with high availability and scale to enterprise and complex applications. When integrated with Distributed Cloud, you can freely expand and migrate application services regardless of the deployment model (on-prem, cloud, and edge). This combination leverages cloud environments for extreme scale and global availability while freeing up on-prem resources that would otherwise be needed to scrub and sanitize traffic.

Conclusion

Using the BIG-IP platform with Distributed Cloud services addresses key challenges that enterprises face today, whether it's making internal apps available globally to workforces in multiple regions or scaling services without purchasing more fixed-cost on-prem resources. F5 has the products to unlock your enterprise's growth potential while keeping resources nimble.

Check out the selected resources below to explore more about the products and services featured in this solution.

Additional Resources

Solution Overview: Distributed Cloud DNS
Solution Overview: One DNS – Four Expressions
Interactive Demo: Distributed Cloud DNS at F5
DevCentral: The Power of &: F5 Hybrid DNS solution
F5 Hybrid Security Architectures: One WAF Engine, Total Flexibility

Cross platform migration issue
Hi, we want to migrate the config from an iSeries 4K to an rSeries 5K. The current software version on the iSeries is 13.x. I tried running BIG-IP v15.x on the rSeries, then exporting the config from the iSeries and importing it into the rSeries, but it was not successful; there were some errors. Can someone please advise what I should do to make the migration successful? Thanks in advance!

SNI sites not taking correct certificate
I have configured one VIP with two certificates: aks.test.com and aks4.test.com. On the SSL profile for aks.test.com I have enabled the SNI feature, and aks.test.com is working fine, taking the correct certificate (aks.test.com). But aks4.test.com shows a "not secure" error in the browser and takes the certificate of aks.test.com. Could someone please help with what could be the issue in this case?

UCS backup not loading BIG-IP DNS pool
I was planning to upgrade BIG-IP DNS, currently on version 13.x, to version 15 and then to version 16. I was labbing up the upgrade before doing it on the prod device. While trying to restore the UCS backup file to the lab environment on the same version (version 13), no error was displayed, but the pool and the rest of the configuration did not load. The only configuration that was restored was the self IPs, hostname, VLANs, and the listener configuration. What am I missing? Any suggestion or help would be appreciated.