dns security
1 TopicExternal and Internal DNS on same appliance
Hello F5 experts, Is it possible to somehow logically divide our current F5 DNS F5s so that they have external and internal DNS records without security risks? How it could/couldn't be done, do you have experience with it? Any brainstorming is highly appreciated :) . We have primary BIND servers that delegate a couple of DNS zones to F5s. However, internal services that translate to internal IPs also started to appear, while we want to use GSLB on our 2 data centers, but we clearly do not want these internal IPs to be visible from the Internet. I was thinking about creating a new DNS zone for internal services for which we want to use GSLB and delegate the zone from our primary DNS servers to our F5 DNS, where I would create a new DNS listener (that is, there will be different NS records on primary DNS servers for internal than for external services) on which I would put an ACL only for private IPs. But both the zone and the Wide IPs for internal services will be available on the F5, and I can't create/block it only for a specific listener, as far as I know. Which means that if someone from the Internet directly tries to resolve the internal services and asks the IP addresses of external listeners, F5 will provide them right... At the moment, I have iRule on a Wide IP for the internal services, which only allows private IPs, but I consider this to be only a temporary workaround and we need full solution as internal services will grow.Solved135Views0likes6Comments