DNS: reply from unexpected source
Hi, Firstly, I must say that I am a complete newbie when it comes to BIG-IP products. On the other hand, the load balancer was configured by experts, so I am pretty confident that they made a reasonably good job. I have two DNS servers (DNS1 and DNS2) and a BIG-IP F5 14.1.4.6 load balancer. Both DNS servers' default gateway is the F5. When a DNS client asks the DNS service in the F5, the load balancer sends the request to one of the DNS servers keeping the client's IP. Then, on receiving the reply from the DNS server, the F5 sends the reply to the client using its own IP (with SNAT). This way, the DNS client only talks to the F5. On the other hand, when a DNS client ask one of the DNS servers directly, the DNS server sends the reply to the default gateway (the F5) and the packet is routed to its destination without any change. Nevertheless, every now and then I am facing replies from unexpected sources. For instance, sometimes the client asks DNS1 but it gets the reply from the F5. Thus, I get messages like this: ;; reply from unexpected source: bigip#53, expected dns1#53 It looks like that, on receiving the reply from DNS1, the F5 replaces the packet's source IP (SNAT) with its own ip. Example: Right behaviour: PC -> DNS query to F5 service -> F5 -> sends a query to DNS1 or DNS2 keeping the PC's source IP -> DNS1 replies to the F5 (its default gateway) -> F5 replaces source IP (SNAT) and sends the reply to the PC -> the PC receives the reply from the service it asked to. PC -> sends a DNS query to DNS1 -> DNS1 replies to the F5 (its default gateway) -> the F5 somehow knows that the reply was sent directly to DNS1 and forwards the reply to the PC keeping DNS1's IP address -> the PC receives the reply from the server it asked to (DNS1). Wrong behaviour PC -> sends a DNS query to DNS1 -> DNS1 replies to the F5 (its default gateway) -> the F5 replaces the packet's source IP (DNS1) with its own IP and forwards the reply to the PC -> the PC receives the reply from an unexpected server (F5). Can you give me a hand to solve this? Maybe you can just give me a hint to start looking for the solution. Thanks in advance. Regards,
Are NTP and DNS traffic management type or not?
Hello everyone, I'm system engineer in integrator company and currently I have one PoC of AWAF project with a customer. I have little experience of working with f5 devices, so I have one question and it'll help me a lot in future to analyze how BIG-IP devices. I've done some research in documentations but I couldn't find clear answer on topics, which type of traffic is considered as Data Traffic and which one is Management? For example NTP and DNS traffic should use management route or TMM route (I mean the case when there is no direct path to the destination DNS/NTP servers)? I thought that BIG-IP devices will use management route (management gateway) to do DNS queries and time synchronization, so I asked customer to grant access on firewall from management interface to the destination servers, but it didn't work. Then I've captured traffic via tcpdump and I realized that BIG-IP devices try to use TMM default route instead. But I've read in this article - https://support.f5.com/csp/article/K13284 that NTP is management traffic. Also this article - https://support.f5.com/csp/article/K7017 says that during the device boot, ntpd daemon is starting before TMM, so if it has no route via management interface, time synchronization will fail. So, I'm a little confused, what should I ask customer, open access from TMM interface for DNS, NTP, also for Signature Updates? I just do not understand logically, why NTP, DNS and system update do not use management routes? If all of them are considered as a data traffic, than what is management route used for? Only for accessing management GUI and SSH, is that correct? Sorry for a long question, but I really want to understand the platform's logic of traffic routing, to be able to operate it and correctly implement it with the customer. Thanks in advance. // Giorgi
DNS: unlicensed (enabled) - not authorized
Hi guys, I am preparing to take exam 302, but I have a problem when I add the second virtual server to pool of WideIP, its disabled for "unlicensed (enabled) - not authorized". root@(gtm-stgo)(cfg-sync In Sync)(Active)(/Common)(tmos)# show gtm pool a pool_apache_http members ----------------------------- Gtm::Pool::A pool_apache_http ----------------------------- Status Availability : available State : enabled Reason : Available Load Balancing Preferred 26 Alternate 0 Fallback 0 Returned from DNS 0 Returned to DNS 0 Dropped 0 ------------------------------------------------------------- | Gtm::Pool Member: pool_apache_http:A vs_apache_GTD:GTM-Stgo ------------------------------------------------------------- | Status | Availability : unlicensed | State : enabled | Reason : Not Authorized | | Load Balancing | Preferred 0 | Alternate 0 | Fallback 0 -------------------------------------------------------------- | Gtm::Pool Member: pool_apache_http:A vs_apache_http:GTM-Stgo -------------------------------------------------------------- | Status | Availability : available | State : enabled | Reason : Available | | Load Balancing | Preferred 26 | Alternate 0 | Fallback 0 Im working with licenses of strongbox, and i have licensed and provisioned module GTM and LTM. sys::License Licensed Version12.1.5 Registration key Licensed On2020/04/06 License Start Date2020/04/05 License End Date2020/05/22 Service Check Date2020/04/04 Platform IDZ100k Active Modules APM, Base, VE GBB (500 CCU) () Anti-Virus Checks Base Endpoint Security Checks Firewall Checks Network Access Secure Virtual Keyboard APM, Web Application Machine Certificate Checks Protected Workspace Remote Desktop App Tunnel BT-VE, 1G () Rate Shaping SDN Services, VE DNS and GTM (250 QPS), VE SSL, VE Routing Bundle, VE ASM, VE DNS-GTM, Base, 1Gbps Acceleration Manager, VE Max Compression, VE AFM, VE DNSSEC GTM Licensed Objects, Unlimited DNS Licensed Objects, Unlimited DNS Rate Fallback, 250K GTM Rate Fallback, 250K GTM Rate, 250K DNS Rate Limit, 250K QPS DNS Rate Limit, 1000 QPS GTM Rate, 1000 VE, Carrier Grade NAT (AFM ONLY) PSM, VE show sys provision --------------------------------------------------------- Sys::Provision ModuleCPU (%)Memory (MB)Host-Memory (MB)Disk (MB) --------------------------------------------------------- afm0000 am0000 apm0000 asm0000 avr0000 fps0000 gtm105920 host1025820112772 ilx0000 lc0000 ltm1000 pem0000 swg0000 tmos8854242800 list sys provision sys provision afm { } sys provision am { } sys provision apm { } sys provision asm { } sys provision avr { } sys provision fps { } sys provision gtm { level nominal } sys provision ilx { } sys provision lc { } sys provision ltm { level nominal } sys provision pem { } sys provision swg { } Please your help, for continue studing.
iRule to discard specific DNS REQUEST
Hi We use F5 DNS and we saw there is many DNS request to us. for example. we have many spam dns request for www.seo.com which is not exist in our domain name. (it's non-existing domain spam) Can we have irule to discard only this request for www.seo.com in our listener? Is this irule work? when DNS_REQUEST { if {([string tolower [DNS::question name]] equals "www.seo.com")} { drop (or DNS::drop) } else { } }
Cisco Umbrella client with APM client works after upgrade with DNS proxy enabled
We are working with an end user which uses both Cisco Umbrella and Big IP APM client components web browser to establish VPN. WE are aware about the fact that there are some limitations as decribed here: https://my.f5.com/manage/s/article/K80231353 Strangely enough after upgrading the client components the client suddenly starts working, has there something been improved in the client which now works fine with Cisco Umbrella client. The installed software components before (when it was not working) and after are displayed in attachment. The only thing that changed is the Big-IP Components Installed and Big IP Edge Client version, but the Edge client components are still of the same version. How come that the DNS proxy is now not having issues anymore? Client only has Components Installer Service and DNS Relay Proxy Service active.BIG-IP DNS DNSSEC and DKIM
Hi Everyone, I am new for F5 DNS. I would like to do the DKIM and DNSSEC in Zones. I check this link (https://support.f5.com/csp/article/K30222115) for DKIM configured, will DKIM support 255 characters? I try to import + but it said not support. Same as DNSSEC, will it support all 255 characters?Implementing F5 DNS and Creating Custom CNAME Redirects
We are currently implementing a solution in Azure and have encountered some DNS-related issues. I think it's a good idea to implement F5 DNS. However, I wonder if we can create an iRule to set up a CNAME for a specific domain. In other words, if a domain like "example.com" is received, the iRule would inspect this request and respond to the user with a CNAME from "example.com" to "example.2.com". I have created the following irule: when DNS_REQUEST { set original_name [DNS::question name] if { [string tolower $original_name] ends_with "example.com" } { set modified_name [string map {"example.com" "example.2.com"} [string tolower $original_name]] DNS::question name $modified_name set cname_record "${original_name} IN CNAME ${modified_name}." log local0. "$cname_record" set new_rr [DNS::rr $cname_record] log local0. "$new_rr" DNS::answer clear DNS::answer insert $new_rr DNS::header aa 1 DNS::return } } If I see the logs it looks good: <DNS_REQUEST>:test.example.com. IN CNAMEtest.example.2.com. <DNS_REQUEST>: test.example.com. 3600 IN CNAME test.example.2.com However, when I perform an nslookup, dig, or access the domain directly from the browser, it doesn't work. nslookup: nslookup test.example.com Server: UnKnown Address: x.x.x.x Name: test.example.com dig: dig @x.x.x.x test.example.com ;; Question section mismatch: got test.example.2.com/A/IN Browser: DNS_PROBE_FINISHED_NXDOMAIN Any idea if this is possible?
