Forum Discussion

MetaGawd_156909's avatar
MetaGawd_156909
Icon for Nimbostratus rankNimbostratus
Jun 26, 2014

GTM query regarding Internal and external zone views.

(EDITED 7-1)

 

Relatively new (a returnee of sorts ) to F5 products.

 

We have an implementation of GTM (a redundant pair of instances with one at two different physical locations) that we are trying to ready for production that is intended to replace our internal DMZ nameservers and external authoritative DNS name servers. The thought was to create an internal and external view utilizing one set of DNS servers

 

After setting up wideIPs, we proceeded to migrate our external zones to GTM using the external view. This seemed successful. In the Zone RUnner GUI we then created a internal zone using one of our domains. We then discovered that it seemed populated with the external records even though it was defined as db.internal.(domain).com.

 

Via CLI I was able to confirm that the db.internal.(domain).com. did NOT have these external records, and proceeded to manually enter internal records. I then reloaded the zrd process after validating the BIND files

 

I'm assuming that there must be some misconfiguration in the GTM instance itself as it appears that BIND is properly configured in terms of the views but in the GUI ZoneRunner does not see any internal view domain that shares a domain name with an external view zone.

 

To sum up:

 

-From the GTM GUI if I create a zone as internal only when I attempt to view the zone details I get this error:

 

01150b21:3: RCODE returned from query: 'NOTAUTH'.

 

-If I attempt to create a record for the internal only zone in the GUI get this error:

 

115040a:3: Zone not authoritative during update.

 

-From the CLI I can create the internal view zones, check them and successfully add them to the named.conf. named.conf correctly has both views defined and the correct zones assigned. The internal view and external views zones all have the correct information. The permissions all appear to be correct (belonging to the named process).

 

Any ideas on what I may be doing wrong?

 

BIG-IP DNS
design
dns
views
views configuration

8 Replies

Sort By
  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus
    Feb 28, 2016

    Nice one John works great, changing the internal listener (ACLs) and the view list did the trick indeed! If I do a netstat -an | grep 127.10 I see that the Big IP is listening internally for DNS requests on 127.10.0.0 and 127.10.0.1 and also 127.0.0.1.

    Darren if I change both ACL to the same IP 127.0.0.0 than I am not able to access the zones anymore, so it seems it is needed to have two listeners. I believe these are only for ACL functionality internally within BIND, because the real listener in the named conf is 127.0.0.1

    listen-on port 53 {
    127.0.0.1;
    "zrd-acl-000-001";
    "zrd-acl-000-000";
};

listen-on-v6 port 53 {
    ::1;
};

acl "zrd-acl-000-000" {
127.10.0.0;
};

acl "zrd-acl-000-001" {
127.10.0.1;
};


[root@F5:Active:In Sync] namedb  netstat -an | grep :53
tcp        0      0 **127.10.0.1:53**               0.0.0.0:*                   LISTEN
tcp        0      0 **127.10.0.0:53**               0.0.0.0:*                   LISTEN
tcp        0      0 **127.0.0.1:53**                0.0.0.0:*                   LISTEN
tcp        0      0 ::1:53                          :::*                        LISTEN
udp        0      0 **127.10.0.1:53**               0.0.0.0:*
udp        0      0 **127.10.0.0:53**               0.0.0.0:*
udp        0      0 **127.0.0.1:53**                0.0.0.0:*
udp        0      0 ::1:53                          :::*
udp        0      0 ::1:5353                        :::*
  • John_Heyer_1508's avatar
    John_Heyer_1508
    Icon for Cirrostratus rankCirrostratus
    Dec 11, 2014

    I was able to get this working finally, but there are a few tricks to doing so. Namely, the GTM always takes the first view match if the source IP is allowed, so "internal" needs to be listed ahead of "external" in DNS -> Zones -> ZoneRunner -> View List.

    The other gotcha is each view has its own loopback IP address. This IP will be 127.10.0.X, so be sure to include that IP by itself for each view, otherwise the GTM will not be able to query itself. Here's what the named.conf file would look like when all said and done:

    acl "zrd-acl-000-001" {
    127.10.0.1;
};
acl "zrd-acl-000-002" {
    127.10.0.2;
};
acl "rfc_1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};
view "internal" {
    match-clients {
        "zrd-acl-000-001";
        "rfc_1918";
    };
    allow-transfer {
        "zrd-acl-000-001";
    };
};
view "external" {
    match-clients {
        "zrd-acl-000-002";
        "any";
    };
    allow-transfer {
        "zrd-acl-000-002";
    };        
};
    • Marvin's avatar
      Marvin
      Icon for Cirrocumulus rankCirrocumulus
      Feb 28, 2016
      Nice one John works great, changing the internal listener (ACLs) and the view list did the trick indeed! If I do a netstat -an | grep 127.10 I see that the Big IP is listening internally for DNS requests on 127.10.0.0 and 127.10.0.1 and also 127.0.0.1. @Darren if I change both ACL to the same IP 127.0.0.0 than I am not able to access the zones anymore, so it seems it is needed to have two listeners. I believe these are only for ACL functionality internally within BIND, because the real listener in the named conf is 127.0.0.1 listen-on port 53 { 127.0.0.1; "zrd-acl-000-001"; "zrd-acl-000-000"; }; listen-on-v6 port 53 { ::1; }; acl "zrd-acl-000-000" { 127.10.0.0; }; acl "zrd-acl-000-001" { 127.10.0.1; };
    • darren_19980's avatar
      darren_19980
      Icon for Nimbostratus rankNimbostratus
      Jul 14, 2015
      John, it is possible to use the same loopback IP for both internal and external view? and where did you define those loopback IPs?
  • John_Heyer_1508's avatar
    John_Heyer_1508
    Icon for Cirrostratus rankCirrostratus
    Sep 30, 2014

    Were you ever able to find a solution? I created a view called 'internal' with 'match-clients' and 'allow-transfer' both set to 'any'. But when attempting to view the RRs I get 01150b21:3: RCODE returned from query: 'NOTAUTH'

     

    Changing the view to 'external' and everything behaves exactly as configured.

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jul 02, 2014

    My only other thought would be file permissions which you say you've verified. Anything under /var/named should be owned by named. From bash, if you run 'ls -lR', do you see anything not owned by named?

     

  • MetaGawd_156909's avatar
    MetaGawd_156909
    Icon for Nimbostratus rankNimbostratus
    Jul 02, 2014

    Thanks for your reply Cory.

     

    I can confirm that the behavior happens whether or not the Create Reverse record box is checked (and if there is a reverse zone present or not).

     

    In regards to the latter, I did add an ACL for the internal view to the named.conf. I've tried this with and without that ACL in place, and the issue continues. I opened a support case; just waiting to hear back from the engineer.

     

    Thanks again!

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jul 02, 2014

    The 'Zone not authoritative during update' message could be because you have the 'Create Reverse Record' checkbox enabled and the reverse zone isn't authoritative (or even created) within ZoneRunner.

     

    It sounds like the NOTAUTH issue could be related to permissions within named.conf. Have you changed any controls or ACLs within your named.conf file?