
BIGIP DNS forwarder

Hello Everyone,

I need small help with dns forwarding on F5 DNS.

At present we have wide ips configured on F5 dns like example: test.abc.com; uat.abc.com etc

Under the zonerunner section it automatically has created the zone for "abc.com", so far so good.

We have a bind linux server which has got some dns A records in the same zone like test123.abc.com etc.

Now I want F5 DNS to reply to the queries for all the wide IPs configured on F5 DNS and simply forward all the requests which are not configured on F5 DNS to BIND. For this I have configured the forwarder and allowed recursion in the named configuration. When I did the nslookup pointing DNS queries to the listener on F5 DNS for test123.abc.com I found that F5 is getting the request but not forwarding it to BIND. In a nutshell I found that F5 DNS won't forward anything to BIND on zone "abc.com", because if I try a DNS query for another domain like www.google.com it forwards the request to BIND, and I think the reason is because F5 has some wide IPs in the zone abc.com it considers itself the master of that zone; at least this is what I see under the ZoneRunner configuration.

I tried to create the forwarding DNS using a wildcard like *.abc.com, but F5 won't let me do that.

We have a Cisco GSS at one of the sites which does exactly the same thing, and forwards the requests for a wildcard domain *.abc.com to the BINDs.

Can anyone suggest how I can do this on F5? Any suggestions would be appreciated.

Thanks, Pankaj

Comments on this Question
Comment made 02-Aug-2017 by PPawar 168

Anyone ??

Comment made 02-Aug-2017 by cjunior 1819

Hello,
Sorry for the questions,
What is the configuration of the DNS profile attached to the listener?
Is this not a case for a record delegation?
Respectfully

Comment made 02-Aug-2017 by PPawar 168

Thanks for the reply cjunior.

But what does the DNS listener have to do with this? Also, can I delegate the zone to the external BIND, for which as per ZoneRunner my F5 DNS is the authoritative server? All I want is to forward all DNS traffic from F5 to the external BIND server if the A record is not configured on F5.

As I mentioned in the previous post, we have a GSS doing the same thing and passing *.test.com to the BIND server.

Sorry for my ignorance on this topic, as by no means am I an expert on this.

Any help with the example will be appreciated.

Thanks, Pankaj

Comment made 02-Aug-2017 by cjunior 1819

No problem, I asked because the listener can drop "Unhandled Query Actions" and disable "Use BIND Server on BIG-IP."
Regards.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can configure your external BIND server with F5 DNS Express. So then you can take full advantage of the BIG-IP platform and maintain your BIND environment. Don't forget to set your DNS profile properly.

Please take a look at the following great articles to understand how DNS Express can help you:

Lightboard Lessons: DNS Express

DNS Express and Zone Transfers

v11: DNS Express – Part 1

Comments on this Answer
Comment made 03-Aug-2017 by PPawar 168

Thanks Pedro,

DNS Express is something we want to do at some later stage. At the moment I just want to forward the *. wildcard zone to the external non-F5 BIND; is there any way it can be done?

Thanks, Pankaj

Comment made 03-Aug-2017 by Pedro Haoa

OK.

You can do the following to load balance (forward) DNS queries that do not match your Wide IPs to the BIND server:

1. Create a Monitor with a Query and Receive String for your external BIND:

(tmos)# create /ltm monitor dns dns_monitor qname www.devcentral.test recv 172.20.30.100

2. Create a Pool with at least one Pool Member (IP and port of your external BIND):

(tmos)# create /ltm pool dns_pool members add {172.20.30.1:53 172.20.30.2:53 172.20.30.3:53} monitor dns_monitor

3. Modify the Listener to support Load Balancing (forward) queries

(tmos)# modify /gtm listener dns_X_listener pool dns_pool translate-address enabled

4. Save your configuration:

(tmos)# save /sys config

5. Use dig to test your listener:

dig @200.100.50.X www.devcentral.test

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Good day, this question seems to be coming up a lot lately. I tried this on my DNS system and it worked for me. Can you give this a try?

1. Log into Gui
2. Select the zone "abc.com."
3. Select 'Resource Records'
4. Click the 'Create' button to add the glue 'A' RR for the delegation server.
5. Adjust the 'Record Configuration' values

    a. 'Name' should be set to the name of the DNS server authoritative for test123.abc.com

        NOTE: This should be the FQDN of the host

        ex. ns1.test123.abc.com.

    b. 'TTL' should be set to a reasonable value, say '500'
    c. Set 'Type' to 'A'
    d. Set 'IP Address' to the remote DNS server
    e. Click 'Finished' button

6. Click the 'Create' button to add the 'NS' RR for the delegation server.
7. Adjust the 'Record Configuration' values

    a. 'Name' should be set to the name of the delegated domain, "test123.abc.com."

        NOTE: Make sure this is the domain, not the host

    b. 'TTL' should be set to a reasonable value, say '500'
    c. Set 'Type' to 'NS'
    d. Set 'Nameserver' to the name used in step 7 above.

        ex. ns1.test123.abc.com.

    e. Click 'Finished' button

8. Query the GTM listener for a resource record known only by the delegated DNS server, say test1.test123.abc.com.

9. Enable recursion if you want the local BIND server to do all the work.  Disable recursion if you want the local BIND to only return the referral.

Hope you find this helpful.

Comments on this Answer
Comment made 03-Aug-2017 by Kevin.K

One more item: My BIG-IP DNS is 10.12.23.120 and my remote Linux DNS server is 10.12.23.27. Record setup looks like:

abc.com.                external        abc.com.        11      NS      ltm1.abc.com.
abc.com.                external        abc.com.        11      SOA     ltm1.abc.com.
ltm1.abc.com.           external        abc.com.        11      A       10.12.23.120
ns1.test.abc.com.       external        abc.com.        11      A       10.12.23.27
test.abc.com.           external        abc.com.        11      NS      ns1.test.abc.com.
Comment made 03-Aug-2017 by PPawar 168

Thank you very much guys. I will give this a go and will let you all know the outcome.

Thanks, Pankaj

Comment made 04-Aug-2017 by PPawar 168

Hello Kevin,

I tried this and it's kind of working, but this is not what I would desire; please correct me if I am doing something wrong.

  1. Selected the already created zone from wide ip, zone was "abc.com."
  2. Under the Resource Record tab created the record configuration as below:

Name : ns1.abc.com ( name of the bind server ) TTL : 500 Type : A, then clicked on finished.

  3. Under the same tab, created record configuration as below

Name : as you said it should be the name of the delegated domain, which is abc.com

TTL : 500

Type : NS

Nameserver : ns1.abc.com

Now as soon as I click on finished, F5 throws an error and it won't let me use the domain name "abc.com."

Now if I put the host name like uat.abc.com ( this is the host A record already configured on the external bind ) then it works, which means if I have 100 records in the binds then I have to create 100 NS records in F5, which doesn't look correct to me.

In our scenario we have configured wide ips on F5 only for those services which require DNS load balancing and which are on the abc.com domain.

The services which do not require DNS load balancing are configured on the binds, which are also on the same domain, abc.com.

So my idea was to pass all the non-GSLB DNS queries which are not on F5 to the binds by simply doing *.abc.com and forwarding it to bind.

Thanks, Pankaj

Comment made 04-Aug-2017 by Kevin.K

Hi Pankaj, sorry for misunderstanding your question. I tested Pedro's recommendation above and it worked for me. This seems like what you want to do. If you prefer the UI to the command line, here are the steps:

Log in to UI.
Navigate to Local Traffic > Pools > Pool List
Click Create
Add UDP monitor
Add New Members using IP address and port of the DNS server(s)
Click Finished.

Navigate to DNS > Listener
Select Listener
Change Listener: drop-down from Basic to Advanced
Check Address Translation
You may need SNAT automap depending on your routing config.
Click Load Balancing tab at the top.
From Default Pool drop-down select your pool.
Click update

All of the non Wide-IP requests for the domain will be sent to the DNS server.

Hope this works for you!

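To make the two approaches in this thread concrete, here is an added Python model (my own illustration, not F5 code) of how a listener decides where a query goes: a Wide IP match is answered by GSLB, a name under a delegated sub-zone (Kevin's NS + glue approach) gets a referral, or is chased by the local BIND when recursion is on, and everything else is an "unhandled query" that the DNS profile's Unhandled Query Action either drops, rejects, answers empty, or allows on to the local BIND or to the listener's default pool (Pedro's approach). The processing order, the pool member health states, the 192.0.2.x Wide IP addresses and the wire-format helpers are assumptions constructed for the example; the 172.20.30.x members, the 10.12.23.27 glue address and the test123.abc.com delegation are taken from the question and answers above.

```python
"""Model of a BIG-IP DNS listener's query dispatch (constructed illustration, not F5 code).

Assumed order: Wide IP (GSLB) match -> delegation in local zone data ->
Unhandled Query Action -> local BIND or the listener's default pool.
"""
import struct
from dataclasses import dataclass

# Constructed configuration echoing the thread (192.0.2.x is RFC 5737 documentation space).
WIDE_IPS = {"test.abc.com": "192.0.2.10", "uat.abc.com": "192.0.2.11"}
# Delegated sub-zone: NS name and its glue A record (Kevin's approach, with Pankaj's names).
DELEGATIONS = {"test123.abc.com": ("ns1.test123.abc.com", "10.12.23.27")}
# Default pool of external BIND servers (Pedro's approach); monitor state is constructed.
POOL = ["172.20.30.1:53", "172.20.30.2:53", "172.20.30.3:53"]
MONITOR_UP = {"172.20.30.1:53": True, "172.20.30.2:53": False, "172.20.30.3:53": True}


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Encode a minimal DNS query in wire format (RFC 1035 section 4.1)."""
    flags = 0x0100 if rd else 0x0000                      # RD bit only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet):
    """Decode header and question; returns (txid, rd, qname, qtype). Names are lower-cased."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                                 # a question name is never compressed
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, bool(flags & 0x0100), ".".join(labels), qtype


@dataclass
class Decision:
    stage: str        # gslb | referral | recurse | pool | local-bind | drop | reject | noerror
    detail: str = ""  # answer address, referral target, pool member, or rcode


class Listener:
    def __init__(self, unhandled_action="allow", use_local_bind=False, recursion=False):
        self.unhandled_action = unhandled_action   # allow | drop | reject | noerror
        self.use_local_bind = use_local_bind       # "Use BIND Server on BIG-IP"
        self.recursion = recursion                 # recursion in the local named.conf
        self._rr = 0                               # round-robin cursor for the pool

    def _next_member(self):
        """Round-robin over members the monitor currently marks up."""
        up = [m for m in POOL if MONITOR_UP.get(m)]
        if not up:
            return None
        member = up[self._rr % len(up)]
        self._rr += 1
        return member

    def dispatch(self, packet):
        _txid, rd, qname, qtype = parse_query(packet)
        if qtype == 1 and qname in WIDE_IPS:              # 1) GSLB answers the Wide IP itself
            return Decision("gslb", WIDE_IPS[qname])
        parts = qname.split(".")                          # 2) longest-suffix delegation match
        for i in range(len(parts)):
            zone = ".".join(parts[i:])
            if zone in DELEGATIONS:
                ns, glue = DELEGATIONS[zone]
                if self.recursion and rd:
                    return Decision("recurse", glue)      # local BIND chases the referral
                return Decision("referral", f"{zone} NS {ns} ({glue})")
        if self.unhandled_action == "drop":               # 3) Unhandled Query Action
            return Decision("drop")
        if self.unhandled_action == "reject":
            return Decision("reject", "REFUSED")
        if self.unhandled_action == "noerror":
            return Decision("noerror", "empty answer")
        if self.use_local_bind:                           # 4) allow: local named (forwarders apply)
            return Decision("local-bind", "named on BIG-IP")
        member = self._next_member()                      #    otherwise the listener's default pool
        return Decision("pool", member) if member else Decision("reject", "SERVFAIL: no member up")


if __name__ == "__main__":
    listener = Listener()
    for name in ("test.abc.com", "www.abc.com", "test1.test123.abc.com", "www.google.com"):
        print(f"{name:24} -> {listener.dispatch(build_query(name))}")
```

Running the block shows that www.abc.com, which is not a Wide IP, lands on an up pool member instead of being answered from the abc.com zone the Wide IPs live in, which is the behaviour Pankaj was after. One caveat a practitioner should keep in view: a listener whose unhandled action is Allow, backed by a recursive BIND, answers for any name it is asked, so if that listener is reachable from untrusted networks it behaves as an open resolver; restrict the listener address or the sources it accepts, or use Reject for names outside your own zones.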
Comment made 05-Aug-2017 by PPawar 168

Thanks Kevin/Pedro.

This is working like expected.

I will throw some more tests at it, but I am certain that this configuration is working.

Thanks a lot for your time.

Thanks, Pankaj

Comment made 06-Aug-2017 by Kevin.K

That's great news, thanks for letting us know Pankaj!

Comment made 4 months ago by IRONMAN 196

Kevin,

By adding the external DNS server pool to the listeners, is it a DNS forwarder, which would be configured in ZoneRunner under the named configuration?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

recursion yes; forwarders { 8.8.8.8; };
