
Local Pool of DNS under Listener not working as expected

We are configuring the GTM to work as a proxy. So, in case no Wide IP is matched by the DNS query, it should forward the DNS query to a local pool of DNS servers. I have configured the local pool of DNS servers and associated it under the listener as the default pool. However, the requests are coming to the listener but maybe not forwarded to the DNS servers. I can see from statistics on GTM that there are IN packets coming to the listener and pool, but there are no OUT packets.

Any idea why this is happening?!

I have verified the connectivity between listener and DNS servers and they are on the same subnet.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

I suppose that you set a DNS profile.

Can you validate that in this DNS profile you set the setting "Unhandled Query Actions" to "Allow":

Allow: The BIG-IP system forwards queries to a DNS server or pool member. If a pool is not associated with a listener and the Use BIND Server on BIG-IP setting is set to Enabled, requests are forwarded to the local BIND server.

regards

Comments on this Answer
Comment made 1 month ago by sameh atef 358

It's already set on "Allow".

Comment made 1 month ago by sameh atef 358


As you see here, requests are coming to the listener but apparently not forwarded to the DNS servers, although they are in the same subnet as the listener.

Comment made 1 month ago by youssef 3608

If requests are not coming out, it means that the request was managed by another option; you can see Overview of DNS query processing on BIG-IP systems:

https://support.f5.com/csp/article/K14510

Is it possible to send us your DNS profile configuration (screenshot)?

You don't use DNS BIND? If so, can you disable "Use BIND Server on BIG-IP"?

Regards,

Comment made 1 month ago by sameh atef 358


Everything is disabled except for these 3 options: GSLB, Unhandled Query Actions, Process Recursion Desired.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Sameh,

Could it be an asymmetric routing issue?

Depending on your network configuration you may have to enable SNAT automap on the VS to allow the DNS server to route packets back to your F5.

If this does not work out, then make sure the DNS server is receiving the DNS request (e.g. pcap on your DNS servers).

Cheers, Kai

Comments on this Answer
Comment made 1 month ago by sameh atef 358

Listener and DNS servers are in the same subnet. I don't have permission to do this packet capture on the DNS server as it's in production, and there is no Wireshark on this server.

Comment made 1 month ago by Kai Wilke 6957

Hi Sameh,

The SNAT automap is required to hide the original source address of the DNS client. If SNAT automap is disabled, the DNS server will see the original client IP address as the originator of the DNS request, and will start to respond directly to them. This will only work if the default gateway of your DNS server is pointing to your F5 and if the DNS client is not on the same subnet as the DNS server. In any other case you have to enable SNAT automap...

As I already said, if this change does not work out you have to find a way to capture the traffic on your DNS server side (e.g. either pcap on the host directly or create a SPAN/Mirror port on your switches). If both solutions are not possible, you will be more or less in a dead end...

Cheers, Kai

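As an added diagnostic for the asymmetric-return case Kai describes (example code, not part of the thread): this Python probe sends a query for a name that no Wide IP matches and reports whether the reply came back through the listener or directly from a pool member, which a normal resolver on a connected socket would silently drop and report as a timeout. The listener address and query name are constructed placeholders.

```python
import socket
import struct

# Constructed placeholders for this example: replace with your own values.
LISTENER_IP = "192.0.2.53"                # hypothetical GTM listener address
QUERY_NAME = "not-a-wideip.example.test"  # a name no Wide IP matches


def build_query(name, qid):
    """Build a minimal DNS/UDP query (A record, IN class) with the RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def classify_reply(listener_ip, reply_addr, reply, qid):
    """Interpret a reply (or its absence) in terms of the forwarding path."""
    if reply is None:
        return "timeout: listener forwarded nothing or the reply never reached us"
    if len(reply) < 12:
        return "malformed: reply shorter than a DNS header"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:
        return "ignored: not a response to our query id"
    if reply_addr[0] != listener_ip:
        # The pool member answered the client directly instead of via the BIG-IP:
        # the return path bypasses the listener, so SNAT automap is needed.
        return "asymmetric: reply from %s, enable SNAT automap on the listener" % reply_addr[0]
    rcode = flags & 0x000F
    return "ok: rcode=%d answers=%d via listener" % (rcode, ancount)


def probe(listener_ip=LISTENER_IP, name=QUERY_NAME, qid=0x1234, timeout=3.0):
    """Send one query and accept a reply from any source (unconnected UDP socket)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, qid), (listener_ip, 53))
    try:
        reply, addr = sock.recvfrom(512)
    except socket.timeout:
        reply, addr = None, None
    finally:
        sock.close()
    return classify_reply(listener_ip, addr, reply, qid)


if __name__ == "__main__":
    print(probe())
```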