We use GTMs internally for GSLB services - however, we don't use them for general purpose DNS. Instead, we allow our internal DNS servers to recursively resolve the references to GTM-hosted zone records/wide IPs, so that the clients never directly execute DNS requests against the GTMs. (we understand and accept that this limits us to not using latency or client source IP geo for wide IP conditioning).
We would like to employ the same strategy for our public DNS records. However, we don't want to turn recursion on for our public name servers, because of the risk of DoS attacks.
Has anyone successfully configured DNS services to accomplish this goal - having public internet DNS clients only send requests to the standard, non-GTM DNS servers, but have those servers accomplish the same goal as recursively responding, without turning on recursion in general for the DNS server?
If you want to use standard DNS as the first option to resolve (BIG-IP DNS later), without turning on recursion, you could try DNS delegation: K277: Delegating a subdomain to a BIG-IP DNS or BIG-IP Link Controller system from another DNS server
I hope this helps.
Pedro, with recursion on in the primary DNS server's config, that works (it's what we do for our internal clients) ... but without recursion, the CNAMEs return the canonical name (and the GTM hostnames as the authoritative name servers) to the clients, and the clients then have to directly query the GTMs to get resolution of the wide IP. That's what we're trying to avoid - we want the recursive behavior without turning on recursion (because on the public internet, that's bad).
I'm asking our DNS vendor about a stub zone or forward zone now.
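To make the delegation Pedro points at (K277) and the stub/forward zone the poster is asking the vendor about concrete, here is an added example (not from the thread and not from F5's article) of the BIND 9 side of that setup on the public name servers. The names (example.com, gslb.example.com, gtm1/gtm2) and addresses (198.51.100.x, 203.0.113.x, documentation ranges) are assumed. The comments carry the caveat that matters for this thread: a stub zone only holds the delegation's SOA/NS/glue, and BIND services forward zones through its recursive resolver, so with `recursion no` neither option makes the public server answer the wide IP on the client's behalf; the client still gets a referral to the listeners.

```bind
; --- db.example.com : authoritative zone served by the public name servers ---
$ORIGIN example.com.
$TTL 300
@       IN  SOA ns1.example.com. hostmaster.example.com. (
            2024010101 ; serial (assumed)
            3600       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; negative-cache TTL
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.
ns1     IN  A   198.51.100.10
ns2     IN  A   198.51.100.11

; Delegate the GSLB subdomain to the BIG-IP DNS listeners (what K277 describes).
; In-zone NS names need glue A records or resolvers cannot reach them.
gslb        IN  NS  gtm1.gslb.example.com.
gslb        IN  NS  gtm2.gslb.example.com.
gtm1.gslb   IN  A   203.0.113.53
gtm2.gslb   IN  A   203.0.113.54

; Public name pointing at a wide IP. With recursion off, a client asking for
; www.example.com gets this CNAME plus the gslb NS/glue in AUTHORITY/ADDITIONAL
; and has to query the listeners itself for www.gslb.example.com (the
; behaviour the reply above describes).
www     IN  CNAME www.gslb.example.com.

// --- named.conf excerpt on the same public servers ---
options {
    recursion no;               // never an open resolver for the Internet
    allow-query { any; };
    minimal-responses yes;
};

zone "example.com" {
    type master;
    file "db.example.com";
};

// Option A: stub zone. Only SOA/NS/glue for gslb are pulled from the
// listeners; answers for www.gslb.example.com are still referrals.
zone "gslb.example.com" {
    type stub;
    masters { 203.0.113.53; 203.0.113.54; };
    file "stub.gslb.example.com";
};

// Option B (commented out; cannot coexist with A for the same name):
// forward zone. BIND forwards from its recursive path, so with
// "recursion no" this zone is not followed for public clients, and
// granting allow-recursion to them recreates the open-resolver exposure.
// zone "gslb.example.com" {
//     type forward;
//     forward only;
//     forwarders { 203.0.113.53; 203.0.113.54; };
// };
```

To see what a public client actually receives, run `dig @ns1.example.com www.example.com A +norecurse` from outside: the ANSWER section carries the CNAME, the AUTHORITY section the gslb NS records and the ADDITIONAL section the glue, but no A record for the wide IP. That is the shape of the problem the rest of the thread solves on the BIG-IP side instead of in BIND.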
I guess you want to restrict DNS recursion.
I hope this SOL can help you:
Enabling DNS recursion in the named configuration on a BIG-IP DNS system
Thank you, Oscarnet, but no, I'm trying to implement such that clients continue to send DNS requests solely to our existing DNS infrastructure, while getting back wide IP results from GTMs, by virtue of our existing DNS servers forwarding the request or otherwise making the DNS request to the GTMs on behalf of the client -- but without having to turn on recursion in the config of our existing DNS servers. We have recursion off on our GTMs, and plan on leaving it that way.
You can create a VS in front of the DNS server and enable the dns-gtm profile (like a GTM listener).
If GTM has a record, it will answer; otherwise it will forward the request to the DNS server.
Stanislas, interesting - can you please go into more detail? I'm not sure if you mean a VS right on the GTM, or on a separate LTM ... and I'm not sure of exactly how you're setting it up so that GTM responds if appropriate, and forwards if not.
Even if you use a dedicated GTM, a GTM listener is not a GTM object but a local traffic virtual server with some required profiles.
If you browse virtual server menu, you can see a virtual server with listener address and port 53.
If the listener virtual server is configured with a pool, non-wide IP requests will be forwarded to the pool members instead of the local BIND service.
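Added example (not from the thread and not from F5 documentation) of the listener-with-pool setup Stanislas describes, written as tmsh commands on the BIG-IP DNS device. The object names, the listener address 203.0.113.53 and the back-end server addresses 10.10.0.11 and 10.10.0.12 are assumed. The DNS profile settings shown (enable-gtm, use-local-bind, unhandled-query-action) are what decide whether a query the GTM does not own goes to local named, to the pool, or is refused; the listener itself only proxies and never resolves, so the public servers behind it stay non-recursive.

```tmsh
# Pool of the existing (non-GTM) public DNS servers that non-wide IP queries
# are proxied to. Addresses assumed; a tcp monitor on port 53 takes a dead
# server out of rotation (use a dns monitor if the servers answer a probe name).
create ltm pool pool_dns_backend {
    members add { 10.10.0.11:53 10.10.0.12:53 }
    monitor tcp
}

# DNS profile: GTM answers the wide IPs it owns; anything else is "allowed"
# through to the virtual server's pool rather than to the local BIND instance.
create ltm profile dns dns_gtm_forward {
    defaults-from dns
    enable-gtm yes
    use-local-bind no
    unhandled-query-action allow
}

# UDP listener. This is an ltm virtual server under the hood, as the reply
# notes; translate-address makes proxied queries land on the pool member.
create gtm listener dns_public_udp {
    address 203.0.113.53
    port 53
    ip-protocol udp
    profiles add { udp_gtm_dns dns_gtm_forward }
    pool pool_dns_backend
    translate-address enabled
}

# TCP listener for truncated/large answers and TCP fallback, same pool.
create gtm listener dns_public_tcp {
    address 203.0.113.53
    port 53
    ip-protocol tcp
    profiles add { tcp dns_gtm_forward }
    pool pool_dns_backend
    translate-address enabled
}

save sys config

# Checks from an outside host (assumed names):
#   dig @203.0.113.53 www.gslb.example.com A    -> answered by GTM (wide IP)
#   dig @203.0.113.53 mail.example.com A        -> proxied to a pool member
#   dig @203.0.113.53 www.example.net A         -> REFUSED / referral from the
#      back end, which still has recursion off: the listener is not an open resolver
```

The third check is the one worth keeping in a monitoring job: because the listener forwards rather than resolves, its exposure is exactly that of the pool members, and a later change that turns recursion on in the back-end BIND would silently turn the public listener into an open resolver.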