f5user_108265
Jul 18, 2008

GTM iRule defining external DNS server

Hi everybody,

I am facing the following problem. I would like to force the GTM to query an internal (accessible only by the BIG-IP on the private side) DNS server if the DNS record cannot be found on the GTM/ZoneRunner level.

Imagine the following: GTM is managing the company.com domain. There are 4 wide IPs defined within it: a.company.com, b.company.com, c.company.com and d.company.com. Currently, if a DNS query for e.company.com arrives, GTM will respond with an answer saying that it failed to resolve the name. However, what I would like to do is to configure GTM so that before it sends the failed message, it will forward the DNS query to the internal DNS server for resolution. If the server is aware of the e.company.com record it should send it back to GTM and eventually the client. Otherwise, GTM should respond that it could not resolve the name.

Is this doable on the BIG-IP and GTM Wide IP rules? If so, could you tell me how to achieve this? My understanding is that it would require one to enable the recursion on the BIG-IP, as well as define an iRule with the use of "when LB_FAILED". Am I right?

Thanks,

ALeu

8 Replies

  • Yes, you would enable recursion (beware, note the CERT VU800113 published a couple of weeks ago) and set up forwarders in your bind configuration (GTM->ZoneRunner->Named Configuration)

      options {
          forward only;
          forwarders {
              // BIND takes IP addresses here, not host names;
              // 192.0.2.x are placeholders for the internal servers
              192.0.2.1;    // ns1.internal.company.com
              192.0.2.2;    // ns2.internal.company.com
          };
          recursion yes;
      };

    You don't need an iRule for this to work, but you could write one to only forward valid requests, which would require you to list in the rule each request not handled by the GTM that your internal servers would have an answer for. The need for this would depend on your business (and security) rules.
  • Posted By citizen_elah on 07/21/2008 5:42 AM

    Yes, you would enable recursion (beware, note the CERT VU800113 published a couple of weeks ago) and set up forwarders in your bind configuration (GTM->ZoneRunner->Named Configuration)

       options {
           forward only;
           forwarders {
               // BIND takes IP addresses here, not host names;
               // 192.0.2.x are placeholders for the internal servers
               192.0.2.1;    // ns1.internal.company.com
               192.0.2.2;    // ns2.internal.company.com
           };
           recursion yes;
       };

    Hmm, is it possible to configure something like this on the zone level? I am trying to accomplish this by entering the following code within the zone options field:

     type forward;
     forwarders {
         // BIND takes IP addresses here, not host names; 192.0.2.x are placeholders
         192.0.2.1;    // internal.dns.server1.com
         192.0.2.2;    // internal.dns.server2.com
     };

    and of course enabling recursion in the named.conf file:

     recursion yes;

    Unfortunately, my BIG-IP does not seem to like the "type forward;" statement. When I click on the update button nothing happens (the IE progress bar keeps running until the page times out.)
  • The forwarders in the named options section are your name servers, not the zones. You can forward by zone instead of globally. This must be set up in each zone's configuration:

     zone "internal.company.com" in {
         type forward;
         // a forward zone takes "forwarders" (IP addresses), not "masters";
         // 192.0.2.x are placeholders for ns1/ns2.internal.company.com
         forwarders { 192.0.2.1; 192.0.2.2; };
     };

    If you're going to be doing much work with DNS, I highly recommend the O'Reilly DNS & BIND book (latest edition).

  • Posted By citizen_elah on 07/21/2008 6:51 AM

    The forwarders in the named options section are your name servers, not the zones. You can forward by zone instead of globally. This must be set up in each zone's configuration:

    I am not sure whether I understood you correctly and yes, as you can see, I am not a DNS expert. Would you mind telling me what should be entered in the company.com zone and named.conf options fields to make it work so that queries for a company.com domain will be forwarded to the internal y.y.y.y DNS server for resolution? As I have mentioned earlier, I would like to configure the forwarding behavior only for the particular domain, unlike the author of this thread.

    Thanks
  • In your case, enable recursion in the options section and just create the zones you want to forward as shown below:

     options {
       recursion yes;
     };
     zone "company.com" {
       type forward;
       forwarders { y.y.y.y; };
       forward only;
     };
  • I guess I should ask if the clients in this case are desktops or other name servers. If other name servers, recursion can be disabled.
  • Posted By citizen_elah on 07/21/2008 8:00 AM

    I guess I should ask if the clients in this case are desktops or other name servers. If other name servers, recursion can be disabled.

    The clients will be desktops in my case. Unfortunately, the moment I enter the "type forward;" line and click on the update button, my BIG-IP GUI hangs.
  • I noticed that behavior in 9.2.3, but it works fine in versions 9.2.4 and 9.4.3.
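Added example, not code from this thread, F5 or ISC: a small Python checker that parses named.conf-style fragments like the ones posted above and flags the pitfalls the replies work through (a forward zone written with "masters" instead of "forwarders", forwarders given as host names rather than IP addresses, and forward zones configured with recursion left off). The two sample configs and the 192.0.2.x addresses are constructed for the example.

```python
import ipaddress
import re

def parse(text):  # BIND-style `name args { ... };` -> list of (name, args, children)
    toks = re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text) + ['}']   # '}' = end sentinel
    pos = 0
    def block():
        nonlocal pos
        items = []
        while toks[pos] != '}':
            words, kids = [], None
            while toks[pos] not in ('{', ';', '}'):
                words.append(toks[pos].strip('"'))
                pos += 1
            if toks[pos] == '{':
                pos += 1
                kids = block()
                pos += 1                      # consume the closing '}'
            if toks[pos] == ';':
                pos += 1                      # consume the statement terminator
            if words:
                items.append((words[0], words[1:], kids))
        return items
    return block()

def audit(text):
    """Return the findings for a named.conf fragment; an empty list means clean."""
    findings, recursion, forward_zones = [], False, 0
    for name, args, kids in parse(text):
        kid = {k[0]: (k[1], k[2]) for k in (kids or [])}   # child name -> (args, children)
        if name == 'options':
            recursion = kid.get('recursion', ([], None))[0] == ['yes']
        elif name == 'zone' and kid.get('type', ([], None))[0] == ['forward']:
            zone, forward_zones = args[0], forward_zones + 1
            if 'masters' in kid:                              # the mistake made in the thread
                findings.append(f'zone {zone}: forward zones take "forwarders", not "masters"')
            for s, _, _ in kid.get('forwarders', ([], None))[1] or []:
                try:                                          # BIND wants addresses here
                    ipaddress.ip_address(s)
                except ValueError:
                    findings.append(f'zone {zone}: forwarder "{s}" is not an IP address')
    if forward_zones and not recursion:
        findings.append('options: forward zones only act on recursive queries; set "recursion yes"')
    return findings

# Constructed samples (not from the thread): the per-zone mistake vs. the working form.
BROKEN = ('options { forward only; };\n'
          'zone "internal.company.com" in { type forward; forwarders { ns1.internal.company.com; }; };')
FIXED = ('options { recursion yes; };\n'
         'zone "company.com" { type forward; forwarders { 192.0.2.53; }; forward only; };')
```

Running `audit(BROKEN)` reports the host-name forwarder and the missing recursion, while `audit(FIXED)` returns an empty list.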