Changing ZoneRunner NOTIFY Source Address

Question

Hi There,&nbsp;
I'm attempting to setup an external name server as a secondary slave, and cannot see how to change the source address when the zone sends it's NOTIFY to the secondary server from a SelfIP to a SNAT address..&nbsp;
This system is running 11.6 HF4 with LTM and GTM, although we're only using GTM so serve zones using the Zonerunner at the moment.&nbsp;
The virtual servers for both UDP and TCP are using SNAT addresses, but the SelfIP of the F5 is always used for NOTIFYs. I've tried using an iRule to force a SNAT IP when the NOTIFY opcode is seen in the DNS header, however the opcode is never notify. I've used another iRule to binary scan the UDP contents to confirm this so I'm not sure how the transfers work at all (when setup in a lab). Perhaps the iRule is not dumping locally generated traffic, and the NOTIFY is generated locally/not via the virtual server.&nbsp;
I've also verified that via TCP dump that notify is seen in the packet.&nbsp;
We need to force the use of the SNAT address so the secondary server can allow the transfer, as the secondary server is an external vendor and won't allow us to add more than one IP address.&nbsp;
I've been told that the NOTIFY opcode is not used, and the type will always be a query. I don't think this is correct based on section 3.1 of RFC1996 but perhaps I'm failing to read.&nbsp;
Hoping somebody can shed some light on this.&nbsp;
Thank you.&nbsp;

vernonwells · Answer

I assume you wish to change the source address for NOTIFYs that originate from the BIG-IP.  If that's the case, you likely can do this by changing the notify-source parameter in the named.conf:&nbsp;
http://www.zytrax.com/books/dns/ch7/xfer.htmlnotify-sourcehttps://support.f5.com/kb/en-us/solutions/public/6000/900/sol6963.html

antonioc74_2977 · Answer

I saw this post and tried using the notify-source parameter in the named.conf, but that didn't work. Has anyone managed to find a solution?&nbsp;

dm706_346160 · Answer

Hey guys/gals, I know this post is very old... but&nbsp;
I'm having a very similar problem. My ISP provider will not process NOTIFY on one address and perform a zone transfer to another IP.&nbsp;
My specific problem is caused by the egress path used for the NOTIFY is different than the ingress path for the DNS servers. I think this is because NOTIFY messages use Common partition egress and for external DNS listeners I've placed them in an /EXT/ partition. F5 is behind an ASA with NAT to those /EXT/ listeners.&nbsp;
I've been told by a few F5 experts to leave the BIND implementation alone, e.g. don't manually modify its files. Further, antonioc states it doesn't work to add notify-source to the named.conf.&nbsp;
Which means my only option is to change the NAT rule and create new listeners on the self-ips that are also used for egress NOTIFYs.&nbsp;
Any other ideas?&nbsp;

Forum Discussion

Changing ZoneRunner NOTIFY Source Address

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Managing ZoneRunner Resource Records with Bigsuds

Decoding the IPv4 address from the persistence cookie

CSV to Address External Datagroup File

SNAT IP address logging

Change admin account