Forum Discussion

Caio_178191
Aug 17, 2015

GTM issue - connection refused

Hi.

I'm working with GTM v11.5.2 HF1. I'm having a strange problem that I would like to know your comments about.

The topology is:

Workstation -> GTM -> Link Controller -> DNS Server (Authoritative)

If I make a DNS query from the workstation directly to the Link Controller, it returns the IP address as I expect.

If I make a DNS query from the workstation to the GTM, it gives me query refused.

How is the GTM configured?

I created a forward zone (teste.com) with the Link Controller IP address. Recursion is on in the named configuration, and "Set recursion" is also enabled in the GTM settings.

If I make the query from the shell on the GTM (using the listener IP address), the query returns the IP address and I can see communication between the GTM and the Link Controller using tcpdump.

If I make the query from the workstation to the GTM (using the listener IP address), it gives me QUERY REFUSED and I CAN'T see communication between the GTM and the Link Controller using tcpdump. I also did a tcpdump between the workstation and the GTM: the GTM refuses the query without checking the Link Controller.

Please help. Any comments? Tips? Have you seen this before?

Regards.

3 Replies

  • Problem solved.

    You must put an ACL in the named configuration.

    Here is the default named configuration in GTM with recursion deactivated.

    Code
    // restrict rndc access to local machines
    // use the key in the default place: /config/rndc.key
    
    controls {
        inet 127.0.0.1 port 953 allow {
            127.0.0.1;
        };
    };
    
    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default {
            logfile;
        };
        category config {
            logfile;
        };
        category notify {
            logfile;
        };
    };
    
    options {
        listen-on port 53 {
            127.0.0.1;
            "zrd-acl-000-000";
        };
        listen-on-v6 port 53 {
            ::1;
        };
        recursion no;
        directory "/config/namedb";
        allow-transfer {
            localhost;
        };
        check-names master warn;
    
        check-integrity yes;
        max-journal-size 1M;
        version "none";
    };
    
    acl "zrd-acl-000-000" {
     127.10.0.0;
    };
    
    Code

    To activate the recursion, we should change the "no" to "yes" in the line "recursion no". But besides that, we need to add an acl. So, our code will be:

     

    Code
    restrict rndc access to local machines
    use the key in the default place: /config/rndc.key
    
    controls {
        inet 127.0.0.1 port 953 allow {
            127.0.0.1;
        };
    };
    
    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default {
            logfile;
        };
        category config {
            logfile;
        };
        category notify {
            logfile;
        };
    };
    
    options {
        listen-on port 53 {
            127.0.0.1;
            "zrd-acl-000-000";
        };
        listen-on-v6 port 53 {
            ::1;
        };
        recursion yes;
        directory "/config/namedb";
        allow-transfer {
            localhost;
        };
        check-names master warn;
    
        check-integrity yes;
        max-journal-size 1M;
        version "none";
        allow-recursion {
          internal;
        };
    };
    
    acl "zrd-acl-000-000" {
     127.10.0.0;
    };
    acl "internal" {
      0.0.0.0/0;
    };
    
    Code

    After this configuration, the system starts to accept recursive querys.
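Added as an example, not part of the reply above: the reply's `acl "internal" { 0.0.0.0/0; }` grants recursion to every address that can reach the listener, which makes the GTM an open resolver; the fragment below keeps `recursion yes` but limits it to the client networks. The 10.198.105.0/24 prefix and the Link Controller address 192.0.2.10 are placeholders, and the forward zone is assumed to match the teste.com zone the question describes.

```conf
// Weak (as posted in the reply): any address that can reach the listener may recurse.
//   acl "internal" {
//       0.0.0.0/0;
//   };

// Hardened: enumerate the client networks. 10.198.105.0/24 is a placeholder
// for the workstation subnet; add further prefixes as needed.
acl "internal" {
    127.0.0.1;
    10.198.105.0/24;
};

options {
    // Keep the other options from the reply; only the recursion-related
    // statements are shown here.
    recursion yes;
    allow-recursion {
        internal;
    };
    // Cached answers should be limited to the same clients, otherwise
    // any other source can still query records the internal clients resolved.
    allow-query-cache {
        internal;
    };
};

// Forward zone pointing at the Link Controller (192.0.2.10 is a placeholder address).
zone "teste.com" {
    type forward;
    forward only;
    forwarders {
        192.0.2.10;
    };
};
```

Validate the file with `named-checkconf` before reloading, assuming the BIND utilities are present on the box; a recursive `dig` from a host outside the listed prefixes should then return REFUSED while the workstation gets an answer.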

     

  • When we set recursion yes; and the ACL, sometimes GTM will respond with source IP 127.0.0.1 to the client:
    10233.748891740 127.0.0.1 10.198.105.41 DNS 84 Standard query response 0x3fb7 Server failure
    Do you know why?

    • boneyard

      I would start a new thread and add some info, for example a packet capture or dig output.