Forum Discussion

Govind_32899
Jan 27, 2017

Configure F5 GTM to forward DNS query

I would like to configure F5 GTM to forward DNS queries to a public DNS server for name resolution. We are planning to set the listener IP as the DNS server for resolving names for the client. Should I add a forwarder in the named file and set recursion to yes? What kind of risk does it pose, as we are not using GTM for any internal name resolution as of now? Kindly suggest.

 

allow-recursion { X.X.X.X/24; };
forwarders { 8.8.8.8; };

13 Replies

  • I don't have access today to test a few things in my lab, but I will try to provide some help.

    Starting from the easy part: if the GTM listener is only allowed internally (firewall rules, or a private IP, for example), I don't see any security risk, as the GTM should not be able to receive queries from outside.

    Now the part that is a little bit more complicated. In a GTM device, any DNS query can be answered by 2 different processes. First is TMM (the F5 system), which is responsible for the "intelligent" DNS resolution. Second is named (BIND), which provides static DNS responses.

    My expectation is that you can use TMM to act as a DNS server to accept and answer recursive queries. However, I never had to implement that, so this is why I say it is my expectation.

    On the other hand, we know that BIND can do that for sure. You just need to be sure that the GTM listener is also the device self IP, and BIND is enabled in the DNS profile.

     

    • Leonardo_Souza

      I was not testing that. You also said that you were going to use BIND, and that I know works.

      Do you plan to use TMM for that? I can do some tests, in that case.

    • Govind_32899

      There is one vulnerability with BIND, CVE-2016-2776. This is fixed in 12.1.2. But configuration-wise we need to enable recursion & configure a forwarder.

  • Hi,

    I will comment on Leonardo's DNS service description.

    When you configure a listener, a virtual server is created with the following behavior:

    • if a wide IP matches the DNS request:
      • if the pool assigned to the wide IP returns a VS, answer with it
      • if no pool member is available and the fallback method is "return to DNS", the request is released to the DNS server
      • if no pool member is available and the fallback method is not "return to DNS", the request is ignored
    • if not, the request is released to DNS

    If no pool is assigned to the listener and the listener IP is a self IP (floating or not), requests released to DNS are handled by the local BIND.

    If a pool is assigned to the listener, the DNS request will be load balanced and forwarded to one pool member.

    In this configuration, you can assign a pool with your ISP DNS forwarders.

  • Hello Stanislas,

    If I just want to forward specific queries towards certain servers, what is the easiest way to do it?

    In BIND this would look like:

    zone "site1.F5.com" {
      type forward;
      forward only;
      forwarders { 1.1.1.1; 2.2.2.2; };
    };
    zone "site353.example.com" {
      type forward;
      forward only;
      forwarders { 3.3.3.3; 5.5.4.4; };
    };
    zone "urgent911.example.net" {
      type forward;
      forward only;
      forwarders { 3.3.4.4; 4.4.1.1; };
    };

    Of course without too much interference with other config (DNS Express, other GSLB, ...).

    Or to ask the question differently: you mention "if no pool member is available and fallback method is "return to DNS" the request is released to DNS server" => to which server is it released?

    Thanks in advance for your answer.

    • Stanislas_Piro2

      Hi,

      The answer is in my previous post:

      If no pool is assigned to the listener and the listener IP is a self IP (floating or not), requests released to DNS are handled by the local BIND.

      If a pool is assigned to the listener, the DNS request will be load balanced and forwarded to one pool member.

  • We have tested DNS forwarding to a public DNS in our lab environment; just enable recursion.

    recursion yes;
    allow-recursion { 192.168.45.0/24; 192.168.42.0/24; 192.168.5.0; };
    forwarders { 8.8.8.8; };

    Thanks, Ranjeet Singh
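As an added example (my own code, not from this thread, F5 or BIND), a small Python audit of a named.conf-style fragment: it reports whether recursion is off, restricted by allow-recursion, or open to any client, and lists the global and per-zone forwarders, so it covers both the options block above and the per-zone forward configuration asked about earlier. The sample config is constructed for the example; the "no-acl" verdict only means no explicit allow-recursion was found, so BIND's defaults decide and should be checked.

```python
import re

SAMPLE_CONF = """
options {
    recursion yes;
    allow-recursion { 192.168.45.0/24; 192.168.42.0/24; };
    forwarders { 8.8.8.8; };
};
zone "site1.example.com" {
    type forward;
    forward only;
    forwarders { 1.1.1.1; 2.2.2.2; };
};
"""

OPEN_ACLS = {"any", "0.0.0.0/0", "::/0"}  # ACL entries that admit every client (open resolver)

def _block(conf, header_re):
    """Body of the first `<header> { ... }` block in conf, nested braces balanced ("" if absent)."""
    m = re.search(header_re + r"\s*\{", conf)
    depth, start = 1, m.end() if m else len(conf)
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return ""

def _items(block, name):
    """Entries of a `name { a; b; };` statement inside block, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), block)
    return None if not m else [x.strip() for x in m.group(1).split(";") if x.strip()]

def audit_recursion(conf):
    """'off', 'open' (ACL admits everyone), 'restricted', or 'no-acl' (recursion on, no ACL set)."""
    opts = _block(conf, r"\boptions")
    if re.search(r"\brecursion\s+no\s*;", opts):
        return "off"
    acl = _items(opts, "allow-recursion")
    if acl is None:
        return "no-acl"
    return "open" if any(a.lower() in OPEN_ACLS for a in acl) else "restricted"

def forwarders(conf):
    """Map '*' (global options) and each `type forward` zone to its forwarder list."""
    out = {}
    opts = _block(conf, r"\boptions")
    if opts:
        out["*"] = _items(opts, "forwarders") or []
    for m in re.finditer(r'zone\s+"([^"]+)"', conf):
        body = _block(conf[m.start():], r'zone\s+"[^"]+"')
        if re.search(r"\btype\s+forward\s*;", body):
            out[m.group(1)] = _items(body, "forwarders") or []
    return out
```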

     

  • I have a similar issue with v13.

    I have a listener IP with a default pool. What I am expecting is that local wide IPs are resolved, but for records not existing locally the request will be forwarded to the pool member. What is happening is that all requests are being forwarded. It does not check locally first. According to the v13 GTM implementations document, what I'm after should be possible.

     

    • Leonardo_Souza

      It should go for wide IPs first, then forward or local BIND depending on your configuration.

      Can you post here the listener configuration, the linked DNS profile, and the pool?

       

    • tbird_40716

      Hi Leonardo, I had a call with support and the config is actually working as expected. I was testing from the GTM itself, which does not work; it checks BIND only, I think, and does not scan through the wide IPs. From a remote server the wide IPs are checked correctly before the forward occurs. All good. Thank you.