Forum Discussion

mike_aws_119486
Nimbostratus
Feb 22, 2019

Forward Zone + Recursion - Queries Time Out before Resolving

I have an existing F5 BIG-IP DNS providing GSLB using a DNS Listener and Wide IPs for zone 'company.com'

So I have:

  • UDP Listener
  • WIPS within the 'company.com' domain linked to LTM Virtual Servers
    • system1.company.com
    • system2.company.com
    • LOTS more WIPs
  • ZoneRunner Zone for 'company.com' as MASTER
  • DNS records for other systems not hosted on the F5
    • system5.company.com A

Clients are configured to use the F5 BIG-IP DNS listener as their DNS server and the DNS server resolves these Wide IPs absolutely fine on first response, so if I do an NSLOOKUP I will get:

Name:    system1.company.com
Address: 10.1.1.1

Now we have another new system running which has its own DNS servers and uses the domain name 'foo.com' and I want the clients using the F5 BIG-IP DNS as their DNS server to be able to resolve records within this solution.

So I have configured the following as per the relevant user guides / articles:

  • DNS -> Zones -> ZoneRunner -> Zone List
  • Create
    • Zone Name - foo.com
    • Zone Type - forward
    • Options - forwarders { 10.5.5.5; };
  • DNS -> Zones -> ZoneRunner -> named Configuration
    • recursion yes;
    • allow-recursion { 10.0.0.0/8; }

Now on the face of it this is working BUT all requests, both for external records and for the original WIPs, now time out twice before resolving, so NSLOOKUP responses are like this:

Resolution of Wide IP locally held on F5:

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    system1.company.com
Address: 10.1.1.1

Resolution of Record on the external Forward Zone:

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    login.foo.com
Address: 10.5.5.10

It's as though by turning on recursion the F5 is trying to resolve the DNS records in a different order, but the following suggests Wide IPs should be first:

https://support.f5.com/csp/article/K14510

Any ideas what could be happening?

NOTE: Examples above reflect our setup just names/addresses are changed.

2 Replies

OK we think we can see what it is doing but not why.

The F5 is configured with System DNS servers (System -> Configuration -> Device -> DNS -> DNS Lookup Server List).

These are set to internal DNS servers for resolving the hostnames of internal services used by the F5 such as AD/LDAP etc.

If we do a TCPDUMP on the F5 with and without recursion enabled, we can see that when recursion is enabled it's trying to resolve against these IPs first, which explains the two Time Outs:

DNS Query 1 - Goes to IP 1 from DNS Lookup Server List
DNS Query 2 - Goes to IP 2 from DNS Lookup Server List
DNS Query 3 - Successfully resolves either locally or via Forwarder

So the question is how we stop it doing this?
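The reply above pins the two timeouts on the F5's System DNS lookup servers being tried before the local zone and the forwarder. A quick way to confirm that from a client, without tcpdump on the BIG-IP, is to send the same A query directly to each candidate resolver with the same 2-second timeout nslookup uses and record which one answers and how long it takes. The script below is an added example written for this thread; it is not code from the original post, from F5, or from the BIG-IP product. It uses only the Python standard library, builds and parses raw DNS messages itself, and assumes a hypothetical list of resolver IPs (the listener, the two lookup servers, the forwarder) and a hypothetical name; `build_a_response` only exists so the parser can be exercised offline against a constructed reply.

```python
import socket
import struct
import time
from typing import List, Tuple

# Hypothetical resolvers to probe, in the order the reply says the F5 tries them:
# the two System DNS lookup servers, then the forwarder for foo.com. Placeholders only.
CANDIDATE_RESOLVERS = ["192.0.2.11", "192.0.2.12", "10.5.5.5"]
PROBE_NAME = "login.foo.com"          # hypothetical record from the question
PROBE_TIMEOUT = 2.0                   # same per-query timeout nslookup reports


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def response_rcode(msg: bytes) -> int:
    """RCODE from the header flags (0 = NOERROR, 3 = NXDOMAIN, ...)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x000F


def parse_a_records(msg: bytes) -> List[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def build_a_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Constructed NOERROR reply to `query` with one A record (offline test data only)."""
    txid = query[:2]
    question = query[12:_skip_name(query, 12) + 4]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(servers: List[str], name: str, timeout: float = PROBE_TIMEOUT
          ) -> List[Tuple[str, str, float, List[str]]]:
    """Ask each server the same question in turn; return (server, status, seconds, addrs)."""
    results = []
    query = build_query(name)
    for server in servers:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
            status = "answer" if response_rcode(data) == 0 else "rcode=%d" % response_rcode(data)
            results.append((server, status, time.monotonic() - start, parse_a_records(data)))
        except socket.timeout:
            results.append((server, "timeout", time.monotonic() - start, []))
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    for server, status, secs, addrs in probe(CANDIDATE_RESOLVERS, PROBE_NAME):
        print("%-15s %-8s %.2fs %s" % (server, status, secs, ", ".join(addrs)))
```

A resolver that appears as `timeout` at roughly the full 2 seconds is one the client would wait on before moving to the next, which is exactly the pattern in the nslookup output above; the lookup-server entries should answer for the F5's own internal hostnames but are not expected to know `foo.com`, so a timeout (rather than an NXDOMAIN or REFUSED rcode) from them is worth noting, since a prompt negative answer would not have delayed resolution.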