APM - Allow Local DNS Servers - Actual Usage

Question

Hi All,&nbsp;
Intrigued how this setting behaves "Allow Local DNS Servers" as it doesn't seem to do what it says.&nbsp;
Help is ambiguous...&nbsp;
"Check this box to enable local access to DNS servers configured on client prior to establishing network access connection."&nbsp;
Scenario we have... The internal DNS server needs to resolve a certain zone, but the clients own DNS should resolve all other queries.&nbsp;
DNS Address Space inclusion is for internal zone.
Allow local DNS Servers enabled.&nbsp;
DNS/Host section has two internal DNS servers configured.&nbsp;
But it's just not working.&nbsp;
Any ideas?&nbsp;

Response to Seth Cooper (F5)
Can you confirm if the DNS Relay Proxy service is installed on the client?&nbsp;
I can confirm the DNS Relay Proxy is installed on the client, and that we used CTU to check that.&nbsp;
Do you have split or full tunnel configured?&nbsp;
Split tunnel is configured.&nbsp;
If split tunnel are the DNS servers configured in the allowed IPs?&nbsp;
Yes, IP ranges include the internal DNS servers to query.&nbsp;
Can you post a little bit more information about your actual configuration?&nbsp;
The APM Network Access is configured for third parties to access select systems via a VPN (can't be delivered by other APM resources).&nbsp;
For purpose of this, let's refer to the internal DNS zone as lab.int.&nbsp;
A client would expect to connect to the VPN and be able to resolve queries for lab.int. against the internal DNS provided over the VPN.&nbsp;
As the DNS Server is not recursive, and serves only lab.int. all other queries need to be locally resolved by the clients own DNS servers.&nbsp;
How it's configured...&nbsp;
The network access resource is configured to split tunnel and has a block of IP address ranges (which covers the DNS servers). The DNS servers are provided under the DNS/HOSTS section, along with the default dns suffix of lab.int.&nbsp;
Also under the network settings section, the include DNS addresses has *.lab.int. and no exclusions (IP or DNS).&nbsp;
Now we're looking at this "Allow local DNS servers" and need clarity over it's usage, because it sounds like it fills the requirement, but it's unclear what it actually does and isn't in the documentation.&nbsp;
Effectively, we're trying to make use of the DNS Relay Proxy to resolve only the internal zone.&nbsp;

seth_cooper · Answer

Can you confirm if the DNS Relay Proxy service is installed on the client? Do you have split or full tunnel configured? If split tunnel are the DNS servers configured in the allowed IPs? Can you post a little bit more information about your actual configuration?

seth_cooper · Answer

The Allow Local DNS setting and the Allow Local Subnet settings are really only needed if you are using full tunnel or if your split tunnel will overlap the IP ranges needed on the local subnet.  These basically just create routing exceptions.  &nbsp;
Your issues seems to be with the DNS Relay Proxy.  Please make sure you have the DNS Address Space settings configured correctly.  Can you review this SOL?  https://support.f5.com/kb/en-us/solutions/public/9000/600/sol9694.html &nbsp;
If you are still having issues you can certainly open a case with F5 Support.  Please provide the CTU report (f5wininfo.exe) from the client and a qkview from the APM.&nbsp;
Seth&nbsp;

markku_leinio_1 · Answer

Hi JD, did you get this resolved? I'm having similar issue in https://devcentral.f5.com/questions/apm-dns-address-space-options.&nbsp;
Markku&nbsp;

Forum Discussion

APM - Allow Local DNS Servers - Actual Usage

3 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Server Profile SNI

Check a Virtual Server's SSL Status

Virtual Server graphical App for F5 LTM

iRule based RADIUS Server Stack

2 internal server vlans