Forum Discussion

lkchen
Dec 20, 2012

DNS Interference from F5?

Trying to clean up DNSSEC issues that crop up here and there, I got to doing the reply-size test (https://www.dns-oarc.net/oarc/services/replysizetest) to make sure that wasn't an issue.

I discovered that two of my DNS Caching servers were reporting "DNS reply size limit is at least 1086" rather than "DNS reply size limit is at least 3843". So, I opened tickets with our network/firewall group to see if they were causing me problems. They say there's nothing different for these two servers and my other 6 DNS Caching servers. And, having me exercise the servers, they aren't seeing any problems at the borders.

It occurs to me that the two DNS servers are in an F5 pool (the others aren't). So, I'm wondering if there's something about the F5 that might be causing the reply size to be different.

I'm running the test "dig +bufsize=4096 +short +notcp rs.dns-oarc.net txt @" at regular intervals. And, they oscillate between 1086 and 38xx, where 38xx is less than 3843, which differs between the two instances and isn't consistent.

Now for some gory details... our BigIP (6400 HA pair, LTM, 10.2.3HF1 - last updated on Jan 7, 2012, plan to update to 10.2.4HF4 around Jan 5, 2013 :-)

We employ FWSM vlans all around, effectively both in front of and behind the F5, for an F5 sandwich, but the FWSM is only on the outside. So what we have is 5 vlans tagged to the external interface (a couple of public VS subnets, a private VS subnet, external network failover and FWSM routing), and then 30+ vlans off of the internal interface. For each vlan, there is a Forwarding (IP) virtual server that takes traffic from the FWSM vlan to the specific subnet/vlan behind the F5.

virtual FWSM_F5_Misc_Servers_Routing {
   ip forward
   destination xxx.yyy.zzz.160:any
   mask 255.255.255.224
   profiles fastL4 {}
   vlans FWSM_F5_Routing enable
}

And, a performance (Layer 4) wildcard virtual server in the other direction:

virtual F5_Misc_Servers_WC {
   pool FWSM_WIldcard_Virt
   destination any:any
   mask 0.0.0.0
   profiles fastL4 {}
   vlans F5_Misc_Servers enable
}

All IPs behind the F5 are routable throughout the enterprise (including the RFC1918 ranges), though in this case the F5_Misc_Servers vlan is in public IP space, since we don't use our F5 for NATing anymore (and we didn't have border firewalls to do NAT when this F5 pair was configured).

Any thoughts on whether my F5 configuration might explain the strange behavior I'm getting?

Lawrence
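Added example (not from the original post): a Python reimplementation of the reply-size probe used above, so the check can be scripted against every caching server on a schedule instead of running dig by hand. It builds the same TXT query with an EDNS0 OPT record advertising a 4096-byte buffer, sends it over UDP like +notcp, and extracts the "DNS reply size limit is at least N" value from the TXT answer; the exact wording of the OARC answer text and the 3-second timeout are assumptions.

```python
import re
import socket
import struct
OARC_NAME = "rs.dns-oarc.net"  # DNS-OARC reply-size test name, as used in the dig command above
TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, root terminator)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name=OARC_NAME, bufsize=4096, txid=0x1234):
    """TXT query carrying an EDNS0 OPT pseudo-RR that advertises `bufsize` (dig +bufsize=N)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)  # OPT: class = UDP payload size
    return header + question + opt

def skip_name(data, off):
    """Return the offset just past a wire-format name, compression pointer included."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 else 1)

def parse_txt_strings(data):
    """Collect every TXT string from the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", data[4:8])
    off, out = 12, []
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip qtype + qclass
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        p, off = off + 10, off + 10 + rdlen
        while rtype == TYPE_TXT and p < off:  # rdata is a run of <len><chars> segments
            out.append(data[p + 1:p + 1 + data[p]].decode(errors="replace"))
            p += 1 + data[p]
    return out

def reply_size_limit(txt_strings):
    """Pull N out of 'DNS reply size limit is at least N'; None if absent (assumed wording)."""
    hits = [re.search(r"reply size limit is at least (\d+)", s) for s in txt_strings]
    return next((int(m.group(1)) for m in hits if m), None)

def probe(resolver, bufsize=4096, timeout=3.0):
    """Send the query over UDP (like dig +notcp) and return the limit the tester observed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(bufsize=bufsize), (resolver, 53))
        data, _ = s.recvfrom(bufsize)
    return reply_size_limit(parse_txt_strings(data))
```

Calling probe() against each caching server from the same vantage point and logging the returned value over time makes the 1086-versus-38xx oscillation visible per server, which narrows down whether the F5 path is the one that differs.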
