Multi-homed GTM, how to restrict internal/external DNS queries

Question

I have a set of GTMs with 2 active interfaces - 1 DMZ, 1 internal. I also have 2 subdomains allocated to the GTMs, one for internal Wide IPs and one for external Wide IPs. I want to set it up to only answer requests for the external subdomain on the DMZ listener and similarly only internal DNS requests for the internal listener. Grateful for any help or guidance here.

ots02 · Answer

I have a similar situation (2 pure GTMs). In my case, the irule works very well. I have set up all of the internal records as WideIPs, then you can apply the irule directly to the WideIP
It can also be done using an additional "view" (under Zonerunner view list), but I think that the irule on WIP is simpler and more flexible.&nbsp;
In my case, I have an irule that drops everything that does not have an RFC1918 source address. this rule is applied to the internal WIPs.&nbsp;
when DNS_REQUEST {
  if { ([IP::addr [IP::client_addr]/8 equals 10.0.0.0])} {
  }
  elseif { ([IP::addr [IP::client_addr]/12 equals 172.16.0.0])} {
  }
  elseif { ([IP::addr [IP::client_addr]/16 equals 192.168.0.0])} {
  }
  else {log "[IP::client_addr] attempting to query internal dns zone!!!!!"
 discard
 }
}&nbsp;

hamish · Answer

An iRule will allow this...&nbsp;
I'm not aware of any other way to doit (Apart from perhaps topology records to force resolution from an empty pool... A bit of a hack that though).&nbsp;
The iRule should be about to be implemented at either at the GTM or lTM level.&nbsp;
H&nbsp;

ruiqiang_lu_121 · Answer

i think you can use irule to resolve this issue. you can add one  irule to one  listener, another irule to another listener. 
this irule is LTM's irule, you can Provisioning LTM, and configure this irule to VS of listener.&nbsp;
the irule like this:&nbsp;
when DNS_REQUEST {
     if { [DNS::question name] equals "www.a.com"} {
        DNS::drop
     }
}&nbsp;

jon_ole_nome_46 · Answer

Thanks for you input, I will check to see if this is possible on a "pure" GTM, or if I would need a LTM/GTM setup to do that.

kevin_stewart · Answer

Here's a slight twist to get multi-homed records.

Create an "internal" topology region - include all of the local/internal IP subnets.

Create separate internal and external pools for each WIP resource with a common naming extension (ex. int_foo.example.com_pool and ext_foo.example.com_pool).

Create a "drop" pool - no members, preferred LB Method: Fallback IP, Fallback IP: 1.1.1.1, Alternate and Fallback LB Methods set to none.

Assign the external pool to the WIP.

Apply this iRule to all multi-homed WIPs:
when DNS_REQUEST {
    if { [matchregion [IP::client_addr] internal_network] } {
        if { [catch {
             try to send internal GTM pool
            set pool [findstr [LB::server pool] "ext_" 4]
            pool "int_$pool"
        } error] } {
             internal GTM pool doesn't exist - send nothing
            pool drop_pool
        }
    } 
}

This is really nothing more than a variation on some of the examples above, and probably pretty close to Jason's comments, but can be done completely inside a GTM iRule and will allow you to serve up internal and external DNS entries for the same resources (if they exist).