pedinopa_170325
Feb 10, 2015

DNS query logging

I need to be able to do DNS query logging for my GTM. I have a GTM and LTM. I am looking at the directions for configuring high speed logging and am confused about what objects get created on the LTM and GTM. It looks like the profile gets created on the GTM and I modify the listeners to use the new profile. The other objects (publisher, remote logging pool, publisher) get created on the LTM. But I don't see what tells the GTM to publish to the LTM.

It would make more sense if the logging could all be done from the GTM.

Is there an iRule I can put on the GTM that logs all DNS queries to a remote log server?


10 Replies

  • Your DNS profile is what connects the DNS logging profile to the listener. The DNS logging profile uses a log publisher, which uses a logging destination. All of which actually runs in LTM (tmm) even though it is attached to a DNS listener that is part of GTM. Very little of GTM actually runs in the gtmd process anymore (BIND still does, that's why it's not recommended to resolve DNS from on-box BIND), as it is single-threaded whereas tmm runs using CMP. I highly recommend sticking with High Speed Logging via the profile; it will perform better than doing it with an iRule. Built-in features are more highly optimized than iRules.

     

  • So focusing on the GTM. I modify the listener to use the Logging profile (in which I have to select the pool). The profile gets created on the LTM so how does it become useable to the GTM (does the GTM see whatever profiles get created on the LTM)?

     

    Do I configure remote logging destination and publishers on the GTM or only on the LTM?

     

    • Brad_Parker
      Are you saying your "LTM" and "GTM" are two separate devices? What BIG-IP version are you running? While your GTM may not have the LTM module provisioned, the components of it still essentially run in LTM (tmm). You need to create a pool that you will be sending your high speed logging to (location in GUI depends on version), create a log destination that uses that pool, then use that destination in your log publisher (this is done in the log configuration). You then create your DNS logging profile using the publisher you created. Your new DNS logging profile will then be enabled in the DNS profile that is attached to your listener. All this is on the same device. Depending on the BIG-IP version, the location of these items in the GUI will be a little bit different.
  • Yes, my GTM is a separate system from my LTM. I am running 11.51 HF5. Since the GUI does not allow me to provision LTM objects, do I need to do it from the command line? LTM functions are not licensed for this box.

     

    • Brad_Parker
      Nope, the pools and nodes for HSL will live under DNS ›› Delivery : Load Balancing : Pools : Pool List. Your DNS logging profile will live under DNS ›› Delivery : Profiles : Other : DNS Logging. Your log destination and publisher will live under System ›› Logs : Configuration : Log Destinations. Your DNS profile will live under DNS ›› Delivery : Profiles : DNS. And lastly, your listener lives under DNS ›› Delivery : Listeners : Listener List. I hope this helps you more. Like I said, while these items technically run in LTM, it is under the hood in GTM. TMM is the process running these services, and while it's associated with LTM, it performs functions for several other modules without having to actually provision LTM.
  • Thank you for your help. I think I see what I need now.

    When I add the node member to the pool, would the service profile be snmp?

    Should the log destination use TCP or UDP (or do I need one for each protocol)?

     

    • Brad_Parker
      The port on the pool is dictated by your logging server and the protocol on the log destination is also dictated by your logging server. It will depend on your logging server, but most syslog servers use port 514 and UDP.
    • Brad_Parker
      Please remember to mark as answered if you feel your question was adequately answered.
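
The object chain described in the replies above (pool, log destination, log publisher, DNS logging profile, DNS profile, listener), sketched as tmsh commands on the GTM itself. This is an added example, not part of the original thread: every object name, the syslog server address 192.0.2.10 and the listener name `listener_dns_udp` are placeholders, and the property names should be checked against your BIG-IP version.

```tmsh
# Added example: object names, the address 192.0.2.10 and the listener name are placeholders.

# 1. Pool containing the remote syslog server (port is dictated by the server; 514 is common).
create ltm pool pool_dns_hsl members add { 192.0.2.10:514 } monitor gateway_icmp

# 2. High-speed log destination that sends to that pool (protocol must match the server).
create sys log-config destination remote-high-speed-log dest_dns_hsl pool-name pool_dns_hsl protocol udp

# 3. Log publisher that uses the destination.
create sys log-config publisher pub_dns_hsl destinations add { dest_dns_hsl }

# 4. DNS logging profile that uses the publisher and logs queries.
create ltm profile dns-logging dnslog_queries log-publisher pub_dns_hsl enable-query-logging yes

# 5. DNS profile with the logging profile enabled.
create ltm profile dns dns_query_logging defaults-from dns enable-logging yes log-profile dnslog_queries

# 6. Check which profiles the listener currently uses, then swap in the new DNS profile.
list gtm listener listener_dns_udp profiles
modify gtm listener listener_dns_udp profiles replace-all-with { dns_query_logging udp_gtm_dns }

# Review the publisher and persist the configuration.
list sys log-config publisher pub_dns_hsl
save sys config
```

If the logging server expects TCP, change `protocol udp` to `protocol tcp` and set the pool member port to whatever the server listens on.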