Forum Discussion

Daniel_55334
Jul 06, 2015

GTM to replace LDNS

We are going to replace our LDNS servers with a pair of GTMs. They will serve queries from the Internet only.

We have 2 sites, with 1 GTM and a pair of LTMs in each site. The GTM is located in the DMZ and the LTMs in the internal network; they communicate through a firewall. The GTM will be monitoring the LTMs for VS availability.

The LTMs currently host VSs with private IP addresses, and the firewall does the NAT translation to public addresses. I have some questions as below.

  1. When GTM discovers the VSs on LTM, it gets the private addresses. How can it hand out the public address when responding to DNS queries from the Internet?
  2. We can configure GTM to use a wide IP to process queries for LTM VSs. If we transfer the zone files from LDNS to GTM, how should such zone files in GTM be used?

I already searched the documents on DevCentral but there seems to be no particular one that describes such configurations.

Thanks in advance.

 

5 Replies

  • nathe
    1. You can't use auto-discovery with VSs that are translated. You need to manually add them and then specify the public and translation addresses.

    2. You can configure DNS Express to have GTM be a secondary authoritative server for the zone.

    Hope this helps,

    N


  • nathe
    1. In a GTM/LTM setup you can let LTM monitor the VSs, and its big3d agent will inform the GTM over iQuery of their statuses.

    2. One approach is to create a sub-zone for those A records you were going to configure a wide IP for, i.e. wip.domain.com, and then make the GTM servers the name servers for this zone. Keep the domain zone as it is, because I imagine local clients will use/need it.

    N


  • Andrea_Arquint_
    Historic F5 Account

    Hi Daniel,

    I know, 2 months ago, but just for others who are stuck on that topic as well.

    1. You just need to configure on DNS (GTM) under GSLB -> Servers a "BIG-IP System (Redundant)" with the "bigip" health monitor assigned (iQuery communicates status in both directions automatically). Bear in mind to disable "virtual server discovery" for your configuration (https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9138.html).

    2. I don't know if I understood the second question clearly... You register a domain at your local registrar, for instance "domain.jp". You host this zone somewhere (at an external DNS provider, or internally on your local BIND servers maybe). It depends on your concept how you want to announce GSLB RRs for that zone. In case the F5 DNS module (GTM GSLB) should resolve GSLB-related RRs only, you have to configure a delegation for your GSLB RRs on the SOA for domain.jp.

    Example:

    • The SOA (a DNS other than F5 BIG-IP) is responsible for your zone domain.jp
    • Configure at least two additional NS records on the SOA for domain.jp
    • NS records (delegation for your GTMs; they are the SOAs for the third-level domain gslb.domain.jp):
      • gslb.domain.jp (IP GTM DC A)
      • gslb.domain.jp (IP GTM DC B)
    • Add a CNAME RR like the following (which will be delegated to your GTMs):
      • www, which points to www.gslb.domain.jp

    A request to www.domain.jp would resolve the CNAME pointing to www.gslb.domain.jp, which will be forwarded to your GTMs. Your GTMs' wide IP www.gslb.domain.jp will respond with the corresponding LTM VS IP based on your preferred GSLB method and GSLB pool configuration.

    So, this is basically the concept for GSLB, but within our DNS module you would have a lot more which could help you additionally enforce DNS security.

    What do you actually mean by "replace LDNS"? The LDNS concept basically includes recursion on the WWW, which is normally on the provider's premises for xDSL customer uplinks, for instance. So, from this point of view you could replace an LDNS server as well with our DNS module.

    Regards,

    Andrea


    • Daniel_55334
      Thanks for your response Andrea. We are still pending on the implementation, so it's definitely not too late.

      1. OK, I just add the LTM on GTM without VS auto-discovery, and add the VSs on GTM manually and configure public and translation addresses. In case VS1 on LTM is down and it notifies GTM about this, how does GTM relate it to the VS1 configured on itself?

      2. The existing LDNS (maybe I should use the term DNS server instead) serves DNS queries from the Internet about the domain domain.jp. What I mean by "replace LDNS" is that GTM will serve the same purpose as this DNS server after migration, and the DNS server will retire. Currently there are zone files on the DNS server. How should they be transferred to GTM so that GTM can replace the function of the DNS server?
  • Andrea_Arquint_
    Historic F5 Account

    Hi Daniel,

    Good to know. It's a pleasure to help out.

    1. (Please correct me if I assume the wrong approach.) In case VS1 goes down on an LTM cluster (LTM and GTM are on separate boxes, right?), GSLB (both GTMs) marks VS1 as down based on iQuery communication (within the monitor "bigip"). Therefore GSLB does not respond with the wide IP pool member's IP address for VS1 (VS1 as wide IP pool member) for the corresponding request, and it will respond with an IP from one of the remaining (online) wide IP pool members, which should logically represent the same application.

       Background info: Basically, a wide IP has a pool assigned. This pool contains LTM virtual servers (which you configured manually) from different sites to control traffic within the same application. Configuring GSLB methods is per wide IP. So, you decide on a per-wide-IP basis how traffic should be handled across your sites (data centers), which is very flexible, btw.

    2. I would recommend using DNS Express for this use case, basically. You can see from the following link how the BIG-IP DNS module traffic flows through the box: https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14510.html. Use our on-box "bind", which is called "ZoneRunner", to configure your zone, but expose all the configured zones via "DNS Express" only. Therefore you need to make SURE you configure within the DNS profile GSLB and DNS Express only, and make SURE to disable "Use BIND on BIG-IP". Background info: Basically, you offload all your zones from ZoneRunner and AXFR all of these into physical memory (via DNS Express) on the box itself (which is very fast).

    This is just the way you could go in case you want to completely get rid of your current DNS. Otherwise I would recommend you use at least one master DNS and offload the zone to that one. DNS Express, aka DNS-X, is used to hide your DNS infrastructure, and therefore you don't have to take care of related vulnerabilities for these offloaded systems.

    Does all this make sense to answer your questions?

    Cheerio,

    Andrea
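As an added illustration (not from the thread, and not F5 code) of the delegation Andrea lays out in the "Example" above and of the VS-down behaviour in the second reply: a small Python model in which the parent zone domain.jp keeps only the CNAME and the NS delegation for gslb.domain.jp, while the GTM side answers the wide IP with the translation (public) addresses of pool members whose iQuery status is up. All names, IPs and the data-structure layout are constructed placeholders, not a real zone or GTM configuration.

```python
from dataclasses import dataclass

@dataclass
class VirtualServer:
    """An LTM virtual server as added manually to GTM (no auto-discovery)."""
    name: str
    private_ip: str   # address LTM hosts; this is what discovery would import
    public_ip: str    # translation address the firewall NATs to; what GTM hands out
    up: bool = True   # status reported by the LTM big3d agent over iQuery

# Parent zone domain.jp stays on the existing DNS server; it only carries the
# CNAME and the delegation (NS + glue) for gslb.domain.jp. Constructed data.
PARENT_ZONE = {
    "www.domain.jp.":        ("CNAME", "www.gslb.domain.jp."),
    "gslb.domain.jp.":       ("NS", ["gtm-a.gslb.domain.jp.", "gtm-b.gslb.domain.jp."]),
    "gtm-a.gslb.domain.jp.": ("A", "192.0.2.53"),      # glue, GTM in DC A
    "gtm-b.gslb.domain.jp.": ("A", "198.51.100.53"),   # glue, GTM in DC B
}

# Wide IP on the GTMs: one pool whose members are the LTM VSs from both sites.
WIDE_IPS = {
    "www.gslb.domain.jp.": [
        VirtualServer("vs1_dc_a", "10.1.1.10", "192.0.2.80"),
        VirtualServer("vs1_dc_b", "10.2.1.10", "198.51.100.80"),
    ],
}

def gtm_answer(qname, wide_ips=WIDE_IPS):
    """GTM answers with the public (translation) IPs of pool members that are up."""
    return [m.public_ip for m in wide_ips.get(qname, []) if m.up]

def resolve(qname, zone=PARENT_ZONE, wide_ips=WIDE_IPS):
    """Model a recursive resolver: follow the CNAME in the parent zone, find the
    closest enclosing NS delegation, and ask the delegated GTMs for the answer."""
    chain, name = [], qname
    rr = zone.get(name)
    if rr and rr[0] == "CNAME":
        chain.append(("CNAME", rr[1]))
        name = rr[1]
    labels = name.split(".")
    for i in range(1, len(labels)):       # walk up: gslb.domain.jp., domain.jp., ...
        parent = ".".join(labels[i:])
        rr = zone.get(parent)
        if rr and rr[0] == "NS":
            chain.append(("NS", rr[1]))
            return chain, gtm_answer(name, wide_ips)
    return chain, []                      # no delegation: the parent zone answers itself
```

Marking a member down (`up = False`) removes its address from the answer while the other site keeps being served, and the private 10.x addresses never appear in any response.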