Forum Discussion

Gordon_Bailey-M
Historic F5 Account
Jul 13, 2016

DNS Express Query Refused

I have a strange one. I have a DNS Express zone which has been transferred successfully. I can see the zones if I perform a dnsxdump on the GTM. I have a DNS profile with DNS Express enabled; BIND/named disabled. I also have a default pool attached pointing to Google DNS servers.

I can resolve external FQDNs without a problem (the traffic gets pushed to the Google pool). But internal FQDNs do not resolve (I get a QUERY REFUSED error). If I disable DNS Express, the internal FQDNs are pushed to the Google servers and I get an NXDOMAIN (which I expect).

So why is my DNS Express refusing queries??? Am I missing something?

1 Reply

So if I understand that correctly...

1. You have a listener with a pool attached, and a DNS profile on it that enables DNS Express. DNS Express is set up to act as a slave for your internal zones.

2. You can see the internal zone data using dnsxdump.

3. When you send queries for external zones to the listener, they do not match any zones DNS Express knows of, and so the packet is forwarded on to the pool (in this case, 8.8.8.8).

4. When you send queries for your internal zones to it (which you would expect DNS Express to respond to), you instead get a REFUSED response.

5. If you disable DNS Express, the query is sent to the pool, as expected.

If that's all correct... then... I'm very puzzled. I've tried a bunch of misconfigurations in my lab (12.0.0) to see if I can replicate this, but have been unsuccessful. I'm thinking maybe local BIND is somehow getting the query and responding with REFUSED, since it isn't authoritative for it, but I haven't found any way to get the query to fall through to local BIND without it first going to the pool.

Can you confirm it really is being refused by DNS Express? Have a look at the DNS profile stats on the listener statistics page, or use 'tmsh show ltm profile dns' and see which counter is incrementing.
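A small probe, added here as an example and not taken from the thread or from F5, that complements the counter check above by looking at the reply's header bits: an answer with the AA flag set was served from local zone data (DNS Express or local BIND), a reply with RA set and AA clear is what a forwarded resolver answer from the pool looks like, and REFUSED is reported as such. The listener address and FQDN are yours to supply; the "non-authoritative means the pool answered" mapping is an assumption that holds for the setup described in this thread.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Build a recursion-desired query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(raw):
    """Decode the 12-byte DNS header: transaction id, rcode, AA/RA flags, answer count."""
    if len(raw) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    return {
        "id": qid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "aa": bool(flags & 0x0400),  # authoritative answer: served from local zone data
        "ra": bool(flags & 0x0080),  # recursion available: typical of a forwarded resolver reply
        "answers": an,
    }

def diagnose(resp):
    """Map the header fields onto the cases discussed in the thread (pool mapping is an assumption)."""
    if resp["rcode"] == "REFUSED":
        return "REFUSED: check which counter in 'tmsh show ltm profile dns' increments"
    if resp["aa"]:
        return "authoritative %s: answered from local zone data (DNS Express or local BIND)" % resp["rcode"]
    return "non-authoritative %s: answered by the pool" % resp["rcode"]

def probe(listener, name, port=53, timeout=2.0):
    """Send one UDP query to the listener and classify the reply (needs network access).

    Example: probe("<your-listener-ip>", "host.corp.example")
    """
    qid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (listener, port))
        raw, _ = s.recvfrom(4096)
    resp = classify_response(raw)
    if resp["id"] != qid:
        raise ValueError("transaction id mismatch: %#x != %#x" % (resp["id"], qid))
    return resp
```

Run probe() once for an internal name and once for an external one and pass each result to diagnose(); the two replies should differ in the AA flag if DNS Express is the one answering.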