Forum Discussion

daboochmeister
Jun 12, 2017

Condition GTM wide-ip response based on source IP of requestor when GTM is not primary DNS

Hi - we have a setup where our GTM infrastructure is not our primary DNS - instead, we have separate DNS infrastructure, and for any GTM-managed wide-IPs we have a delegated sub-zone on our primary DNS servers - and the GTMs only handle wide-IPs that are referred to via CNAMEs in our primary DNS. That is, e.g. company.com is hosted on our primary; gslb.company.com is a delegated zone, with name server IPs that are the GTMs; wip.company.com is a CNAME to wip.gslb.company.com, which is a wide-IP on our GTMs.


In that scenario, a client will request resolution of wip.company.com - and our primary DNS server will contact the GTMs to obtain the IP (i.e., will handle the call recursively), and return the IP to the client. But from the GTM's perspective, I believe it will see our DNS server's source as the "client". The only way (at least that I'm aware of) to affect that is to have the client call non-recursively - but the average client doesn't do that, and we wouldn't WANT it to for anything besides these particular WIPs.


This whole problem goes away, of course, if you use the GTMs as your primary DNS infrastructure. But for other reasons, we don't want to switch all clients to accessing our GTM tier for DNS services.


SO - is there any way, without imposing a requirement on the clients to call non-recursively, to condition the GTM response on that original client IP?


If it's relevant, our GTMs are currently running 11.5.3, though that will change to more recent soon. Oh, and sorry, I know it's supposed to be called BIG-IP DNS now.


6 Replies

  • Hi,


    You can use the topology load-balancing method, group your LDNS under region based on location and call the desired region in your topology statement.


    • daboochmeister

      Thank you for responding, irig4u ... I'm confused though: if all source IPs are those of the responders/forwarders (in our case, Infoblox DNS), because those responders are recursively resolving the name for the client, then how do I condition the topology to respond based on the original client IP? (Maybe I'm not asking this clearly, please say so if so, I'll try to re-word.)


  • Hi,


    When the Infoblox DNS is resolving the records recursively you will never see the IP address of the client (where the request originated from). This means you will see the IP address of the LDNS, in your case the Infoblox DNS. As far as I know the only way to resolve this is to point all clients (e.g. desktops/servers) to your F5 DNS. Hope this helps.


    Cheers.


  • There is an option to pass the client IP address from the LDNS server to the F5 and version 13 (I believe) supports this. Before version 13 there is an iRule that can extract that IP from the packet.
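The mechanism the last reply alludes to, and the limitation the earlier replies describe, are easiest to see on the wire. The following is an added example, not code from the thread and not F5's own implementation; it assumes the "option to pass the client IP address from the LDNS" is EDNS Client Subnet (ECS, RFC 7871, EDNS0 option code 8), which is the standard way a recursive resolver forwards the querying client's prefix to an authoritative server. It builds the query the Infoblox resolver would send to the GTM for `wip.gslb.company.com` with and without ECS, then shows what the authoritative side can recover: without ECS the only address available is the resolver's own source address (so any topology decision keys on the LDNS, as the first two replies say); with ECS a region lookup can key on the client's prefix instead. The addresses, region table and region names are constructed for illustration and are not from the thread.

```python
import ipaddress
import struct

# Constructed sample values (not from the thread).
LDNS_IP = "192.0.2.53"        # the recursive resolver (Infoblox); the UDP source the GTM sees
CLIENT_IP = "198.51.100.77"   # the stub client that actually asked for wip.company.com
QNAME = "wip.gslb.company.com"

# Constructed stand-in for GTM topology regions: a prefix table mapping to a region name.
REGIONS = [
    (ipaddress.ip_network("192.0.2.0/24"), "dc-region"),     # where the resolvers live
    (ipaddress.ip_network("198.51.100.0/24"), "branch-east"),  # where the clients live
]


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, client_ip=None, source_prefix=24, txid=0x1234):
    """Build an A query (RD clear, as a resolver sends to an authoritative server).
    If client_ip is given, append an EDNS0 OPT RR carrying an ECS option with the
    client address truncated to source_prefix bits, as RFC 7871 section 6 requires."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if client_ip else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if client_ip is None:
        return header + question
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2                    # address family per RFC 7871
    net = ipaddress.ip_network((addr, source_prefix), strict=False)
    nbytes = (source_prefix + 7) // 8                         # only the significant bytes are sent
    ecs_data = struct.pack("!HBB", family, source_prefix, 0) + net.network_address.packed[:nbytes]
    opt_rdata = struct.pack("!HH", 8, len(ecs_data)) + ecs_data  # option code 8 = ECS
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt_rdata)) + opt_rdata
    return header + question + opt_rr


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extract_ecs(msg):
    """Return (client_network, source_prefix) from the first ECS option in the
    additional section, or None when the query carries no ECS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):  # absent in a query, but walked for completeness
        off = skip_name(msg, off)
        _, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != 41:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == 8:
                family, src, _scope = struct.unpack("!HBB", odata[:4])
                alen = 4 if family == 1 else 16
                packed = odata[4:] + b"\x00" * (alen - len(odata[4:]))  # re-pad truncated address
                return ipaddress.ip_network((ipaddress.ip_address(packed), src), strict=False), src
    return None


def effective_client(msg, src_ip):
    """What the authoritative server can key a decision on: the ECS prefix if
    present, otherwise only the resolver's source address (as a host prefix)."""
    ecs = extract_ecs(msg)
    if ecs is not None:
        return ecs[0], "ecs"
    return ipaddress.ip_network(src_ip), "ldns-source"


def pick_region(msg, src_ip):
    """Look the effective client prefix up in the region table; ('default', how) if no match."""
    net, how = effective_client(msg, src_ip)
    for region_net, name in REGIONS:
        if net.version == region_net.version and net.subnet_of(region_net):
            return name, how
    return "default", how


if __name__ == "__main__":
    print(pick_region(build_query(QNAME), LDNS_IP))             # ('dc-region', 'ldns-source')
    print(pick_region(build_query(QNAME, CLIENT_IP), LDNS_IP))  # ('branch-east', 'ecs')
```

Two caveats a practitioner would want: the authoritative side cannot ask for ECS, so the resolver (here Infoblox) has to be configured to add the option itself, and a resolver that does not will leave the GTM with exactly the LDNS-only view the second reply describes; and ECS carries a truncated prefix (a /24 here), so any decision made from it is per-subnet, not per-host, and the scope prefix in the response governs how widely the resolver may cache the answer.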