Zdenda
Oct 25, 2016

DNS resolver for explicit proxy

Hi, I am trying to create a DNS resolver for an LTM HTTP profile of type explicit, but I cannot find the proper way to do that. Can someone advise? I set DNS servers under System/Configuration/Device/DNS, but that does not look to be the way...

 

10 Replies

  • And this is a pure LTM deployment; no APM or GTM is provisioned on that LB box

     

  • In System, this is the host (Linux) DNS. For the TMOS and your LTM explicit VIP, you have to create a Resolver object. It can be as "default".

     

    Go to Network > DNS Resolver

     

  • Thanks, but I'm still not able to get it running. Unfortunately there is no proper documentation for this, or I cannot find it.

    I have a DNS resolver like this:

    net dns-resolver forward_proxy_dns_resolver {
        forward-zones {
            . {
                nameservers {
                    10.10.10.10:domain
                }
            }
        }
        partition DMZ
        route-domain RD1
        use-tcp no
    }
    

    Where 10.10.10.10 is a UDP virtual server forwarding DNS queries to the DNS servers. This VS works fine, tested. Anyway, the DNS resolver itself does not seem to work - I get either "page can't be displayed" or "NS lookup failed".

    Does the DNS resolver fully support routing domains in 11.5.4?

  • Hi,

     

    I found this information internally; let me know if it fits your request:

     

    • The HTTP explicit proxy Virtual Server is configured with a DNS Resolver (in the HTTP profile) that has the same destination IP address as another (DNS) Virtual Server, created to process DNS requests and forward them to the DNS server (pool member) on the same BIG-IP system. The DNS Virtual Server needs to have Source Address Translation enabled to avoid using the loopback address when initiating the connection towards the DNS server (pool member). When Source Address Translation is disabled, the DNS server receives traffic initiated from the loopback address and is not able to respond.

    When you set the proxy mode to Explicit, you must also configure the settings in the Explicit Proxy area of the HTTP profile.

     

    Otherwise, if it does not work, please open a support case in order to check if RD is supported.

     

  • This is exactly as I have it configured (the explicit HTTP profile uses a DNS resolver which forwards all DNS requests to the DNS VIP). I am not sure what I can be missing here; I am going to create a ticket with support. Thanks

     

  • zachar

    Hi Zdenda,

     

    Did you make it work? We are about to configure the same here and are just doing some research on the topic.

     

    Thanks, B

     

  • In 11.5 you can create the DNS resolver under network -> DNS resolver. This resolver can be used in the explicit HTTP profile.

     

    Cheers,

     

    Kees

     

  • Hi, I wanted to use a DNS resolver for the explicit proxy HTTP profile, but I did not get it working. Maybe because of partitions/routing domains, I don't care... it is also not well documented.

     

    So I used the known forward proxy iRule, which is great. I just hit some bug on one of our VIPs (too many iRules there), so I removed the parts related to SERVER_CLOSED and CLIENT_CLOSED; they are only logging anyway. And it works as sharp 🙂