Any way to do DNS loadbalancing without BIG-IP DNS module?

Question

Hi,In our environment we have a number of domain controllers which act as DNS servers for everything internally.Now, we have one specific type of client that is only able to be configured with a single IP address for its DNS server and this causes problems when a DNS server is down for maintenance.We run BIG-IP VE v16.1.4 with LTM, but not DNS, provisioned.I'd like to solve this&nbsp;without provisioning the BIG-IP DNS module in this particular instance, by doing this:1. Creating a new Stateless VS to receive DNS queries on port 53/udp2. Assign a UDP protocol profile with "datagram" enabled (so it LBs every single packet) to the VS3. Create a pool of DNS-servers4. Create an internal DNS record that will be used to check that a DNS server responds with the correct RR.5. Assign a "DNS" monitor to the pool and configure it to check service status by sending a DNS query for the RR I created the and seeing if the response is correct.However, the "DNS" monitor puts every server in the DOWN state. By using tcpdump on the BIG-IP VE I can see that the BIG-IP does&nbsp;not send any DNS query packets from this monitor to the DNS servers in the pool.&nbsp;I see a lot of other DNS queries from the BIG-IP (the servers in question is also the DNS servers for the BIG-IP).SO - should it even be possible to create a normal LTM pool containing DNS servers&nbsp;and having the BIG-IP monitor the service state of each member using the "DNS" monitor?

moonlit · Accepted Answer

So yes, there was a L3 problem - which was that I chose the wrong interface on the BIG-IP VE to monitor traffic. Turned out the monitor packets were sent on the management interface because of a routing thing I just happened to remember.

Anyway: PROBLEM SOLVED. In order to monitor a DNS server by sending a query and checking for a correct response, I did it the hard way by hand-crafting the packets sent to replicate the bytestring as seen when doing a manual DNS lookup, through dumping the packet.

In the "Send string" field you can enter individual bytes by prefixing the hex value with "\x", so I copied the DNS header (including transaction id, query number etc) plus the actual query, converted it to \x format and put it in the Send string field.
In the Receive string field I entered just the ASCII IP address which I knew the correct query would result in if the server is healthy.

zamroni777 · Answer

you probably has network layer problem.have you tried other monitor type such as udp or icmp/ping to ensure there is no network layer problem?

zamroni777 · Answer

the dns monitor doesnt have such limitation.you should try udp monitor with any send string.if you dont see the trafic in the tcpdump, then very likely there is L3/L4 config problem.

moonlit · Answer

Thank you for replying! Yes, I've added the built-in "gateway_icmp" monitor and it works fine.
I'm thinking that the "dns" type of a Monitor object is not meant for monitoring just any node but that it might instead be a part of the GTM/DNS module, which we have not provisioned (and we don't want to).

We did manage to set up a new VS (Fast/Performance L4) and pool by reading an archived guide and following the section for "Basic Stateful UDP traffic management":
https://www.f5.com/pdf/deployment-guides/dns-load-balancing-dg.pdf

The only thing lacking now is a monitor that can actually test DNS functionality. It's probably possible to set it up by using a UDP monitor and entering the request/response strings necessary, but something about that seems a bit off to me.

I'd like to know if a monitor of type "DNS" is supposed to be used to monitor just any node that is configured with port 53/udp and, if so, why the BIG-IP VE doesn't send any DNS udp packets to the pool members but instead just flags the nodes as Down.

EDIT: I now learned that the default "udp" monitor (with no strings configured) is able to tell if a server is listening on 53/udp or not, so I'm using that instead of "gateway_icmp". That should be good enough for our purposes.

joselabra · Answer

Hiii how r u?
Thx for provide the solution for the issue.
Regards!

Forum Discussion

Any way to do DNS loadbalancing without BIG-IP DNS module?

5 Replies

Recent Discussions

F5 AWAF Data Guard

repeated parameter name

Header injection rule

Leading tab in header name: Authorization

External and Internal DNS on same appliance

Related Content

Customer driven Site Deployment Using AWS and F5 Distributed Cloud Terraform Modules

Parsing tmsh command output with Python TextFSM module and some Lessons learned

Customer-driven Site Deployment Using AWS and F5 Distributed Cloud Terraform Modules

Ansible module to update BIG-IP root/admin passwords

Hardware Security Modules