DNS: reply from unexpected source
Hi,
Firstly, I must say that I am a complete newbie when it comes to BIG-IP products. On the other hand, the load balancer was configured by experts, so I am pretty confident that they did a reasonably good job.
I have two DNS servers (DNS1 and DNS2) and a BIG-IP F5 14.1.4.6 load balancer. Both DNS servers' default gateway is the F5. When a DNS client asks the DNS service in the F5, the load balancer sends the request to one of the DNS servers keeping the client's IP. Then, on receiving the reply from the DNS server, the F5 sends the reply to the client using its own IP (with SNAT). This way, the DNS client only talks to the F5. On the other hand, when a DNS client asks one of the DNS servers directly, the DNS server sends the reply to the default gateway (the F5) and the packet is routed to its destination without any change.
Nevertheless, every now and then I am facing replies from unexpected sources. For instance, sometimes the client asks DNS1 but it gets the reply from the F5. Thus, I get messages like this:
;; reply from unexpected source: bigip#53, expected dns1#53
It looks like, on receiving the reply from DNS1, the F5 replaces the packet's source IP (SNAT) with its own IP.
Example:
Right behaviour:
PC -> DNS query to F5 service -> F5 -> sends a query to DNS1 or DNS2 keeping the PC's source IP -> DNS1 replies to the F5 (its default gateway) -> F5 replaces source IP (SNAT) and sends the reply to the PC -> the PC receives the reply from the service it asked to.
PC -> sends a DNS query to DNS1 -> DNS1 replies to the F5 (its default gateway) -> the F5 somehow knows that the reply was sent directly to DNS1 and forwards the reply to the PC keeping DNS1's IP address -> the PC receives the reply from the server it asked to (DNS1).
Wrong behaviour:
PC -> sends a DNS query to DNS1 -> DNS1 replies to the F5 (its default gateway) -> the F5 replaces the packet's source IP (DNS1) with its own IP and forwards the reply to the PC -> the PC receives the reply from an unexpected server (F5).
Can you give me a hand to solve this? Maybe you can just give me a hint to start looking for the solution.
Thanks in advance.
Regards,
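The client-side check that produces the message quoted in the post, shown as an added example that is not part of the original post: a stub resolver accepts a UDP reply only if it arrives from the address it queried. The loopback sockets, the function names and the use of differing ports (instead of differing IPs) to stand in for DNS1 and the rewritten source are assumptions made so the example runs offline.

```python
import socket
import struct

def build_query(txid, name="example.com"):
    """Minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def build_reply(query):
    """Echo the query with the QR (response) bit set; no answer records."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | 0x8000) + query[4:]

def check_reply(expected, source, query, reply):
    """Acceptance test on the client: source address first, then transaction ID."""
    if source != expected:
        return "reply from unexpected source: %s#%d, expected %s#%d" % (source + expected)
    if reply[:2] != query[:2]:
        return "ID mismatch"
    return "accepted"

def simulate(rewrite_source):
    """One query/reply on loopback; rewrite_source=True models the translated reply."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)      # stands in for DNS1
    translator = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stands in for the rewritten source
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for s in (server, translator, client):
            s.bind(("127.0.0.1", 0))   # constructed endpoints, ephemeral ports
            s.settimeout(2)
        expected = server.getsockname()
        query = build_query(0x1234)
        client.sendto(query, expected)
        data, client_addr = server.recvfrom(512)
        # The reply leaves either from the queried socket or from a different one.
        sender = translator if rewrite_source else server
        sender.sendto(build_reply(data), client_addr)
        reply, source = client.recvfrom(512)
        return check_reply(expected, source, query, reply)
    finally:
        for s in (server, translator, client):
            s.close()

if __name__ == "__main__":
    print(simulate(False))
    print(simulate(True))
```

Comparing the source seen by the client with the address it queried, for example in a packet capture taken on the client, shows which of the flows described in the post a given reply followed.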