DNS (GTM)

GTM Listener IP - Best Practice


"F5 recommends to always use a self IP address when defining a listener object for local name resolution. A listener object that is not defined as a self IP address cannot direct name resolution requests to BIND."

ref: https://devcentral.f5.com/s/question/0D51T00006i7aIb/gtm-listener-ip-best-practice



Create wide IP

#app1.testsite.com

modify gtm server dc1-f5-apm-1-2 virtual-servers add { app1_vs { destination 194.168.135.252:https translation-address 10.242.151.42 translation-port https }}

create gtm pool a app1_pool_apm_dc1 members add { dc1-f5-apm-1-2:app1_vs { member-order 0 } }

create gtm pool a app1_pool_apm_hm { }

create gtm wideip a app1.testsite.com pool-lb-mode global-availability pools add { app1_pool_apm_hm { order 1 } app1_pool_apm_dc1 { order 0 } }


Important Considerations


GTM Add

run gtm gtm_add

WARNING: Running this script will wipe out the current configuration
files (bigip_gtm.conf, named.conf and named zone files) on the BIG-IP GTM
Controller on which this script is run. The configuration will be
replaced with the configuration of the remote BIG-IP GTM Controller
in the specified sync group

The local BIG-IP GTM MUST already be added in the configuration of the
other GTM.

NOTE: The current master key of this BIG-IP will be changed to match the
master key of the remote BIG-IP GTM.

ref: https://devcentral.f5.com/s/question/0D51T00006i7aIb/gtm-listener-ip-best-practice




Great DIG command

To find the IP address of a particular domain name, use the DIG command without any additional options:

dig example.com

It performs a DNS query for the A records, which hold the IP addresses that correspond to the domain name from the query.

This plain dig command also gives you a lot of extra information: the version of DIG you are using, a header that shows what you asked and who answered, the port and protocol used (usually UDP), the time the query took, the TTL of the record, and the server that answered you.

If you don’t want so much information, go for the short answer of just the IP address with this command:

dig example.com +short


Check what a particular resolver has in its cache memory. We will use Google’s DNS resolver (8.8.8.8) to see what it has for our domain name.

dig example.com @8.8.8.8


Check whether a zone exists on a particular name server. We ask for the SOA record, but use the “@” symbol to specify which name server we query. In this case, the name server is “ns1.example.com”.

dig SOA example.com @ns1.example.com


See when the cached answer will expire (the TTL column in the answer section).

dig example.com +noall +answer


Check whether your DNS zone is synchronized across all authoritative name servers (the SOA serial is fetched from each of them):

dig example.com +nssearch


List all the name servers of the TLD you put in the query. You can do this for any TLD, such as COM, EU, US or ASIA.

The DIG command will be similar to the previous, but instead of a complete domain name, we will just put the TLD. In this case, “com”.

dig NS com +short


Reverse DNS check, IP address to hostname. You can also perform a reverse lookup and see which hostname an IP address belongs to. For this to work, the owner of the address space needs to have PTR records for the IP address pointing to the correct hostname.

dig -x 1.2.3.4


Check which mail servers are responsible for accepting email for the domain.

dig MX example.com +short


See the delegation path from the root servers to your DNS zone. You can make a trace request and follow the path, starting at the root servers and ending at your DNS zone.

dig example.com +trace

EDNS

Check EDNS client subnet (ECS) handling by sending a query that carries a +subnet option:

dig @192.168.70.123 hack.fullproxylabs.com +subnet=1.2.3.0/24


F5 iRule

when DNS_REQUEST {
    # Only requests carrying an EDNS0 OPT record can hold a client-subnet option
    if { [DNS::edns0 exists] } {
        # Log the ECS address the resolver supplied (e.g. 1.2.3.0 for +subnet=1.2.3.0/24)
        log local0. [DNS::edns0 subnet address]
    }
}

LTM log

Rule /Common/edns_logging <DNS_REQUEST>: 1.2.3.0"
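The dig +subnet query and the iRule's DNS::edns0 subnet address lookup above both work on the same wire element: the EDNS Client Subnet option inside the EDNS0 OPT record. As an added example (not part of the original notes and not F5 code), the Python below builds such a query for hack.fullproxylabs.com and parses the ECS option back out, returning the same 1.2.3.0 address the iRule logs; the function names are hypothetical and the query is constructed in memory, nothing is sent.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_ecs_query(qname, subnet, txid=0x1234):
    """Build an A query for qname with an EDNS0 OPT RR carrying ECS (dig +subnet=<subnet>)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    net = ipaddress.ip_network(subnet)
    family = 1 if net.version == 4 else 2
    sig_octets = (net.prefixlen + 7) // 8  # ECS sends only the significant address octets
    ecs = struct.pack("!HBB", family, net.prefixlen, 0) + net.network_address.packed[:sig_octets]
    opt_rdata = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
    # OPT RR: root owner name, TYPE 41, UDP payload size in CLASS, ext-RCODE/version/flags in TTL
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt_rdata)) + opt_rdata
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, QDCOUNT 1, ARCOUNT 1
    return header + question + opt_rr

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def extract_ecs(msg):
    """Return the ECS subnet as 'address/prefix' (what DNS::edns0 subnet address sees), else None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):  # skip answer/authority RRs: 10-byte fixed header + RDATA
        off = skip_name(msg, off) + 10
        off += struct.unpack("!H", msg[off - 2:off])[0]
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == 41 and pos + 4 <= len(rdata):  # walk the OPT record's options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE:
                family, src_len, _scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")  # re-pad truncated address
                return f"{ipaddress.ip_address(addr)}/{src_len}"
    return None
```

Feeding the output of build_ecs_query into extract_ecs yields "1.2.3.0/24" for the page's +subnet=1.2.3.0/24 case; the parser also handles IPv6 ECS and returns None for queries without an OPT record.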