01.11.2017
PRESENTED BY:
DNS Troubleshooting
Introduction to BIGIP DNS
DNS Hierarchy
Sample of a Zone File
$TTL 86400 ; 24 hours could have been written as 24h or 1d
; $TTL used for all RRs without explicit TTL value
$ORIGIN example.com.
@ 1D IN SOA ns1.example.com. hostmaster.example.com. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns1.example.com. ; in the domain
IN NS ns2.smokeyjoe.com. ; external to domain
IN MX 10 mail.another.com. ; external mail provider
; server host definitions
ns1 IN A 192.168.0.1 ;name server definition
www IN A 192.168.0.2 ;web server definition
ftp IN CNAME www.example.com. ;ftp server definition
; non server domain hosts
bill IN A 192.168.0.3
fred IN A 192.168.0.4
BIG-IP DNS (formerly Global Traffic Manager or GTM)
It is a load balancer for DNS queries (caching, traffic management) that makes the decisions needed to load
balance between data centers.
Terms
• Wide IP - Maps an FQDN to one or more pools of virtual servers that host the content of the domain.
It responds to listener requests. Creating a Wide IP automatically creates a zone that matches it.
• Server object - A server defined in BIG-IP DNS is either a BIG-IP or a third-party system
responsible for owning one or more virtual server services.
i. BIG-IP devices (LTM/ASM/APM/etc) – Standalone/Redundant Pair
ii. Generic LB/Host (third-party system) – Citrix LB, Cisco CSS, CentOS machine
• Listener - BIG-IP uses TCP/UDP listeners to respond to DNS queries.
• Pool - In BIG-IP DNS a pool contains one or more virtual servers.
BIG-IP Resolution Hierarchy
Listener
Wide IP
- Maps an FQDN to the set of virtual servers that host the domain content
- Uses pools to organize the virtual servers
iQuery communication and troubleshooting
Purpose
Establishing communication between a GTM and other systems so that they can be members of the same sync group
Requirement
1) DNS members must be running the same version (source: K13703)
i. BIG-IP DNS synchronization group communication
ii. Monitored BIG-IP systems must run the same or a newer big3d version than the DNS/GTM
systems that monitor them
2) Sync parameters must be defined properly
3) NTP in sync
4) Port lockdown allowing 4353 and 443
5) Compatible big3d version
iQuery
Virtual Server/Link Autodiscovery (K13994)
The virtual server and link auto-discovery feature allows BIG-IP DNS and BIG-IP Link Controller systems
to automatically discover virtual servers and links that are associated with defined BIG-IP systems.
If enabled, it uses the iQuery protocol to discover objects on the remote BIG-IP system. The following
conditions must be met:
• The BIG-IP DNS configuration contains one or more BIG-IP server objects
• TCP port 4353 is allowed between the BIG-IP DNS system and target BIG-IP systems
• The target BIG-IP system's virtual server addresses must not use network address translation
Important Note:
K9138: The BIG-IP GTM system disables virtual server auto-discovery for BIG-IP systems
that use translated virtual server addresses
K14106: Troubleshooting virtual server and link auto-discovery (11.x - 13.x)
- telnet <remote_bigip_selfip> 4353
- iqdump
K13312: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (11.x - 13.x)
Requirements of iQuery
- TCP port 4353
- SSH port 22 (for the initial certificate transfer/copy)
bigip_add
- Exchanges iQuery SSL certificates with the remote BIG-IP
- Appends the local GTM system's certificate to the remote BIG-IP's authorized certificates (stored in /config/big3d/client.crt)
- Appends the remote iQuery certificate to the local GTM's list of authenticated iQuery certificates (stored in /config/gtm/server.crt)
big3d_install (K13703)
- Similar to bigip_add, but also installs big3d on the remote system if its version is older than the local GTM's
- To check the version, run:
# /usr/sbin/big3d -v (default big3d agent)
# /shared/bin/big3d -v (executable file)
gtm_add
- Integrates a new GTM system into an existing sync group
- Replaces the current config (bigip_gtm.conf, named.conf and the named zone files)
Troubleshoot iQuery
1. Config Utility
- Check the status of the server object (Global Traffic -> Server -> Server List)
- iQuery statistics (Statistics -> Global Traffic -> Statistic Type -> iQuery)
- Summary statistics (Statistics -> Global Traffic)
2. TMSH
- Server (tmsh show /gtm server all)
- iQuery (tmsh show /gtm iquery all)
- GTM (tmsh show /gtm)
3. /var/log/gtm
4. Verify the big3d version
# /usr/sbin/big3d -v (default big3d agent)
# /shared/bin/big3d -v (executable file)
5. Check the iQuery processes
# netstat -nap | grep 4353
6. iqdump utility (run from the GTM)
iqdump 10.10.10.20 <sync_group_name>
• If the iQuery channel is not established, iqdump reports an error such as:
46947856243768:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1168:
• If the iQuery channel is established, iqdump returns XML similar to the following example:
<!-- Local hostname: lc1.example.com -->
<!-- Connected to big3d at: ::ffff:10.10.10.10:4353 -->
<!-- Subscribing to syncgroup: default -->
<!-- Tue May 6 09:55:43 2014 -->
<xml_connection>
<version>11.5.1</version>
<big3d>big3d Version 11.5.1.0.0.110</big3d>
7. Verify the device certificate
openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt
- Verify the certificate validity date and confirm whether the certificate is expired.
- If necessary, renew the certificate. To do so, refer to K6353: Updating an SSL device certificate on a BIG-IP system.
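The big3d version requirement from the iQuery requirements and the iqdump output in step 6, as an added example that is not part of the original slides: a POSIX sh script that classifies captured iqdump output (established, certificate error, or no channel), extracts the remote big3d version from the XML, and applies the rule that the monitored BIG-IP must run the same or a newer big3d than the GTM probing it. The sample iqdump output and the local version string are constructed from the output shapes shown on the slides, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides). Inputs are text captured from
# "iqdump <ip> <syncgroup>" and the version string read from "big3d -v";
# the samples below are constructed, not real device output.

IQDUMP_OK='<!-- Local hostname: gtm1.example.com -->
<!-- Connected to big3d at: ::ffff:10.10.10.10:4353 -->
<!-- Subscribing to syncgroup: default -->
<xml_connection>
<version>11.5.1</version>
<big3d>big3d Version 11.5.1.0.0.110</big3d>'

IQDUMP_FAIL='46947856243768:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1168:'

LOCAL_BIG3D='11.5.1'   # constructed: version of big3d on the local GTM

# Print the big3d version advertised in iqdump XML; prints nothing if absent.
iqdump_big3d_version() {
  sed -n 's/.*<big3d>big3d Version \([0-9.]*\)<\/big3d>.*/\1/p' | head -n 1
}

# Classify an iqdump run read from stdin: established, cert-error or no-channel.
iqdump_status() {
  text=$(cat)
  if printf '%s\n' "$text" | grep -q 'certificate verify failed'; then
    echo cert-error
  elif printf '%s\n' "$text" | iqdump_big3d_version | grep -q .; then
    echo established
  else
    echo no-channel
  fi
}

# Compare two dotted numeric versions field by field (missing fields count as 0).
# Prints -1, 0 or 1 as "$1" is lower than, equal to or higher than "$2".
vercmp() {
  a=$1.; b=$2.
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Succeeds when the remote big3d ($1) is the same as or newer than the local one ($2).
big3d_compatible() {
  [ "$(vercmp "$1" "$2")" != -1 ]
}

# Stand-alone demonstration on the constructed samples.
printf 'iqdump run 1: %s\n' "$(printf '%s\n' "$IQDUMP_OK" | iqdump_status)"
printf 'iqdump run 2: %s\n' "$(printf '%s\n' "$IQDUMP_FAIL" | iqdump_status)"
remote=$(printf '%s\n' "$IQDUMP_OK" | iqdump_big3d_version)
if big3d_compatible "$remote" "$LOCAL_BIG3D"; then
  printf 'remote big3d %s is same or newer than local %s: OK\n' "$remote" "$LOCAL_BIG3D"
else
  printf 'remote big3d %s is older than local %s: run big3d_install\n' "$remote" "$LOCAL_BIG3D"
fi
```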
Prober pool
A collection of devices that perform monitor probes of servers to gather data about the health and performance
of the resources on those servers.
By default, the members of a GTM sync group dynamically determine the best BIG-IP device within the sync
group configuration to use as the prober for the non-BIG-IP device server objects. Devices defined within the
same data center as the server object to be probed are preferred. If no local prober is available, a remote
prober is used.
Debugging
To enable debugging
tmsh modify /sys db log.gtm.level value debug
tmsh modify /sys db log.big3d.level value debug
tmsh modify /sys db gtm.debugprobelogging value enable
To disable debugging (return the log levels to the default of notice)
tmsh modify /sys db log.gtm.level value notice
tmsh modify /sys db log.big3d.level value notice
tmsh modify /sys db gtm.debugprobelogging value disable
Collect a qkview and a full tarball of the logs for review.
# qkview -s0
# tar -czvpf /var/tmp/$HOSTNAME-logs.tgz /var/log
Configure Decision Logging
https://devcentral.f5.com/articles/configuring-decision-logging-for-the-f5-big-ip-global-traffic-manager
• Modify WIP(s) to enable LB Decision Logging
• Log Publisher
• DNS Logging Profile
• Custom DNS Profile and attach the logging profile
• Apply the DNS Profile to the Listener
DNS Express
Allows the BIG-IP to:
• Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
• Perform a zone transfer from the local BIND server on the BIG-IP system.
• Serve DNS records faster than the primary DNS servers and the local BIND server.
K15298: Overview of the dnsxdump utility
You can use the dnsxdump utility to view the DNS Express database information, which includes zone
information and statistics.
• The DB Dump section of the dnsxdump utility output displays the zone information for all configured DNS
Express zones.
• The DB Stats section of the dnsxdump utility output displays a cumulative count of records for all configured
DNS Express zones.
dnsxdump > /var/tmp/my_zones.txt
ZoneRunner
Managing the BIG-IP BIND configuration file
The ZoneRunner utility is used to manage both the DNS zone files and the BIND configuration file on the BIG-IP
GTM system:
• Import and transfer DNS zone files
• Manage zone resource records
• Manage views
• Manage a local nameserver and the associated configuration file, named.conf
• Transfer zone files to a nameserver
• Import only primary zone files from a nameserver
By default, BIG-IP GTM secures BIND so that it does not allow zone transfers except from localhost.
To allow transfers to the GTM, modify the allow-transfer statement to include the IP address of the GTM,
for example:
DNS > Zones > ZoneRunner > named Configuration
allow-transfer { localhost; 192.168.10.105; }
To verify that zone transfers are working properly:
# dig @<IP address> es.net. axfr
Directory where the zone files are stored:
# cd /var/named/config/namedb/
Check the named configuration
K7032: Freezing zone files to allow manual update to ZoneRunner-managed zone files
All changes made to a zone using dynamic update are written to the zone's journal file.
When the BIG-IP DNS system restarts after a shutdown, the system replays the journal file to incorporate any
updates that took place after the last zone file update into the zone.
Dynamic update periodically flushes the complete contents of the updated zone to its zone file and
automatically deletes the journal file.
i. cd /var/named/config/namedb
ii. cp <zone_filename> <zone_filename>.original
iii. bigstart stop zrd
iv. rndc freeze <zone name> <class> <view>
v. Manually edit the zone for any changes
vi. rndc sync -clean
vii. Run the named-checkzone command to check the file for any syntax errors
• named-checkzone askf5.net db.external.askf5.net
• named-checkconf -t /var/named -z -j /config/named.conf
viii. rndc thaw <zone name> <class> <view>
ix. bigstart start zrd
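Added example, not from the slides, tying the sample zone file to the freeze/edit/thaw procedure above: a manually edited zone is only pulled by secondaries (and by DNS Express) when its SOA serial has increased, so this POSIX sh script reads the serial from a constructed copy of the sample zone, computes the next date-based (YYYYMMDDnn) serial, and rewrites it before the named-checkzone and rndc thaw steps. The zone text and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides). ZONE is a constructed, trimmed copy of
# the sample zone file; on a BIG-IP the file would live under
# /var/named/config/namedb/ and be edited between "rndc freeze" and "rndc thaw".

ZONE='$TTL 86400 ; 24 hours
$ORIGIN example.com.
@ 1D IN SOA ns1.example.com. hostmaster.example.com. (
 2002022401 ; serial
 3H ; refresh
 15 ; retry
 1w ; expire
 3h ; nxdomain ttl
 )
 IN NS ns1.example.com.
ns1 IN A 192.168.0.1
www IN A 192.168.0.2'

# Print the SOA serial from zone text on stdin: the first all-digit token at or
# after the "IN SOA" line, ignoring anything after a ";" comment marker.
zone_serial() {
  awk '
    { sub(/;.*/, "") }
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }
  '
}

# Compute the serial to write after a manual edit. Date-based serials are
# YYYYMMDDnn; if the current serial is already at or past today's base value
# (for example after several edits on the same day), add one instead.
next_serial() {
  cur=$1; today=$2            # today as YYYYMMDD
  base=$((today * 100))
  if [ "$cur" -lt "$base" ]; then
    printf '%s\n' "$base"
  else
    printf '%s\n' $((cur + 1))
  fi
}

# Rewrite zone text on stdin with a new serial, replacing the first all-digit
# token at or after the SOA line (stopping at a ";" comment on each line).
set_zone_serial() {
  awk -v new="$1" '
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa && !done {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^;/) break
        if ($i ~ /^[0-9]+$/) { $i = new; done = 1; break }
      }
    }
    { print }
  '
}

# Stand-alone demonstration: current serial, next serial for today, rewrite.
cur=$(printf '%s\n' "$ZONE" | zone_serial)
new=$(next_serial "$cur" "$(date +%Y%m%d)")
printf 'current serial %s -> next serial %s\n' "$cur" "$new"
printf 'serial after rewrite: %s\n' "$(printf '%s\n' "$ZONE" | set_zone_serial "$new" | zone_serial)"
# After writing the file, run named-checkzone as in step vii before rndc thaw.
```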
Behaviour of zrd
- When a new DNS Express zone is added, the zone data is written to zxfrd.bin
- It is then copied from zxfrd.bin to zxfrd-tmp.bin (15-second timer)
- zxfrd-tmp.bin is renamed to tmmdns.bin (the database)
- TMM then reloads the database from tmmdns.bin
- On VIPRION, csyncd monitors tmmdns.bin for any changes
- csyncd triggers TMM to reload on the primary blade and then propagates the database to the other blades
To rebuild the database from scratch (bigstart stop with no service name stops all BIG-IP services, so traffic is interrupted):
# bigstart stop
# rm -rf /var/db/{tmmdns.bin,zxfrd.bin}
# bigstart start
To enable zxfrd debug logging:
tmsh modify sys db log.zxfrd.level value debug
Collect a qkview and a full tarball of the logs for review.
# qkview -s0
# tar -czvpf /var/tmp/$HOSTNAME-logs.tgz /var/log