GTM Overview
- DNS Express: a high-speed authoritative DNS engine inside TMM that answers from an in-memory copy of zones transferred (AXFR/IXFR) from a back-end server; its capacity lets it absorb DDoS traffic against DNS services, such as UDP/DNS/NXDOMAIN floods and DNSSEC attacks
- Windows DNS or Infoblox can be the authoritative back-end (the zone source DNS Express transfers from) when the authoritative service is run internally
- ZoneRunner (the GTM utility that manages the local BIND zone files) is the authoritative service when GTM itself hosts the zones internally
- GTM Load balancing methods
- Static
- Dynamic
- Virtual Server Score
- Distributes DNS name resolution requests to virtual servers on LTM based on a user-defined ranking. Use Virtual Server Score only with LTM systems on which you have assigned a score to each virtual server
- Virtual Server Capacity
- Distributes DNS requests to the virtual servers in a list that is weighted by the number of available virtual servers in each pool.
- The pool with the most available virtual servers is sent more requests; however, over time all the virtual servers in all the pools are sent requests.
- If more than one virtual server has the same weight, GTM distributes DNS requests among those virtual servers using the round-robin load balancing method.
Command line tools
- Verify that the DNS Express zone transfer succeeded
- Use "tail -f /var/log/ltm" (tmm logs the transfer result there)
- Look for an entry such as: "AXFR transfer of zone abc.com from 1.2.3.4 succeeded"
- Use the "dnsxdump" utility
- It dumps the DNS Express database and shows the records that were transferred from the back-end authoritative server (for example BIND) to the BIG-IP once DNS Express is configured correctly
- Diagnose iQuery functionality issues
- Use "iqdump <IP of the remote BIG-IP>": it displays the iQuery traffic from that device; a connection error or no output means the iQuery channel (TCP port 4353, gtmd talking to big3d) is not established
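Added example (not from the original notes and not an F5 tool): a small Python scan of /var/log/ltm lines for the AXFR entry quoted above. The sample log lines, their syslog prefix, the "failed" variant of the message and the EXPECTED_MASTERS table are constructed for the example. The point is to check not only that a transfer succeeded, but that the latest result per zone is a success and that it came from the server the zone is configured to transfer from.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not from a real system). The phrase
# "AXFR transfer of zone <zone> from <ip> succeeded" is the entry the notes
# say to look for; the syslog prefix and the "failed" variant are assumptions
# about how the surrounding line looks.
SAMPLE_LTM_LOG = """\
Jan 12 10:01:03 bigip1 notice tmm[1234]: AXFR transfer of zone abc.com from 1.2.3.4 succeeded
Jan 12 10:01:09 bigip1 notice tmm[1234]: AXFR transfer of zone corp.example from 10.9.9.9 succeeded
Jan 12 10:02:15 bigip1 warning tmm[1234]: AXFR transfer of zone abc.com from 1.2.3.4 failed
Jan 12 10:03:00 bigip1 notice tmm[1234]: unrelated message that must be ignored
"""

# Hypothetical configuration: the server each DNS Express zone is supposed to
# transfer from. A successful transfer from any other address is flagged.
EXPECTED_MASTERS = {
    "abc.com": "1.2.3.4",
    "corp.example": "10.1.1.1",
    "missing.example": "10.2.2.2",
}

AXFR_RE = re.compile(
    r"AXFR transfer of zone (?P<zone>\S+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<result>succeeded|failed)\b"
)


def parse_axfr_lines(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (zone, source_ip, result) for every AXFR line, in log order."""
    matches = map(AXFR_RE.search, log_text.splitlines())
    return [m.group("zone", "src", "result") for m in matches if m]


def check_transfers(log_text: str, expected: Dict[str, str]) -> Dict:
    """Summarise the log: latest result per zone plus two findings to act on.

    - unexpected_source: a transfer succeeded from an IP that is not the
      configured master for that zone (misconfiguration, or the wrong server
      is feeding DNS Express)
    - never_transferred: configured zones with no transfer line at all
    """
    last_result: Dict[str, str] = {}
    unexpected: List[Tuple[str, str]] = []
    for zone, src, result in parse_axfr_lines(log_text):
        last_result[zone] = result  # later lines overwrite earlier ones
        if result == "succeeded" and expected.get(zone) != src:
            unexpected.append((zone, src))
    never = sorted(z for z in expected if z not in last_result)
    return {
        "last_result": last_result,
        "unexpected_source": unexpected,
        "never_transferred": never,
    }


if __name__ == "__main__":
    print(check_transfers(SAMPLE_LTM_LOG, EXPECTED_MASTERS))
```

Because the log is read in order, a zone whose last line is "failed" (abc.com above) is reported as failed even though an earlier transfer succeeded, which is what you want to see when tailing the log after a configuration change.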
- DIG info
- Response header
- Flags
- AA: Authoritative Answer (the responding server is authoritative for the name)
- TC: Truncation (the response was cut to fit the UDP size limit; retry over TCP)
- RD: Recursion Desired (set by the client in the query and copied into the response)
- RA: Recursion Available (set by the server in the response if it offers recursive lookups)
- AD: Authentic Data (DNSSEC only; set by a validating resolver to indicate that the data was authenticated)
- CD: Checking Disabled (DNSSEC only; set by the client to tell the resolver not to perform DNSSEC validation)
- Response code
- 0 = NOERROR, no error
- 1 = FORMERR, format error (the server could not interpret the query)
- 2 = SERVFAIL, server failure (the name server had a problem processing the query; also what a validating resolver returns when DNSSEC validation fails)
- 3 = NXDOMAIN, the domain name does not exist
- 4 = NOTIMP, the requested kind of query is not implemented
- 5 = REFUSED, refused for policy reasons (e.g., a zone transfer request from a host that is not allowed to transfer the zone)
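The flags and response code listed above are bit fields in the second 16-bit word of the DNS message header (RFC 1035 section 4.1.1; AD and CD were added by the DNSSEC RFCs). The following Python is an added illustration, not part of the original notes or of any F5 or BIND tool: it decodes that header and also rebuilds it so that two sample responses can be constructed without network access. The message IDs and section counts are made up.

```python
import struct
from typing import Dict, List

# Bit positions inside the 16-bit flags word (bit 15 is the most significant).
# Bits 14-11 hold OPCODE, bit 6 is the reserved Z bit, bits 3-0 hold RCODE.
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def decode_header(msg: bytes) -> Dict:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, word, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "opcode": word >> 11 & 0xF,
        # Names of the single-bit flags that are set, in header bit order
        "flags": [name for name, bit in FLAG_BITS.items() if word >> bit & 1],
        "rcode": RCODE_NAMES.get(word & 0xF, "RCODE%d" % (word & 0xF)),
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def build_header(ident: int, flags: List[str], rcode: int = 0,
                 counts=(1, 0, 0, 0)) -> bytes:
    """Inverse of decode_header; used here only to construct sample messages."""
    word = sum(1 << FLAG_BITS[f] for f in flags) | (rcode & 0xF)
    return struct.pack("!6H", ident, word, *counts)


# Constructed sample headers (not captured traffic): a validated answer from a
# recursive resolver (QR, RD copied back, RA, AD), and the REFUSED answer an
# authoritative server returns to a zone-transfer request it does not allow.
VALIDATED_ANSWER = build_header(0xBEEF, ["QR", "RD", "RA", "AD"], 0, (1, 2, 0, 1))
REFUSED_AXFR = build_header(0x1234, ["QR", "AA"], 5, (1, 0, 0, 0))

if __name__ == "__main__":
    for sample in (VALIDATED_ANSWER, REFUSED_AXFR):
        print(decode_header(sample))
```

The "flags:" line dig prints is exactly this decoding in lower case (for VALIDATED_ANSWER dig would show "flags: qr rd ra ad; ... status: NOERROR"), so the function can be pointed at the first 12 bytes of any packet capture to check a response without dig.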
- How to test DNSSEC validation with dig (query a validating resolver with +dnssec, which sets the DO bit so that signatures are returned)
- A DNSSEC-signed domain validates correctly: status NOERROR with the AD flag set in the response
- The RRSIG record is returned together with the A record
- A domain with broken DNSSEC does not validate: the resolver returns SERVFAIL (repeat the query with +cd; if it then succeeds, the failure was DNSSEC validation rather than an unreachable authoritative server)
- Non-DNSSEC domains resolve normally (NOERROR, no AD flag, no RRSIG)
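Added example, not part of the original notes and not F5 or ISC code: a Python parser for dig's text output that maps a +dnssec response onto the three outcomes listed above (validated, validation failed, unsigned). The three dig outputs are constructed to match dig's layout; the zone names, resolver address, IDs and signature data are hypothetical.

```python
import re
from typing import Dict

# Constructed dig output (not captured from a real resolver), in the shape of
#   dig @192.0.2.53 +dnssec <name> A
SIGNED_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> @192.0.2.53 +dnssec signed.example A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;signed.example.            IN  A

;; ANSWER SECTION:
signed.example.     300 IN  A       192.0.2.10
signed.example.     300 IN  RRSIG   A 13 2 300 20240201000000 20240101000000 12345 signed.example. c29tZS1zaWduYXR1cmU=
"""

BROKEN_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> @192.0.2.53 +dnssec broken.example A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;broken.example.            IN  A
"""

UNSIGNED_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> @192.0.2.53 +dnssec unsigned.example A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
unsigned.example.   300 IN  A       198.51.100.7
"""


def parse_dig(output: str) -> Dict:
    """Extract status, header flags and the ANSWER section records from dig output."""
    parsed: Dict = {"status": None, "flags": set(), "answer": []}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current section
            section = None
        elif line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            parsed["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flag_part = line[len(";; flags:"):].split(";", 1)[0]
            parsed["flags"] = set(flag_part.split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]  # "QUESTION", "ANSWER", ...
        elif line.startswith(";"):        # other comments, question line
            continue
        elif section == "ANSWER":
            name, ttl, rclass, rtype, *rest = line.split(None, 4)
            parsed["answer"].append({"name": name, "ttl": int(ttl), "class": rclass,
                                     "type": rtype, "rdata": rest[0] if rest else ""})
    return parsed


def classify_dnssec(parsed: Dict) -> str:
    """Map a parsed +dnssec response onto the outcomes listed in the notes."""
    answer_types = {rr["type"] for rr in parsed["answer"]}
    if parsed["status"] == "SERVFAIL":
        return "validation-failed"       # confirm with a +cd re-query
    if parsed["status"] != "NOERROR":
        return "other:%s" % parsed["status"]
    if "ad" in parsed["flags"]:
        # AD without RRSIG usually means the query was sent without +dnssec
        return "validated" if "RRSIG" in answer_types else "validated-but-no-rrsig"
    return "unsigned"


if __name__ == "__main__":
    for out in (SIGNED_OUTPUT, BROKEN_OUTPUT, UNSIGNED_OUTPUT):
        print(classify_dnssec(parse_dig(out)))
```

Two caveats when using this for real: the AD bit is set by the resolver, not by the zone, so it only proves something if dig is talking to a resolver you trust over a path you trust; and a SERVFAIL alone is ambiguous until the same query with +cd (Checking Disabled) returns NOERROR, which shows that the authoritative data was reachable and it was validation that failed.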
- GTM Default DNS Query Order
- DNS Express
- DNS Cache
- BIND