GTM Overview

  • DNS Express (can be used to mitigate DDoS attacks on DNS services, such as UDP/DNS/NXDOMAIN floods and DNSSEC attacks)
  1. Windows/Infoblox as authoritative service if used internally
  2. ZoneRunner is authoritative service if GTM is used internally
  • GTM Load balancing methods
    • Static
    • Dynamic
      • Virtual Server Score
        • Distributes DNS name resolution requests to virtual servers on LTM based on user-defined ranking. Use VS Score only on LTM systems on which you have assigned scores to each virtual server
      • Virtual Server Capacity
        • Distributes DNS requests to a list of virtual servers, weighted by the number of available virtual servers in each pool.
        • The pool with the most available virtual servers is sent more requests; however, over time all the virtual servers in all the pools are sent requests.
        • If more than one VS has the same weight, then GTM distributes DNS requests among those virtual servers using the round-robin load balancing method.

Command line tools

  • Verify if DNS transfer was successful
    • Use “tail -f /var/log/tm”
      • Check for an entry indicating:
        • “AXFR transfer of zone abc.com from 1.2.3.4 succeeded”
    • Use “dnsxdump” utility
      • It displays the names that were transferred from BIND to BIG-IP when DNS Express is properly configured
  • Diagnose iQuery functionality issues
    • iqdump
  • DIG info
    • Response header
      • Flags
        • AA – Authoritative Answer
        • TC – Truncation
        • RD – Recursion Desired (set in a query and copied into the response if recursion is supported)
        • RA – Recursion Available (for DNSSEC only; indicates that the data was authenticated)
        • CD – Checking Disabled (DNSSEC only; disables checking at the receiving server)
      • Response code
        • 0 = NOERROR, no error
        • 1 = FORMERR, format error (unable to understand the query)
        • 2 = SERVFAIL, name server problem
        • 3 = NXDOMAIN, domain name does not exist
        • 4 = NOTIMPL, not implemented
        • 5 = REFUSED (e.g., refused zone transfer requests)
  • How to test DNSSEC validation with dig
    1. DNS domains that are DNSSEC signed validate correctly
      1. AD flag set in the response
      2. RRSIG included in the response to an A record query
    2. DNS domains with broken DNSSEC fail validation (SERVFAIL)
    3. Non-DNSSEC domains resolve normally
  • GTM Default DNS Query Order
    • DNS Express
    • DNS Cache
    • BIND
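To apply the three-case DNSSEC validation test above to captured dig output, here is an added example (not part of the original notes or any F5 tool) that parses the header status, the flags line and the ANSWER SECTION; the three dig outputs are constructed samples with placeholder names, IDs and signature data.

```python
import re

# Constructed dig outputs (trimmed to the lines the parser needs), one per case:
# a signed zone answered by a validating resolver, a zone with broken DNSSEC,
# and an unsigned zone. Names, query IDs and the RRSIG blob are placeholders.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
signed.example.\t300\tIN\tA\t192.0.2.10
signed.example.\t300\tIN\tRRSIG\tA 13 2 300 20300101000000 20250101000000 12345 signed.example. c29tZXNpZw==
"""
BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
plain.example.\t300\tIN\tA\t192.0.2.20
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)

def parse_dig(output):
    """Return (status, set of header flags, whether an RRSIG record was answered)."""
    status = STATUS_RE.search(output).group(1)
    flags = set(FLAGS_RE.search(output).group(1).split())
    # dig prints each answer record tab-separated; the record type is the 4th field.
    has_rrsig = any(line.split("\t")[3:4] == ["RRSIG"]
                    for line in output.splitlines() if "\t" in line)
    return status, flags, has_rrsig

def classify(output):
    """Map one dig response to the DNSSEC outcome the notes describe."""
    status, flags, has_rrsig = parse_dig(output)
    if status == "SERVFAIL":
        # Expected for broken DNSSEC. SERVFAIL is also a generic server error:
        # re-run the query with +cd; if it then answers, validation was the cause.
        return "bogus"
    if status != "NOERROR":
        return "error:" + status
    if "ad" in flags and has_rrsig:
        return "secure"          # signed and validated by the resolver
    if has_rrsig:
        return "unvalidated"     # signed, but the resolver did not validate it
    return "insecure"            # unsigned zone, resolved normally
```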