02-15-2020 04:26 PM
I'm now deploying a lab to integrate Infoblox as the primary name server and delegate a zone to the GSLB service on F5. After creating a delegation zone and testing from the client side, I can see that Infoblox already gave the NS record and the IP of the F5, but the client does not resolve the A record of the queried domain.
Could you please give me advice on integrating Infoblox with a delegated zone to the F5 GSLB service?
02-17-2020 04:03 AM
Is the client querying the Infoblox DNS server directly, or is there another resolver/recursive DNS server in between? If the client is querying directly, then you'll need to have recursion enabled on the Infoblox DNS server (clients usually don't contact the authoritative DNS server directly when they get a referral response). With recursion enabled, NIOS will try to resolve the query and then answer the client for delegations.
Moreover, you may also need to enable the "Don't use forwarders to resolve queries in subzones" option in the parent authoritative zone of the delegation for the NIOS server to be able to contact the F5 properly. Edit the parent zone and check the "Settings" tab to find this option.
02-19-2020 03:30 AM
Thanks for the response. In this case the client is querying the Infoblox directly. What if the Infoblox is set on the public, so it will become an open recursive DNS? Or do you have any suggestion on it? And what if any resolver/recursive name server is present between the PC and Infoblox?
02-19-2020 04:12 AM
If the client is querying directly, then it won't work if recursion is disabled (assuming it's just a normal client). Typically clients expect the final answer from their DNS provider.
If the Infoblox appliance is public, I'd think twice about turning on recursion unless it's an ISP DNS server or for a similar application. If you really need it, there is an option to enable recursion for specific IPs/networks/TSIG keys. Also, you can enable recursion for DNS Views individually, so if you have Internal (corporate) and External (public) views, you need to have recursion on the View that the client falls in. Typically, most grids have recursion enabled on the Internal view and have it disabled on the External view.
If there is a resolver/recursive NS in between the client and IB, then that server is expected to contact the F5 after it learns of the referral (delegation). Also, the delegation is an 'NS' record, so the recursive NS should be able to resolve the name mentioned in the 'NS' record response from IB. It does not consider the 'Additional' section in the NS record response; most name servers will try to resolve the A record separately.
External (internet) clients will usually have their own recursive DNS provider, like 18.104.22.168, 22.214.171.124 or the DNS servers provided by their ISP/organization, so that way public-facing DNS views don't need to have recursion enabled.
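An added illustration, not part of the original thread and not Infoblox or F5 code: the Python sketch below classifies a DNS response the way the replies describe it. With recursion off, the client gets only a referral (NS in the authority section, RA flag clear); with recursion on, it gets the final answer and RA is set. The zone names, addresses and both sample messages are constructed for the example.

```python
import struct

def qname(name):
    """Encode a domain name as uncompressed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def rr(name, rtype, rdata, ttl=300):
    """Encode one resource record (class IN)."""
    return qname(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def skip_name(msg, off):
    """Return the offset just past the name at off (stops at root label or pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(msg):
    """Classify a DNS response and report whether the server offers recursion (RA)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    ra, aa, rcode = bool(flags & 0x0080), bool(flags & 0x0400), flags & 0xF
    if rcode:
        return {"kind": "refused" if rcode == 5 else "error", "ra": ra}
    if an:
        return {"kind": "answer", "ra": ra}
    off = 12
    for _ in range(qd):                      # skip the question section
        off = skip_name(msg, off) + 4        # name, then QTYPE + QCLASS
    if ns and not aa:
        off = skip_name(msg, off)            # owner name of first authority RR
        (rtype,) = struct.unpack("!H", msg[off:off + 2])
        if rtype == 2:                       # NS in authority with AA clear: delegation
            return {"kind": "referral", "ra": ra}
    return {"kind": "nodata", "ra": ra}

# Constructed sample messages (hypothetical names, RFC 5737 addresses), not captured traffic.
Q = qname("www.gslb.example.com") + struct.pack("!HH", 1, 1)
REFERRAL = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 1) + Q
            + rr("gslb.example.com", 2, qname("f5.example.com"))
            + rr("f5.example.com", 1, bytes([192, 0, 2, 53])))
RECURSED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + Q
            + rr("www.gslb.example.com", 1, bytes([192, 0, 2, 10])))

if __name__ == "__main__":
    print(classify(REFERRAL), classify(RECURSED))
```

For a public-facing view, a query from an outside address should come back as `referral` (or `refused`) with `ra` false; `ra` true there means the view is offering recursion to that source.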