Forum Discussion
BIG IP DNS - Question about Slave zones and security
I have 2 standalone Big-IP boxes running DNS, replicating with each other. They are in a sync group, so I understand how the records are replicated between the two. We also utilize our ISP's DNS to host slave zones on their servers. I have been trying to get a better understanding of how this works by reading "https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0.pdf?sr=53419323". I have also run some tests with dnsstuff.com and found some areas that need attention.
From what I understand, we need to use the allow-transfer configuration, which I was able to find in the ZoneRunner named configuration, listed below. It also appears that we need to use also-notify, which I have not found in my named config.
directory "/config/namedb";
allow-transfer {
    xxx.xxx.xxx.xxx;   // ISP IP
    xxx.xxx.xxx.xxx;   // Local Host IP
    localhost;
};
So my questions are:
1) I don't understand why I would list the IP address along with localhost in the allow-transfer. Is there a need for this? Shouldn't localhost cover everything?
2) I can't find the also-notify setting anywhere. I know our slave zones at the ISP are updating, but I don't know how this is working without the notify statement. Is this automatic? Do slave zones check on their own? If I add the notify statement, what does it look like: the same as in the document (shown below), or do you need to put in the IP of the device you want to notify? Where does also-notify go in my named config settings?
also-notify { ::1 port 5353; };
3) I know the serial number on the zones is incrementing on changes and working with our slave zones. Is this automatic, or is there a setting in BIG-IP that controls this?
4) DNS stuff lists our servers as Stealth Nameservers and states that this means one or more nameservers are not listed at both the parent and the authoritative nameserver. I am still trying to figure out exactly what this means.
5) DNS stuff reports that our servers are listing the software version, which should be turned off. How do we do this in BIG IP?
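As an added illustration that is not part of the original post and not taken from F5's documentation, the block below shows standard BIND 9 `named.conf` syntax for the three hardening points the questions raise: restricting zone transfers to named secondaries, sending NOTIFY messages to them explicitly, and hiding the server version string. The ACL name and the addresses are constructed placeholders, and whether a ZoneRunner-managed configuration accepts every one of these statements in the `options` block is an assumption this page does not confirm.

```conf
// Constructed example of plain BIND 9 syntax; ACL name and addresses are placeholders.
acl "secondaries" {
    192.0.2.53;        // placeholder: the ISP's secondary (slave) server
    198.51.100.53;     // placeholder: the other BIG-IP DNS box
    localhost;         // transfers initiated from this host itself
};

options {
    directory "/config/namedb";

    // Only hosts in the ACL may pull a full (AXFR) or incremental (IXFR) copy
    // of a zone. Left open, anyone can enumerate every record in the zone.
    allow-transfer { secondaries; };

    // Send NOTIFY to the listed hosts in addition to the zone's NS records, so
    // they pull the new serial promptly instead of waiting for the SOA refresh.
    notify yes;
    also-notify { 192.0.2.53; 198.51.100.53; };

    // Answer version.bind CHAOS queries with a fixed string, not the real version.
    version "not disclosed";
};
```

`also-notify` is accepted either globally in `options` or inside an individual `zone` block, where the per-zone list overrides the global one. Even with no `also-notify` at all, a secondary still re-checks the primary's SOA serial on the refresh interval from the SOA record, so slaves will eventually pick up a changed serial; NOTIFY only makes that happen sooner. To confirm the version string is hidden, query the server for the `version.bind` TXT record in the CHAOS class (for example with `dig`) and check that the answer is the configured string rather than a real version number.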