Forum Discussion

HosseinAmery's avatar
HosseinAmery
Icon for Nimbostratus rankNimbostratus
Dec 06, 2023

DNS Express Off-Box IXFR Takes About 20 Seconds

Hello. I have 2 BIG IP boxes in a HA cluster running (BIG-IP 17.0.0.2 Build 0.0.2 Point Release 2). I've set up DNS Express for an off-box BIND server. AXFR works great, but upon making a change in ...
application delivery
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Dec 08, 2023

Hi HosseinAmery,

Frequent DNS Express zone transfers prevent updated zone data from becoming available.

DNS Express performs a zone transfer more frequently than every 15 seconds.

Have you tried using dnsxdump in BASH mode

The dnsxdumputility displays the DNS Express database information.

 

The dnsxdump utility outputs directly to the console. If you have a large number of zones, or zone resource records, you can redirect the output to a text file for later review in your preferred text editor.

For example, to redirect the output to /var/tmp/my_zones.txt you would type the following command:

dnsxdump > /var/tmp/my_zones.txt

 

To see or troubleshoot zone transfers, we can refer to the /var/log/ltm log file. A quick examination of the log should show a successful zone transfer in the lab:

#tail -100 /var/log/ltm | grep zxfrd

Can you also check

dnsexpress.notifyport <value>

dnsexpress.xfrnotifydelay <value>

default value is 5 seconds

root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db dnsexpress.xfrnotifydelay
sys db dnsexpress.xfrnotifydelay {
value "5"
}

This DB variable controls the delay in seconds between the time the zxfrd process receives a DNS Notify message from the authoritative DNS server and the time it schedules an AXFR/IXFR.
Note: This does not mean the zone transfer occurs immediately after this delay as the start of the zone transfer also depends on the load on the BIG-IP system, the authoritative DNS server and the network between them; as well as the size of the zone transfer.

The zxfrd process manages zone transfers and writes to the zone database files. When it receives an update request, it initiates a zone transfer to the authoritative DNS server. The results of the zone transfer are then committed to the zone DB.
The zxfrd process may restart and produce a core file if:
An active zone transfer is interrupted
The interruption is between the BIG-IP system and the DNS server
The interruption is caused by a network outage
The zxfrd process may also produce a core file and restart when:
Importing a zone file that contains a WINS RR

The zxfrd process manages zone transfers and writes to the zone database files.
zxfrd listens on ::1:5353
Zone transfer uses tcp:53

search for

tailf /var/log/gtm | grep zxfrd
tmsh show ltm dns dns-express

If DNS Express not initiating Zone Transfer after receiving DNS Notify Please Verify Notify TSIG option is enabled (by default) in the DNS Express zone and waits for the TSIG key (transaction signature) to be sent from the Authoritative DNS Server

Else
Disable the Verify Notify TSIG option on the DNS zone. With this configuration, DNS Express can process a NOTIFY message without a TSIG key, even when a subsequent zone transfer requires a TSIG key.


https://my.f5.com/manage/s/article/K15468995

K45411181: Configuring DNS Express using tmsh

https://my.f5.com/manage/s/article/K45411181

Hope this Helps

🙏