Forum Discussion
Jun 27, 2013
DNSX/DNScache use for a recursive secondary DNS service
Hello,
I have been preparing a proof of concept DNS setup using F5 devices and would like your input.
Goal: run as a secondary DNS cluster for a large population of servers and workstations (both Windows and Linux). Primary DNS servers are mostly domain controllers; their load should be as low as possible. Requests will be mostly recursive; answer records may be in the zone transferred to the F5, but not all will.
Current setup: a pair of 3600s running TMOS 11.2.1 HF6, provisioning LTM dedicated for now; the license allows for the GTM module as well.
ltm virtual test_udp {
    destination x.x.x.x:domain
    ip-protocol udp
    mask 255.255.255.255
    pool PrimaryNS_53
    profiles {
        dns-x { }
        udp_gtm_dns { }
    }
    rules {
        dnsx_bypass
    }
    snat automap
    translate-port disabled
    vlans-disabled
}
ltm profile dns dns-x {
    app-service none
    cache transparent_cache
    defaults-from dns
    dns64 disabled
    enable-cache yes
    enable-dns-express yes
    enable-dnssec no
    enable-gtm yes
    process-rd yes
    unhandled-query-action allow
    use-local-bind no
}
ltm dns cache transparent transparent_cache {
    dnssec-on-miss no
}
ltm rule dnsx_bypass {
    when DNS_REQUEST {
        # Let AAAA queries pass untouched for now.
        if { [DNS::question type] == "AAAA" } {
            log "[DNS::question name] [DNS::question type] : no one cares yet"
            return
        }
        # Ask DNS Express what it would answer for this question.
        set rrsl [DNS::query dnsx [DNS::question name] [DNS::question type]]
        # Count answer-section RRs whose type matches the question type.
        set cnt 0
        foreach rr [lindex $rrsl 0] {
            if { [DNS::type $rr] == [DNS::question type] } { incr cnt }
        }
        if { $cnt == 0 } {
            # No usable answer in DNSX: disable it so the request falls
            # through to the pool members.
            log "[DNS::question name] [DNS::question type] DNSX KO : missing answer RR of the correct type"
            DNS::disable dnsx
        } else {
            log "[DNS::question name] [DNS::question type] DNSX OK"
        }
    }
}
What this taught me:
- DNSX does NOT handle requests for domains it holds no authority over well: CNAME requests get no A records if the canonical name is not in a DNSX zone, and it answers with the NS records of the relevant root for any request for unknown records. Unless I am mistaken, this is BY DESIGN. These requests do not even reach the DNS Cache stage: they go straight to the servers you may have set in the pool of your virtual server, unless unhandled-query-action says otherwise, but most options are not that useful for this case.
- Setting the process-rd switch to no basically disables everything, since every single request is recursive nowadays. I expected this to intelligently query DNSX to answer what it can and forward what it cannot to the cache and other stages.
- The difference between transparent and resolver cache is not clear at all to me; maybe the documentation could be improved.
- The DNS profile configuration is crucial to which stages the DNS request will go through, but I could not build a completely accurate picture of the flow: if I check use-local-bind, will BIND get queried before or after the Cache? The DNSX?
- The iRule I pasted is my attempt to make my setup handle recursive requests while keeping some of the DNSX and Cache functionality. I should be making use of the local BIND for recursion instead of relying on the backend DNS. The resolver Cache might also be helpful if I can figure it out. The code can be improved by reducing the use of DNS::query when it might not be necessary and by passing its results to the client instead of returning, but this is good enough for now.
Ideally the iRule would not be necessary, and the requests not handled by DNSX and DNSCache would be passed to the local BIND for full recursive resolution.
Any suggestions for improvements? Remarks?
Regards,
Pierre
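The decision the dnsx_bypass iRule makes, reproduced as an added Python simulation (not F5 code and not part of the original post) over constructed answer sections. It goes one step further than the iRule by following the CNAME chain by owner name, which makes the "canonical name outside a DNSX zone" case described above explicit; the zone names, records and route labels are assumptions for illustration.

```python
# Added example (not F5 code): simulates the dnsx_bypass iRule decision on
# constructed DNS answer sections. Names, records and the "bypass"/"dnsx"
# labels are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from the answer section (constructed)."""
    name: str
    rtype: str
    rdata: str


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def dnsx_satisfies(qname: str, qtype: str, answer: list[RR]) -> bool:
    """True if the DNSX answer resolves qname to a record of qtype.

    Unlike the iRule's count of any RR of the queried type, this follows
    the CNAME chain by owner name, so a CNAME whose target lies outside
    the DNSX zones (no terminal A record) is reported as unmet.
    """
    name, seen = _canon(qname), set()
    while name not in seen:
        seen.add(name)
        rrs = [rr for rr in answer if _canon(rr.name) == name]
        if any(rr.rtype == qtype for rr in rrs):
            return True
        cnames = [rr for rr in rrs if rr.rtype == "CNAME"]
        if not cnames:
            return False          # dead end: nothing of qtype, no alias to follow
        name = _canon(cnames[0].rdata)
    return False                  # CNAME loop inside the answer


def route(qname: str, qtype: str, answer: list[RR]) -> str:
    """Mirror the iRule: AAAA passes untouched; otherwise serve from DNSX
    only when it holds a usable answer, else disable DNSX for this query."""
    if qtype == "AAAA":
        return "passthrough"
    return "dnsx" if dnsx_satisfies(qname, qtype, answer) else "bypass"


# Constructed answer sections as DNSX might return them for zone example.com.
IN_ZONE = [RR("www.example.com.", "A", "192.0.2.10")]
ALIAS_IN_ZONE = [RR("alias.example.com.", "CNAME", "www.example.com."),
                 RR("www.example.com.", "A", "192.0.2.10")]
ALIAS_OUTSIDE = [RR("ext.example.com.", "CNAME", "cdn.example.net.")]
UNKNOWN: list[RR] = []            # NS/SOA would sit in authority, not answer
```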
- Another thing I noticed this week: when requesting SRV records, DNSX does not appear to add the corresponding A record in the additional section of the DNS response.
Hamish (Cirrocumulus), quoting pmaupard (posted 07/06/2013 11:42 AM):
- Nowadays all requests have the RD bit enabled.