Network > DNS Resolver - So how do you test this is working?
Hi All,
So I've configured a DNS resolver "Network > DNS Resolver" as per the instructions.
But my stats aren't incrementing.
With now 3 sorts of DNS on my BIG-IP (Kernel, GTM and now the DNS Resolver), how do I run a test into the DNS Resolver to prove this config is working before I use it in anger in production? (I'm trying to set up a SOCKS proxy which insists on this config.)
Dig, for example, from the CLI, or using things like ping, uses the kernel DNS settings, as I've used this in the past, so how do I force something to use the DNS Resolver? (Network > DNS Resolver - and see the stats increment!) This is NOT the DNS Resolver cache of DNS.
Thanks
Pete
Hello PSFletchTheTek.
When you configure a DNS Resolver, besides configuring cache size, Route Domain, etc., remember to set a forward zone, for example, using a dot ( . ) and the IPs of the DNS servers you are using.
DNS Resolver is used just for some specific features (not the whole DNS communications):
- HTTP Explicit Proxy feature
- OCSP Validation
- BIG-IP APM
- BIG-IP AFM
- BIG-IP ASM Bot Defense feature
REF - https://support.f5.com/csp/article/K12140128
One example would be to use OCSP Validation.
Check that in menu "System > Certificate Management > Traffic Certificate Management > OCSP". You will see that a "DNS Resolver" option is requested.
In my case I have this OCSP object configured:
- Name: OCSP_myCA
- DNS Resolver: my_dns_resolver
- Responder URL: http://myocspserver.example.com
Then at "System > Certificate Management > Traffic Certificate Management > SSL Certificate List > myCert"
I have this specific OCSP checker applied to the monitoring properties of the 'myCert':
- Monitoring Type: OCSP
- Issuer Certificate: myCA
- OCSP: OCSP_myCA
This set will launch DNS requests trying to reach "myocspserver.example.com".
Regards,
Dario.