For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

PSFletchTheTek's avatar
PSFletchTheTek
Icon for Cumulonimbus rankCumulonimbus
Aug 26, 2021

Network > DNS Resolver - So how do you test this is working?

Hi All, So i've configured a DNS resolver "Network > DNS Resolver" as per the instructions. But my stats aren't incrementing. With now 3 sorts of DNS on my BIG-IP (Kernel, GTM and now the DNS Reso...
application delivery
BIG-IP
LTM
Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Aug 27, 2021

Hello PSFletchTheTek.

 

When you configure a DNS Resolver, besides configuring chache size, Route Domain, etc., remember to set a forward zone, for example, using a dot ( . ) and the IPs of the DNS servers you are using for.

 

DNS Resolver is used just for some specific features (not the whole DNS communications):

  • HTTP Explicit Proxy feature
  • OCSP Validation
  • BIG-IP APM
  • BIG-IP AFM
  • BIG-IP ASM Bot Defense feature

REF - https://support.f5.com/csp/article/K12140128

 

One example would be to use OCSP Validation.

Check that in menu "System > Certificate Management > Traffic Certificate Management > OCSP". You will see that a "DNS Resolver" option is requested.

 

In my case I have this OCSP object configured:

  • Name: OCSP_myCA
  • DNS Resolver: my_dns_resolver
  • Responder URL: http://myocspserver.example.com

 

Then at "System > Certificate Management > Traffic Certificate Management > SSL Certificate List > myCert"

I have this specific OCSP checker applied to the monitoring properties of the 'myCert':

  • Monitoring Type: OCSP
  • Issuer Certificate: myCA
  • OCSP: OCSP_myCA

 

This set will launch DNS requests trying to reach "myocspserver.example.com".

 

Regards,

Dario.