The Power of &: F5 Hybrid DNS solution
While some organizations prioritize the advantages of a SaaS solution like scalability, others value the benefits of an on-premises solution, such as data control and migration flexibility. This is why having the option to deploy a hybrid model can be beneficial, not just for redundancy, but also for allowing organizations to blend the best of both worlds.
Understanding the Architecture’s components
F5 BIG-IP DNS - (formerly BIG-IP GTM) is a well-known on-premise solution for delivering high-performance DNS services such as DNSExpress and DNS Caching. It is also recognized for offering intelligent DNS responses that are based on various factors such as LDNS’ Geolocation (GSLB) and health status of applications.
F5 Distributed Cloud DNS (F5 XC DNS) – It is F5’s SaaS-based DNS solution which is built on a global data plane, ensuring automatic scalability to meet high-volume demand. Additionally, it also provides GSLB and security such as DNS DoS protection.
On the diagram above, BIG-IP DNS will be the hidden primary DNS, acting as the source of truth for DNS records. This setup ensures centralized control and adds an extra layer of security by reducing exposure to potential attacks. F5XC DNS will function as the secondary DNS server, receiving DNS records from BIG-IP via Zone Transfer. It will be responsible for handling public DNS queries and providing domain name resolution services to clients.
In the first part of this article, we will show you how to set up and configure BIG-IP DNS as the hidden primary and F5XC DNS as the authoritative secondary DNS server. For some, this setup is sufficient for their requirements, but for others, there may be additional requirements to consider in this hybrid design. In the later part of this article, we will demonstrate how we can address these challenges by leveraging F5's platform features and capabilities!
Steps on Implementing F5 Hybrid DNS Solution
Step 1: Configure BIG-IP DNS
First, we need to configure BIG-IP DNS to be able to perform a zone transfer to F5XC DNS. For more details on the configuration, you can check this link:
https://community.f5.com/kb/technicalarticles/configuring-big-ip-for-zone-transfer-and-dnssec/330359
Step 2: Configure F5XC DNS
Now after you've configured BIG-IP DNS, we need to configure F5 XC DNS to be a secondary DNS server. For more details, check the steps below:
- Log into XC Console, select DNS Management option, click Add Zone.
- In Domain Name field, enter the domain/subdomain. In our example, it will be f5sg.com
- Zone Type: Secondary DNS Configuration
- Under the Secondary DNS Configuration field, click Configure
- On the DNS primary server IP field, enter the public IP address of the Primary DNS. In our example it will be the Public IP of BIG-IP DNS.
- On TSIG key, enter the name we used to generate TSIG earlier in BIG-IP. In our example, used example.
- On the TSIG Key algorithm field and select an algorithm from the drop-down. Select hmac-sha256.
- Click Configure in the TSIG key value in base 64 format section, On the Secret Type field, select Clear Secret and paste the secret in the Secret field. Use the same secret we generated earlier in BIG-IP DNS.
- Click Apply.
You should see the DNS records transferred from BIG-IP DNS to F5XC DNS
Step 3: Configure Domain Registrar
In this example, the domain registrar I'm using is Namecheap. I'll configure it so that the authoritative name server for the domain f5sg.com is set to F5XC (ns1.f5clouddns.com and ns2.f5clouddns.com).
The steps will vary depending on which domain registrar you are using. Refer to the documentation of your registrar. See the screenshots below for how I configured it in Namecheap.
F5 XC DNS should now be able to answer DNS queries since it is set to be the authoritative DNS. Now, let's do some testing! On my local machine, I will perform a dig on the f5sg.com domain. See below:
You can see that on the dig result, the NS for f5sg.com is set to ns1.f5clouddns.com & ns2.f5clouddns.com!
I can also resolve sales.f5sg.com!
We have successfully implemented BIG-IP as Hidden Primary and F5XC as Authoritative Secondary DNS!
Challenges and Considerations
Now let's discuss the additional requirements or challenges that we might encounter with this hybrid setup solution:
- Security: We need to comply with security compliance. Nowadays, there are laws requiring the implementation of DNSSEC (DNS Security Extensions). We need to consider this in the design and implement it without adding complexity.
- Resiliency: Although F5XC DNS Infrastructure is built to be resilient, we still want a backup plan to failover to the BIG-IP Primary DNS in case of unforeseen events. This process will be manual, as we need to change the NS records at the registrar to promote the hidden BIG-IP Primary DNS as the authoritative NS for the domain once F5XC is unavailable.
- Synchronization: BIG-IP will not be able to synchronize the GSLB functionality with F5XC because Wide-IP records are non-standard and cannot be transferred as part of zone transfers.
Solution to Challenges
Now comes the fun part: tackling the challenges we’ve laid out! Fortunately, F5 Distributed Cloud is an API-first platform that enables us to automate configuration. At the same time, we have the power of the BIG-IP platform, where you can run custom scripts that will enable us to integrate it with F5XC through API.
Solution to Challenge #1:
This is easy. DNSSEC records like RRSIG, DNSKEY, DS, NSEC, and NSEC3 are standardized and can be synchronized as part of a zone transfer. Since BIG-IP DNS is our primary DNS and supports DNSSEC, we can enable it. The records will synchronize to F5XC DNS and still respond with signed records, maintaining the integrity and security of our DNS infrastructure.
How do you enable it? Check the last part of the technical article below:
https://community.f5.com/kb/technicalarticles/configuring-big-ip-for-zone-transfer-and-dnssec/330359
Solution to Challenge #2:
We need to automate failover! But when automating tasks, you need two things: a trigger and an action. In our scenario, our trigger should be the availability of F5XC DNS to resolve DNS queries, and the action should be to change our nameserver to BIG-IP on the domain registrar.
If you can create and run a script in BIG-IP, it means you can continuously monitor the health of F5XC DNS, allowing us to determine the trigger.
But what about the action to change the domain name server records in the registrar? It's easy—check if it can be configured via API, then the problem is solved! Let's explore using Namecheap as our registrar for this example.
- We will use the BIG-IP EAV (external) monitor to run the script. If you're unfamiliar with the BIG-IP external monitor and its capabilities, check this out → https://my.f5.com/manage/s/article/K71282813
- A dummy pool configured with an external monitor will run at intervals. The attached script is designed to monitor F5XC and check if it can resolve DNS queries. If it cannot, the script will trigger an API call to Namecheap (our domain registrar) to change the nameservers back to BIG-IP DNS. Simultaneously, the script will update the domain's NS records from F5XC to BIG-IP.
Step 1: Create an external monitor using the custom script.
Refer to article K71282813 how to create the external monitor. See the codeshare link for the sample custom script I used: Namecheap and BIG-IP Integration via API | DevCentral
Step 2: Create a dummy pool and attach the custom external monitor
Let's do some tests! See the results in the later part of this article.
Solution to Challenge #3:
We can't use Zone Transfer to synchronize GSLB configurations? No problem! Instead, we'll harness the power of APIs. We can run a custom script in BIG-IP to convert Wide-IP configurations into F5XC DNSLB records via API. Let's see below how we can do this.
- On BIG-IP DNS, configure the zone records for the domain f5sg.com to delegate the subdomains needed for GSLB.
For example, we need to perform GSLB for www.f5sg.com, we will configure the zone like below:
www.f5sg.com CNAME www.gslb.f5sg.com
gslb.f5sg.com NS ns1.f5clouddns.com - On BIG-IP we will create Wide-IP configuration for www.gslb.f5sg.com which should hold the A records.
- These Wide-IP configurations can be converted by a script to F5XC DNSLB configurations. Check the sample script on this codeshare link: BIG-IP Wide-IP to F5XC DNSLB converter | DevCentral
Testing and Result
Challenge #2: Failover Testing
To simulate the scenario in which F5XC is unable to respond to DNS queries, we designed the script to execute a dig command to F5XC for a TXT record. If F5XC responds with "RESPONSE-OK," no further action is needed. However, if it fails to respond correctly or does not respond at all, the script will trigger a failover action.
Scenario 1: When F5XC responds to DNS queries (TXT record value is RESPONSE-OK)
Namecheap dashboard shows F5XC nameservers
BIG-IP DNS zone records shows F5XC nameservers
F5XC zone records shows F5XC nameservers
Result when performing dig to resolve sales.f5sg.com -> it shows that F5XC nameservers are Authoritative
Scenario: When F5XC doesn't respond to DNS queries (TXT record value is RESPONSE-NOT-OK)
We changed the TXT record value to 'RESPONSE-NOT-OK,' which should mark the monitor as down.
The dummy pool went down, which means the script inside the monitor detected that the dig result was not what it expected.
You can see from the zone records below that the NS records have now changed to GTM (gtm1.f5sg.com and gtm2.f5sg.com)
When we check our domain registrar, Namecheap, we can see that the nameservers are now automatically set to BIG-IP GTMs.
When I issue a dig command from my workstation, I can see that the nameserver responding to my query is gtm1.f5sg.com
Online DNS tools (like MXToolbox) also report that gtm1.f5sg.com is the authoritative NS that responds to the DNS queries for sales.f5sg.com, which resolves to 2.2.2.2
We have now solved one of the challenges by implementing a backup failover plan using custom monitors and automations, made possible by the power of BIG-IP and APIs!
Challenge #3: Synchronization Testing
Using this script, we can convert and synchronize the BIG-IP Wide-IP configuration to its F5XC equivalent configuration
Note: The sample script is limited to handling a Wide-IP with a single GTM pool. Inside the pool is where you will define the IP addresses that you want to load balance. The pool load balancing method is also limited to Round Robin, Ratio, Static Persist, and Global Availability.
The script is designed to run at intervals. There are several ways to execute it: you can use external monitors (as we did earlier) or utilize a cronjob, etc. For testing and simplicity, I will use a cronjob set to run every 10 minutes.
Let's begin creating our GSLB configuration. If you've configured BIG-IP GTM/DNS before, one of the first objects you need to create is a GTM server.
I've configured two Generic Servers representing the application in two different Data Centers.
Next is we create a GTM Pool which we will associate the Virtual Server inside the GTM server we created earlier.
(i.e. I'm assigning 1.1.1.1 and 2.2.2.2 as the members of the pool)
Lastly, we will create the Wide-IP record and attach the GTM Pool we created earlier
After this, the script should get triggered and convert this BIG-IP DNS Wide-IP configuration into F5XC DNS configuration.
We should see that a new Primary Zone will be created in F5XC (gslb.f5sg.com)
When you view the resource records, we should see a DNSLB record which has the record name equivalent to the subdomain of the wide-IP record.
(BIG-IP DNS Wide-IP record is www.glsb.f5sg.com, In F5XC DNS zone gslb.f5sg.com, the record name is www and pointing to DNSLB object)
The load balancing rules should have the DNSLB pool (pool-www) which is the equivalent of the GTM Pool (pool_www) configured in BIG-IP DNS
The DNSLB pool members will include the same IP addresses we defined as GTM Pool members in BIG-IP DNS.
There are four load balancing methods available in F5XC, and there is an equivalent BIG-IP DNS load balancing method. The script was created to match this methods but if you configure the BIG-IP DNS pool load balancing method to something other than these four, it will default to Round Robin.
BIG-IP DNS | F5XC DNS |
Round Robin | Round-Robin |
Ratio | Ratio-Member |
Static Persist | Static-Persist |
Global Availability | Priority |
Based on the results above, we have successfully converted and synchronize BIG-IP DNS Wide-IP configuration into F5XC DNSLB records!
Conclusion
We have resolved DNS challenges using the power and integration of F5 solutions! By utilizing both BIG-IP and F5XC platforms, which can sign and serve DNSSEC records, we can seamlessly implement DNSSEC in a hybrid setup without complexity. Furthermore, our scalable F5XC Cloud DNS will shield you from myriad DNS DoS attacks, which are continually evolving, especially with the rise of AI. In terms of DNS resiliency, with the power of our API-first platforms and automation, we can create a DNS hybrid solution capable of automatically failing over from Cloud DNS to on-prem DNS. Lastly, we can synchronize the configurations of both platforms using standards like Zone Transfer and APIs. This capability allows us to convert and synchronize GSLB configurations between our on-prem DNS and Cloud DNS, making administration easier, and establishing a single source of truth.