Configuring the F5 BIG-IP to Perform Name Resolution Using a DNS Resolver Cache
After feedback on both DevCentral and direct email, it seems as though there is still confusion or a lack of clarity around how to configure the BIG-IP to perform name resolution. A common scenario of my own customers is to configure the BIG-IP as an authoritative DNS server as well as a transparent DNS server that forwards lookups to another source. With that, I wanted to take some time to walk through the steps of configuring the BIG-IP to be a resolving cache DNS server. However, before we get started I wanted to provide the F5 support definition of each cache type provided by the BIG-IP.
About the transparent DNS cache
You can configure a transparent cache on the BIG-IP® system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.
About the resolver DNS cache
You can configure a resolver cache on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the name servers the system queries to resolve DNS queries.
About the validating resolver DNS cache
You can configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.
Ok, now with that out of the way, let's get started!
Prerequisites
- BIG-IP DNS licensed and provisioned.
- An external internet route.
Create a Resolver Cache
- Navigate to DNS >> Caches >> Cache List.
- Click Create.
- Name: demo_resolver_cache
- Resolver Type: Resolver
- Click Finished
Note: If Root Hints is left at its default, the cache uses the F5-defined default root hints. On an air-gapped or classified network you will need to define your own network's root hint servers.
Also, if you rely on root hints alone, you may see some timeouts during name resolution. To improve name resolution, we will create a Forward Zone, which lets us define another authoritative source to send lookups to.
- Click the cache created in the previous steps.
- Click the Forward Zones tab.
- Click Add.
- Name: .
- Nameservers: 8.8.8.8 & 9.9.9.9
- Click Finished.
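To make the forward-zone behaviour concrete, the following added example (not from the article or from F5) parses a resolver cache stanza in the tmsh brace syntax shown later on this page and works out which nameserver set a given query name is forwarded to. The config text is constructed for the example, and the selection rule it applies, the most specific configured zone wins and "." is the catch-all, is an assumption about standard resolver forwarding behaviour rather than something documented here.

```python
"""Parse a tmsh-style 'ltm dns cache resolver' stanza and report which forward
zone, and therefore which nameservers, a query name would be sent to.

Added example. SAMPLE_CONFIG is constructed in the tmsh syntax used on this
page; the longest-matching-zone rule is an assumption about resolver behaviour.
"""
import re

# Constructed sample, not a real device dump.
SAMPLE_CONFIG = """\
ltm dns cache resolver demo_resolver_cache {
    answer-default-zones no
    forward-zones {
        . {
            nameservers {
                8.8.8.8:53 { }
                9.9.9.9:53 { }
            }
        }
        corp.example. {
            nameservers {
                10.11.11.10:53 { }
            }
        }
    }
}
"""


def parse_tmsh(text):
    """Parse tmsh brace syntax into nested dicts.

    'key {' opens a block, '}' closes it, 'key { }' is an empty block (used for
    each nameserver entry) and 'key value' is a leaf setting.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^(.*?)\s*\{\s*\}$", line)   # 'key { }'
        if m:
            stack[-1][m.group(1)] = {}
            continue
        m = re.match(r"^(.*?)\s*\{$", line)        # 'key {'
        if m:
            block = {}
            stack[-1][m.group(1)] = block
            stack.append(block)
            continue
        key, _, value = line.partition(" ")         # 'key value'
        stack[-1][key] = value
    return root


def forward_zones(config):
    """Return {zone: [nameserver, ...]} from a parsed resolver cache stanza."""
    stanza = next(v for k, v in config.items()
                  if k.startswith("ltm dns cache resolver"))
    zones = stanza.get("forward-zones", {})
    return {zone: list(body.get("nameservers", {})) for zone, body in zones.items()}


def select_zone(zones, qname):
    """Pick the configured zone that is the longest suffix of qname.

    '.' matches every name; 'corp.example.' matches host.corp.example. but
    not corpexample.net.  Comparison is case-insensitive on the FQDN form.
    """
    name = qname.lower().rstrip(".") + "."
    best = None
    for zone in zones:
        z = zone.lower()
        if z == "." or name == z or name.endswith("." + z):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def nameservers_for(config_text, qname):
    """Nameservers a query for qname is forwarded to under config_text."""
    zones = forward_zones(parse_tmsh(config_text))
    zone = select_zone(zones, qname)
    return zones[zone] if zone is not None else []


if __name__ == "__main__":
    for q in ("nfl.com", "www.corp.example", "corpexample.net"):
        print(q, "->", nameservers_for(SAMPLE_CONFIG, q))
```

With only the "." zone configured, as in the article's steps, every query goes to 8.8.8.8 and 9.9.9.9; adding a more specific zone diverts just that subtree to its own nameservers, which is the usual way to point internal domains at internal authoritative servers while everything else goes out to the public forwarders.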
Create a DNS Profile
- Navigate to DNS >> Delivery >> Profiles >> DNS.
- Click Create.
- Name: demo_dns_profile
- DNS Cache: Enabled
- DNS Cache Name: demo_resolver_cache
- Use BIND Server on BIG-IP: Disabled
- Click Finished.
Create a DNS Listener
- Navigate to DNS >> Delivery >> Listeners >> Listener List.
- Click Create.
- Name: demo_dns_listener
- Destination: 10.1.20.153
- Source Address Translation: Auto Map
- DNS Profile: demo_dns_profile
- Click Finished.
Validate Successful Name Resolution
- Navigate to a workstation that will be using the BIG-IP to resolve queries.
- Launch a command prompt.
- Type nslookup.
- Type server 10.1.20.153.
- Attempt to query external domain names (e.g. nfl.com, nba.com, nhl.com, abcmouse.com).
- From the BIG-IP itself, you can also run dig, which is an extremely useful tool.
Validate Cache
- Launch an SSH session to your BIG-IP using PuTTY or the client of your choice.
- Run the following command:
tmsh show ltm dns cache records rrset cache demo_resolver_cache
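The two validation steps above can be scripted from the workstation side. The following added example (not from the article or from F5) builds a raw DNS A query, sends it to the listener address used in the article, parses the reply, and applies a simple cache check: when the second answer for the same name carries a lower TTL than the first, the listener is serving it from its cache rather than fetching it again from the forwarders. The packets produced by build_response() are constructed so the parsing and the check can be exercised offline; resolve() is the only function that touches the network.

```python
"""Validate name resolution through a BIG-IP DNS listener and confirm that
repeat answers come from the resolver cache.

Added example. LISTENER is the listener destination from the article; the
replies built by build_response() are constructed for offline use.
"""
import socket
import struct

LISTENER = ("10.1.20.153", 53)   # demo_dns_listener destination from the article


def build_query(qname, txid=0x1234):
    """Encode a standard recursive (RD=1) A/IN query for qname in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, next_off)."""
    parts, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        parts.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(parts) + ".", (end if jumped else off)


def parse_response(msg):
    """Return id, rcode, the RA flag and a list of (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:            # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F,
            "ra": bool(flags & 0x0080), "answers": answers}


def build_response(query, ttl, addr="203.0.113.10"):
    """Construct a NOERROR reply to query with one A record (offline test data)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
          + bytes(int(o) for o in addr.split(".")))
    return header + question + rr


def served_from_cache(first, second):
    """True when the second answer's TTL is below the first's, i.e. counting down."""
    return second["answers"][0][2] < first["answers"][0][2]


def resolve(qname, server=LISTENER, timeout=3.0):
    """Send the query over UDP to the listener and return the parsed reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, server)
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp


if __name__ == "__main__":
    import sys
    import time
    name = sys.argv[1] if len(sys.argv) > 1 else "nfl.com"
    first = resolve(name)
    time.sleep(2)
    second = resolve(name)
    print(name, first["answers"], "cached:", served_from_cache(first, second))
```

Run it as a script with a domain name on a workstation that can reach the listener; the RA flag in the reply confirms the listener is acting as a recursive resolver, and a falling TTL between the two answers matches what the tmsh record listing above shows from the BIG-IP side.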
You have now successfully configured your BIG-IP instance to perform name resolution as a recursive DNS server and to cache DNS responses for faster name resolution. I really hope that, between this article and others, it helps clarify some of the questions out there regarding the recursive and authoritative DNS capabilities the BIG-IP provides.
- PK123_378843 (Nimbostratus)
Nice and useful information. Thanks!!
- AndreasWall (Nimbostratus)
Hi,
Nice, clean configuration and explanation.
One question.
I have created a dns cache with forward zones. Each zone has a set of different nameservers configured.
The cache looks like this:
ltm dns cache resolver dns_cache_1 {
    answer-default-zones yes
    forward-zones {
        . {
            nameservers {
                10.10.10.10:53 { }
                10.10.10.11:53 { }
            }
        }
        zone1.com. {
            nameservers {
                10.11.11.10:53 { }
                10.11.11.11:53 { }
            }
        }
        zone2.com. {
            nameservers {
                10.11.11.10:53 { }
                10.11.11.11:53 { }
            }
        }
    }
    partition DNS_RESOLVER
    route-domain /Common/100
}
At the moment, from what I can tell, the F5 will use the self IP address of the egress interface when querying those nameservers.
Is it possible to tweak this into using another address? I tried using source-address-translation under the DNS listener but no luck.
It does not have to be a different source IP address depending on which set of nameservers is queried. Just that it uses another IP address than the self IPs.
Is an iRule the way to go here?
We have the F5 set up in a one-armed fashion.
Thanks in advance for any comments, suggestions and solutions.