DNS Services Architecture
F5 has been in the DNS business for quite some time, beginning with the 3-DNS GSLB product introduced in 1998. While steadily growing the GSLB market through product advances, the platform has become incredibly feature rich, offering far more than GSLB services. Some of the other services added over the years (related articles noted in parentheses):
- Standard name services via BIND, as a fallback or as primary domain auth
- Local SLB for DNS
- DNSSEC (Configuring GTM’s DNS Security Extensions)
- Geolocation data (New Geolocation Capabilities, Heatmaps)
- DNS Express (DNS Express Part 1, DNS Express Part 2)
- IP Anycast
- DNS 64
As the service offering has grown, the underlying architecture supporting DNS has changed as well to improve performance and scale. Through versions 10.2.x, GTM services were handled outside of TMM in Linux, which means that GTM prior to version 11 could not take advantage of TMM's multi-processor benefits. Screening mode was introduced in GTM version 10.2, which allowed GTM to load balance DNS services with limited LTM functions. See Figure 1 below.
BIG-IP version 11 (see Figure 2 below) introduced a true DNS proxy running natively in TMM. Not only does this deliver a major performance improvement, but if the virtual server has a DNS profile attached, TMM also understands the DNS traffic; it is no longer just a packet. This means the queries and responses must meet some minimum protocol sanity checks. The DNS proxy also enables (depending on profile configuration) the DNS iRules commands, DNS 64, DNS Express, etc.
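To illustrate what "minimum protocol sanity checks" on a query look like once a proxy actually parses DNS rather than forwarding opaque packets, here is an added Python example. It is not F5's code; the checks chosen, the `dns_sanity_check`/`is_valid_query` names and the sample query are constructed for illustration.

```python
import struct

# Constructed sample: a standard A query for example.com, id 0x1234, RD set.
SAMPLE_QUERY = bytes.fromhex(
    "1234" "0100" "0001" "0000" "0000" "0000"      # header
    "076578616d706c6503636f6d00" "0001" "0001"     # question: example.com A IN
)

def parse_name(msg, offset):
    """Return (name, new_offset); rejects pointers/reserved label types in the question."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # 0b11 = compression pointer, 0b01/0b10 = reserved
            raise ValueError("compression pointer or reserved label type in question")
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    name = ".".join(labels)
    if len(name) > 253:
        raise ValueError("name too long")
    return name, offset

def dns_sanity_check(msg):
    """Illustrative checks a DNS-aware proxy might apply before forwarding a query."""
    if len(msg) < 12:
        raise ValueError("shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        raise ValueError("reserved opcode")
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": ident, "name": name, "qtype": qtype, "qclass": qclass}

def is_valid_query(msg):
    """Boolean wrapper: True when the message passes every check above."""
    try:
        dns_sanity_check(msg)
        return True
    except ValueError:
        return False
```

A well-formed query passes, while a truncated packet or a message with the QR bit set is rejected before it ever reaches a back-end server.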
The DNS profile options can be seen below in Figure 3. Notice you can enable the services that a particular virtual server will handle, and disable the remaining ones.
Finally, in the most recent v11.1 release, the only change to the architecture was to move the server-side ingress iRules handling (the DNS_RESPONSE event) to the client side of the proxy. This was done so that responses generated by GTM or DNS Express themselves, which never traverse the server side, can also be captured and acted upon.
In my next article, I’ll delve into the DNS request/response handling workflows in version 11.1 and cover the new DNS iRules extensions.
Update: These services require either a GTM or a DNS services license to function.