How to Split DNS with Managed Namespace on F5 Distributed Cloud (XC) Part 2 – TCP & UDP

Re-Introduction

In Part 1, we covered the deployment of the DNS workloads to our Managed Namespace and creating an HTTPS Load Balancer and Origin Pool for DNS over HTTPS. If you missed Part 1, feel free to jump over and give it a read.

In Part 2, we will cover creating a TCP and UDP Load Balancer and Origin Pools for standard TCP & UDP DNS.

TCP Origin Pool

First, we need to create an origin pool. On the left menu, under Manage, Load Balancers, click Origin Pools.

 

Let’s give our origin pool a name, and add some Origin Servers, so under Origin Servers, click Add Item.

In the Origin Server settings, we want to select K8s Service Name of Origin Server on given Sites as our type, and enter our service name, which will be the service name from Part 1 and our namespace, so “servicename.namespace”.

For the Site, we select one of the sites we deployed the workload to, and under Select Network on the Site, we want to seledt vK8s Networks on the Site, then click Apply.

Do this for each site we deployed to so we have several servers in our Origin Pool.

In Part 1, our Services defined the targetPort as 5553. So, we set Port to 5553 on the origin. This is all we need to configure for our TCP Origin, so click Save and Exit.

TCP Load Balancer

Next, we are going to make a TCP Load Balancer, since its less steps (and quicker) than a UDP Load Balancer (today). On the left menu under Manage, Load Balancers, select TCP Load Balancers.

 

Let’s set a name for our TCP LB and set our listen port, 53 is a reserved port on Customer Edge Sites so we need to use something else, so let’s use 5553 again, under origin pools we set the origin that we created previously, and then we get to the important piece, which is Where to Advertise.

In Part 1 we advertised to the internet with some extra steps on how to advertise to an internal network, in this part we will advertise internally. Select Advertise Custom, then click edit configuration. Then under Custom Advertise VIP Configuration, click Add Item.

We want to select the Site where we are going to advertise, the network interface we will advertise. Click Apply, then Apply again. We don’t need to configure anything else, so click Save and Exit.

UDP Load Balancer

For UDP Load Balancers we need to jump to the Load Balancer section again, but instead of a load balancer, we are going to create a Virtual Host which are not listed in the Distributed Applications tile, so from the top drop down “Select Service” choose the Load Balancers tile.

 

In the left menu under Manage, we go to Virtual Hosts instead of Load Balancers. The first thing we will configure is an Advertise Policy, so let’s select that.

Advertise Policy

 

Let’s give the policy a name, select the location we want to advertise on the Site Local Inside Network, and set the port to 5553.

Save and Exit.

Endpoints

Now back to Manage, Virtual Hosts, and Endpoints so we can add an endpoint.

Name the endpoint and specify based on the screenshot below. 

  • Endpoint Specifier: Service Selector Info
  • Discovery: Kubernetes
  • Service: Service Name
  • Service Name: service-name.namespace
  • Protocol: UDP
  • Port: 5553
  • Virtual Site or Site or Network: Site
  • Reference: Site Name
  • Network Type: Site Local Service Network

Save and Exit.

Cluster

The Cluster configuration will be simple, from Manage, Virtual Hosts, Clusters, add Cluster. We just need a name and select the Origin Servers / Endpoints and select the endpoint we just created. Save and Exit.

Route

The Route configuration will be simple as well, from Manage, Virtual Hosts, Routes, add Route. Name the route and under List of Routes click Configure, then Add Item. Leave most settings as they are, and under Actions, choose Destination List, then click Configure. Under Origin Pools and Weights, click Add Item. Under Cluster with Weight and Priority select the cluster we created previously, leave Weight as null for this configuration, then click Apply, apply again, apply again, Apply again, Save and Exit.

 

Now we can Finally create a Virtual Host. 

Virtual Host

Under Manage, Virtual Host, Select Virtual Host, then Click Add Virtual Host.

There are a ton of options here, but we only care about a couple. Give the Virtual Host a name.

  • Proxy Type: UDP Proxy
  • Advertise Policy: previously created policy

Moment of Truth, Again

Now that we have our services published we can give them a test.  Since they are currently on a non standard port, and most systems dont let us specify a port in default configurations we need to test with dig, nslookup, etc.

To test TCP with nslookup:

nslookup -port=5553 -vc google.com 192.168.125.229       
Server:		192.168.125.229
Address:	192.168.125.229#5553

Non-authoritative answer:
Name:	google.com
Address: 142.251.40.174

To test UDP with nslookup:

nslookup -port=5553 google.com 192.168.125.229 
Server:		192.168.125.229
Address:	192.168.125.229#5553

Non-authoritative answer:
Name:	google.com
Address: 142.251.40.174

 

IP Tables for Non-Standard DNS Ports

If we wanted to use the nonstandard port tcp/udp dns on Linux or MacOS, we can use IPTABLES to forward all the traffic for us.  There isnt a way to set this up in Windows OS today, but as in Part 1, Windows Server 2022 supports encrypted DNS over HTTPS, and it can be pushed as policy through Group Policy as well.

iptables -t nat -A PREROUTING -i eth0 -p udp –dport 53 -j DNAT –to XXXXXXXXXX:5553
iptables -t nat -A PREROUTING -i eth0 -p udp –dport 53 -j DNAT –to XXXXXXXXXX:5553
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 53 -j DNAT –to XXXXXXXXXX:5553
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 53 -j DNAT –to XXXXXXXXXX:5553​

Conclusion

I hope this helps with a common use-case we are hearing every day, and shows how simple it is to deploy workloads into our Managed Namespaces.

Updated Nov 15, 2022
Version 2.0
  • Thanks for the article Coleman! I have followed this multiple times now over the last year.

  • UPDATE: As of May Release, you can now advertise on port 53 on a CE on a custom VIP/IP.