Replacing a DNS Server with F5 BIG-IP DNS
First things first, you have decided to deploy F5 BIG-IP DNS to replace a BIND server after receiving notifications from your information assurance officer or your friendly LinkedIn community that additional CVE's have been identified for the version of BIND you are running. In this particular instance you already have a BIG-IP in your DMZ acting as your reverse proxy. You have purchased the best bundle though have only deployed what you know, APM and LTM (common scenario).
After upgrading to version 13 after its release in February 2017 and then determining the latest hotfix using https://support.f5.com/csp/article/K9502, you navigate within the TMUI to System > Resource Provisioning and simply provision DNS.
Once complete you will need to configure your existing BIND server to allow zone transfers to the BIG-IP. In this case, we will define a self-IP on the BIG-IP.
Without the BIG-IP Self IP Defined "allow-transfer { localhost;};"
With the BIG-IP Self IP Defined "allow-transfer { localhost; 10.10.10.2;};"
Once you have allowed the zone transfer, you will create the zone on the BIG-IP and perform the zone transfer.
- On the Main tab, click DNS > Zones > ZoneRunner > Zone List . The Zone List screen opens.
- Click Create.The New Zone screen opens.
- From the View Name list, select the view that you want this zone to be a member of. Note: The default view is external.
- In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.lyons.demo.com.
- From the Zone Type list, select Master.
- From the Records Creation Method list, select Transfer from Server.
- Within Options, include the following
allow-update { localhost;}; allow-transfer { localhost; }; also-notify { ::1 port 5353; };
- In the Records Creation area, type the values for the SOA and NS record parameters.
- Click Finished
Ok, so you might be asking yourself right about now, "I thought ZoneRunner was a BIND instance?" In this scenario you are correct which is why we are going to slave from on-box BIND to ensure BIND is never accessible externally and we only respond to DNS queries using DNSExpress. Now can you slave from an off-box DNSExpress instance, of course though that is outside the scope of this article.
Prior to creating our DNS profile and listeners, we are going to configure DNS logging. For this use case, we are going to configure logging to the on-box syslog instance.
- In the GUI, navigate to: System > Logs > Configuration > Log Publishers: Create
- Create a new DNS Log Publisher using the defaults unless defined below.
Name: dns-local-syslog
Destinations: Move local-syslog to the Selected column
- In the GUI, navigate to: DNS > Delivery > Profiles > Other > DNS Logging: Create
- Create a new DNS Profile using the defaults unless defined below.
Name: dns-logging
Log Publisher: Select dns-local-syslog
Log Responses: Enabled
Include Query ID: Enabled
Note: For the purposes of this article, we are going to enable all DNS logging options.
Now that we have logging set up to use by our DNS profile, we are going to going ahead and create that object.
- In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table.
Name: AuthoritativeNS
Unhandled Query Action: Drop
Use BIND Server on Big-IP: Disabled
Logging: Enabled
Logging Profile: dns-logging
Now that we have created our DNS profile, we are going create our DNS listeners. Remember, F5 is a default deny device so without creating something to listen on all attempts to connect to or query the BIG-IP will be denied.
We are going to create external Listeners that will be our target IP address when querying BIG-IP DNS.
- In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create
- Create a two new listeners using the defaults unless defined below.
Name: external-listener-UDP
Destination: Host: 10.1.100.53
VLAN Traffic: Enabled on..
VLANs and Tunnels: external
DNS Profile: AuthoritativeNS
Name: external-listener-TCP
Destination: Host: 10.1.100.53
VLAN Traffic: Enabled on..
VLANs and Tunnels: external
Protocol: TCP
DNS Profile: AuthoritativeNS
So up to this point we have configured your legacy DNS server to perform a DNS transfer with the BIG-IP, created a zone within ZoneRunner, performed the zone transfer from your legacy DNS device, created a DNS profile and listeners on the BIG-IP. Ok, bear with me we are almost done. Our next step is configuring the local device as a name server and then create a DNSExpress zone that you will be performing a zone transfer to using the on-box BIND instance. So let's begin.
- In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create
- In this case we will simply provide a Name and leave all other defaults.
Name: BIG-IP1
- Select Finish
In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create
Name: lyons.demo.com
Server: BIG-IP1
Notify Action: Consume
Verify Notify TSIG: Uncheck
Zone Transfer Clients: Move BIG-IP1 from Available to Active
Select Finish
In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create
Name: 198.199.10.in-addr.arpa
Server: BIG-IP1
Notify Action: Consume
Verify Notify TSIG: Uncheck
Zone Transfer Clients: Move BIG-IP1 from Available to Active
Select Finish
Now, our final step...validation. From the cli, simply run a dnsxdump to ensure records have been transferred to DNSExpress as shown below. If you would like to see zone transfers in actions, simply create a resource record within ZoneRunner and run a tail -f on the /var/log/ltm.
You are now complete and have a fully functional authoritative DNS server for your organization without the vulnerabilities of BIND or in an effort to simply consolidate services. If you have any problems at all, please don't ever hesitate to reach out directly. Now my answer may be contact support though I have no problem walking through a scenario or troubleshooting attempt with you.
Reference Documentation
Published Feb 23, 2018
Version 1.0
Thank you for taking the time to provide feedback. Next article is just around the corner!
FMA_199355Nimbostratus
Looks like images attached are from a VPN tutorial :)
Very strange. Just uploaded a new SSL VPN tutorial though it maybe modified the photo's in my existing article. Anyway, seems to be resolved now. Thanks.
- TJ_Vreugdenhil
Cirrus
Great article Steve! One note, The DNS profile name in the text does not match some of the screenshots shown. It may confuse others.
Thanks TJ! This is my ADD. When trying to write, and screenshot I forget to hit save/update/finish and use a different name that I may have used in the past when going back to recreate after my session expires. This is great feedback though. Certainly items I can validate in the future!
ePratik_284320What happends if the name server specified here (Hidden Master) goes down ? Can I specify multiple server for redundancy by any means ?
dragonflymrCirrostratus
Hi, Very good article! I am not DNS pro so I have problem with understanding last configuration steps:
- Creating Nameserver
- Creating DNSExpres Zone
What exactly those are used for? How they fit into DNS traffic flow?
Thanks in advance, Piotr
@ePratik, I apologize for the delayed response. While within the configuration options it only allows you to select a single DNS server, I don't see why this couldn't be a VS on the BIG-IP with multiple DNS servers as pool members. Then to ensure only when the primary fails would the secondary master take over you could use something like priority group activation.
@Piotr, thanks for the question. To clarify what my use case is, I am using an old off box bind server to perform a zone transfer with ZoneRunner on the BIG-IP. ZoneRunner is the BIG-IP's on box bind. From a security perspective I don't want to expose bind to external users who will be hitting my authoritative DNS server which is why I am provisioning DNSExpress to perform this function. As for the name server, I am simply configuring that to accept zone transfers from the on box bind to DNSExpress. The last screenshot shows a log that stats successful zone transfer from 127.0.0.1 which is the transfer from ZoneRunner to DNSExpress. Hope this helps.
- dragonflymr
Hi, Thanks for explanation. Still not clear :-(. Assuming we have some authoritative bind server in internal VLAN. This is set to allow zone transfer from BIG-IP Self IP (10.10.10.2).
Then zone transfer is triggered, by what BIG-IP object - Nameserver (BIG-IP1)?
If so how BIG-IP1 know to which internal bind server connect? From NS records created in Zone (DNS > Zones > ZoneRunner > Zone List)?
Or maybe BIG-IP1 is working as authoritative hidden master (not some external bind srv on internal VLAN) that is source for zone transfer to DNSExpress?
Sorry for dumb questions but I am really lost :-(
