Replacing a DNS Server with F5 BIG-IP DNS

First things first: you have decided to deploy F5 BIG-IP DNS to replace a BIND server after your information assurance officer or your friendly LinkedIn community notified you that additional CVEs have been identified for the version of BIND you are running. In this particular instance you already have a BIG-IP in your DMZ acting as your reverse proxy. You purchased the Best bundle but have only deployed the modules you know, APM and LTM (a common scenario).

After upgrading to version 13 (released in February 2017) and determining the latest hotfix using https://support.f5.com/csp/article/K9502, navigate within the TMUI to System > Resource Provisioning and provision the DNS module.

Once provisioning is complete, configure your existing BIND server to allow zone transfers to the BIG-IP. In this case the transfer is permitted to a self IP on the BIG-IP (10.10.10.2 below).

Without the BIG-IP self IP defined: allow-transfer { localhost; };
With the BIG-IP self IP defined: allow-transfer { localhost; 10.10.10.2; };

Once you have allowed the zone transfer, create the zone on the BIG-IP and perform the zone transfer.

  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List. The Zone List screen opens.
  2. Click Create. The New Zone screen opens.
  3. From the View Name list, select the view that you want this zone to be a member of. Note: The default view is external.
  4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.lyons.demo.com.
  5. From the Zone Type list, select Master.
  6. From the Records Creation Method list, select Transfer from Server.
  7. Within Options, include the following:
     allow-update { localhost;};
     allow-transfer { localhost; };
     also-notify { ::1 port 5353; };
  8. In the Records Creation area, type the values for the SOA and NS record parameters.
  9. Click Finished.

You may be asking yourself at this point, "I thought ZoneRunner was a BIND instance?" You are correct, which is why we are going to slave from the on-box BIND: BIND is never accessible externally, and only DNSExpress responds to DNS queries. Can you slave from an off-box DNSExpress instance? Of course, though that is outside the scope of this article.

Prior to creating the DNS profile and listeners, we are going to configure DNS logging. For this use case, logging goes to the on-box syslog instance.

  1. In the GUI, navigate to: System > Logs > Configuration > Log Publishers: Create
  2. Create a new DNS Log Publisher using the defaults unless defined below.

Name: dns-local-syslog

Destinations: Move local-syslog to the Selected column


  1. In the GUI, navigate to: DNS > Delivery > Profiles > Other > DNS Logging: Create
  2. Create a new DNS Logging profile using the defaults unless defined below.

Name: dns-logging

Log Publisher: Select dns-local-syslog

Log Responses: Enabled

Include Query ID: Enabled

Note: For the purposes of this article, we are going to enable all DNS logging options.


Now that logging is set up for use by our DNS profile, we are going to go ahead and create that profile.

  1. In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create
  2. Create a new DNS profile using the defaults unless defined below.

Name: AuthoritativeNS

Unhandled Query Action: Drop

Use BIND Server on BIG-IP: Disabled

Logging: Enabled

Logging Profile: dns-logging


Now that we have created our DNS profile, we are going to create our DNS listeners. Remember, the BIG-IP is a default-deny device: without something to listen on, all attempts to connect to or query the BIG-IP will be denied.

We are going to create external listeners whose address will be the target IP when querying BIG-IP DNS.

  1. In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create
  2. Create two new listeners using the defaults unless defined below.

Name: external-listener-UDP

Destination: Host: 10.1.100.53

VLAN Traffic: Enabled on...

VLANs and Tunnels: external

DNS Profile: AuthoritativeNS


Name: external-listener-TCP

Destination: Host: 10.1.100.53

VLAN Traffic: Enabled on...

VLANs and Tunnels: external

Protocol: TCP

DNS Profile: AuthoritativeNS


Up to this point we have configured the legacy DNS server to allow a zone transfer to the BIG-IP, created a zone within ZoneRunner, transferred the zone from the legacy DNS server, and created a DNS profile and listeners on the BIG-IP. Bear with me, we are almost done. The next step is to configure the local device as a nameserver and then create a DNSExpress zone that will be populated by a zone transfer from the on-box BIND instance. So let's begin.

  1. In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create
  2. In this case we will simply provide a Name and leave all other defaults.

Name: BIG-IP1

  3. Select Finish


In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create

Name: lyons.demo.com

Server: BIG-IP1

Notify Action: Consume

Verify Notify TSIG: Uncheck

Zone Transfer Clients: Move BIG-IP1 from Available to Active

Select Finish


In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create

Name: 198.199.10.in-addr.arpa

Server: BIG-IP1

Notify Action: Consume

Verify Notify TSIG: Uncheck

Zone Transfer Clients: Move BIG-IP1 from Available to Active

Select Finish


Now for the final step: validation. From the CLI, run dnsxdump to ensure the records have been transferred to DNSExpress. If you would like to see zone transfers in action, create a resource record within ZoneRunner and run tail -f on /var/log/ltm.
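To validate the listeners from the outside as well, here is an added example (not F5's code and not part of the original article): a standard-library Python script that builds raw DNS queries, sends an A query over UDP and TCP to the external listener and checks for an authoritative NOERROR answer, then sends an AXFR over TCP from a host that is not in the zone's Zone Transfer Clients list and checks that no zone data comes back. The listener address 10.1.100.53 and the zone lyons.demo.com are taken from the article; that an unauthorized transfer is answered with REFUSED rather than silently dropped is an assumption.

```python
import socket
import struct

LISTENER = "10.1.100.53"   # external listener destination from the article
ZONE = "lyons.demo.com"    # zone name from the article
QTYPE_A, QTYPE_AXFR = 1, 252
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype, qid=0x1234):
    """Minimal DNS query on the wire: header (RD=0, one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lb)]) + lb.encode() for lb in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Fields of the 12-byte DNS header needed for the checks below."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ancount": an, "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}

def verdict(query, response):
    """A query: expect authoritative NOERROR. AXFR from a non-transfer-client: expect REFUSED (assumed)."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatched or non-response"
    qtype = struct.unpack("!H", query[-4:-2])[0]   # build_query ends with QTYPE, QCLASS
    if qtype == QTYPE_AXFR:
        return "ok" if r["rcode"] == "REFUSED" and r["ancount"] == 0 else "zone transfer not refused"
    return "ok" if r["aa"] and r["rcode"] == "NOERROR" else "not authoritative: " + r["rcode"]

def exchange(query, tcp=False, server=LISTENER, timeout=3.0):
    """Send one query to the UDP or TCP listener; TCP DNS carries a 2-byte length prefix."""
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(4096)
    with socket.create_connection((server, 53), timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))[0]
        return s.recv(length, socket.MSG_WAITALL)

if __name__ == "__main__":
    for qtype, tcp in ((QTYPE_A, False), (QTYPE_A, True), (QTYPE_AXFR, True)):
        q = build_query(ZONE, qtype)
        try:
            print(qtype, "tcp" if tcp else "udp", verdict(q, exchange(q, tcp)))
        except socket.timeout:
            print(qtype, "tcp" if tcp else "udp", "no response (dropped)")
```

A socket timeout is reported as dropped, which is the expected outcome for anything the AuthoritativeNS profile does not handle (Unhandled Query Action: Drop).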



You are now done and have a fully functional authoritative DNS server for your organization, whether the goal was to get away from the vulnerabilities of BIND or simply to consolidate services. If you have any problems at all, please don't hesitate to reach out directly. My answer may be "contact support", but I have no problem walking through a scenario or troubleshooting attempt with you.

Reference Documentation

https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-0-0/6.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-dns-services-implementations-13-0-0/1.html

Published Feb 23, 2018
Version 1.0