For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Replacing a DNS Server with F5 BIG-IP DNS

First things first, you have decided to deploy F5 BIG-IP DNS to replace a BIND server after receiving notifications from your information assurance officer or your friendly LinkedIn community that ad...
Published Feb 23, 2018
Version 1.0
application delivery
BIG-IP
BIG-IP DNS
dns
gtm
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
Misty_Spillers's avatar
Misty_Spillers
Icon for Nimbostratus rankNimbostratus
Oct 30, 2018

That would stop all traffic though, I just wanted to stop recursion. Almost seems like I would have to have 2 listeners. One for DNSExpress to answer for zones it is authoritative for and one for normal DNS queries that our customers would use. IS that how it works? I really don't want the Internet to have access to recursion. When I had BIND accessible it was respecting the named.conf settings on recursion

 

EDIT: Actually it looks like this is the kind of iRule I need. It's a bit of reading. https://devcentral.f5.com/articles/dns-irules-protect-yourself-from-amplification-attacks