For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Unbreaking the Internet and Converting Protocols

When CloudFlare took over 1.1.1.1 for their DNS service; this got me thinking about a couple of issues: A. What do you do if you’ve been using 1.1.1.1 on your network, how do you unbreak the ...
Published Apr 09, 2018
Version 1.0
application delivery
BIG-IP DNS
iRulesLX
security
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Apr 12, 2018

Hi,

 

Very good article. But I have to admit it's quite a challenge for me to figure out everything described. For example resolving first issue. My assumptions for setup involving BIG-IP are:

 

  • Internet router is still configured with static route 1.1.1.1/32 gw 192.168.1.66 (probably 1.1.1.1 is configured on Linux loopback here?)
  • You actually cheating a bit :-) as with above config you are really not able to send DNS request to 1.1.1.1 on the Internet, sure if 1.0.0.1 is as well DNS it's working but what if not? With such router setup it's not possible to really send traffic destined to 1.1.1.1 to the Internet - or I am missing something here?

DNS over TLS

 

Sorry for lame question but I am by far no DNS expert. As far as I understand DNS caches on BIG-IP for your setup two VS are required:

 

  • VS (DNS_vs - my name here) to accept actual client DNS request (over UDP?) with DNS profile attached. Profile has DNS cache enabled with your resolver cache selected (CF)
  • VS (dns_over_tls) doing TLS encryption (one configured in resolver cache Forwarding Zones tab)

Now how UDP is converted to TCP? dns_over_tls VS is TCP protocol, so it will not accept UDP packets. Will DNS_vs respond to clients requesting resending DNS queries over TCP? Some other way?

 

DNS over HTTPS

 

This is hard because I am not familiar with both RFC and JavaScript (iRuleLX - know the basic but never used).

 

I am not sure how previously configured (192.168.1.254) is used by iRuleLX - as proxy to send HTTPS request to cloudflare-dns.com?

 

So rule is just generating HTTP request with DNS binary (base64 encoded) inserted as HTTP payload and VS is just encrypting it and sending to cloudflare? Then response from cloudflare is decrypted by VS returned back to rule, HTTP payload extracted (being binary DNS response) and returned to iRule and then to requesting client - is that more or less how it works?

 

Is the same configuration as for DNS over TLS used by 192.168.1.254 VS or it has to be updated? What actually is in the VS Pool - list of DNS servers accepting TLS (or HTTPS) encrypted DNS requests?

 

Piotr