Unbreaking the Internet and Converting Protocols
When CloudFlare took over 1.1.1.1 for their DNS service, it got me thinking about a couple of issues:
A. What do you do if you've been using 1.1.1.1 on your network? How do you unbreak the ...
Published Apr 09, 2018
Version 1.0
Eric_Chen
Employee
Joined May 16, 2013
Karim
Nov 26, 2019
Cirrostratus
After reading this very good article, I wanted to implement DNS over TLS using the BIG-IP in my lab environment. I decided to write this comment in case anyone is having the same trouble that I had and to make sure that I got everything correct.
So, the idea is the following:
- configure a simple virtual server listening on port UDP 53 (dns_listener). Assign to that virtual server a DNS Profile that in turn references a Cache Resolver profile
- configure the Cache Resolver profile to send DNS queries in TCP only
- configure a simple virtual server (kabe_vs_DNSoTLS) that listens on TCP port 853 and assign a Pool and SSL server profile to it
- configure the Cache Resolver profile to forward the zone "." (everything) to the IP address of the TCP virtual server (kabe_vs_DNSoTLS)
Please find below my configuration. Feel free to ask questions or to give me suggestions.
ltm dns cache resolver /Common/kabe_cache_resolver {
    forward-zones {
        . {
            nameservers {
                10.10.1.51:53 { }
            }
        }
    }
    route-domain /Common/0
    # use-udp no forces the resolver to send forwarded queries over TCP (2-byte length-prefixed framing)
    use-udp no
}
ltm profile dns /Common/kabe_dns_profile {
    app-service none
    cache /Common/kabe_cache_resolver
    defaults-from /Common/dns
    enable-cache yes
}
ltm virtual /Common/dns_listener {
    creation-time 2019-11-25:21:06:30
    destination /Common/10.10.1.50:53
    ip-protocol udp
    last-modified-time 2019-11-25:22:42:12
    mask 255.255.255.255
    profiles {
        /Common/kabe_dns_profile { }
        # udp_gtm_dns is a standard UDP layer 4 profile
        /Common/udp_gtm_dns { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
ltm pool /Common/kabe_DNSoTLS {
    members {
        /Common/1.1.1.1:853 {
            address 1.1.1.1
        }
    }
    # gateway_icmp only checks that 1.1.1.1 answers ping; it does not confirm that port 853 accepts TLS
    monitor /Common/gateway_icmp
}
ltm virtual /Common/kabe_vs_DNSoTLS {
    creation-time 2019-11-25:21:14:12
    destination /Common/10.10.1.51:53
    ip-protocol tcp
    last-modified-time 2019-11-25:23:44:16
    mask 255.255.255.255
    pool /Common/kabe_DNSoTLS
    profiles {
        /Common/f5-tcp-lan {
            context clientside
        }
        /Common/f5-tcp-wan {
            context serverside
        }
        # I used the default Server SSL profile
        # (the default serverssl leaves peer-cert-mode at ignore, so the upstream certificate is not validated)
        /Common/serverssl {
            context serverside
        }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    # the virtual listens on 10.10.1.51:53; translate-port rewrites the destination to the pool member's port 853
    translate-address enabled
    translate-port enabled
}
Hope it helps,
Many thanks
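Added here as an illustration, not code from the article or from Karim's comment: a small Python client that does from the resolver's side what the BIG-IP path above does, building a DNS query, applying the 2-byte length prefix that DNS over TCP (and therefore the `use-udp no` forwarder) requires, sending it to the pool member 1.1.1.1 on port 853 over TLS and parsing the answer. The SNI name `cloudflare-dns.com`, the query name and the constructed response bytes used to exercise the parser are assumptions.

```python
import secrets, socket, ssl, struct

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    # Minimal DNS query: RD set, one question, class IN, no EDNS.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(message: bytes) -> bytes:
    # DNS over TCP and TLS prefix each message with a 2-byte length (RFC 1035 s4.2.2).
    return struct.pack("!H", len(message)) + message

def _skip_name(msg: bytes, off: int) -> int:
    while not msg[off] & 0xC0 and msg[off]:      # walk labels until root or pointer
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 else 1)   # pointer is 2 bytes, root label is 1

def parse_a_records(resp: bytes, expected_txid: int) -> list:
    # Check transaction id and rcode, then collect the A-record addresses.
    txid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4     # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query_dot(name: str, server: str = "1.1.1.1", sni: str = "cloudflare-dns.com"):
    # Resolve over DNS-over-TLS (port 853). The default context requires a certificate
    # valid for sni (assumed name), a check a serverssl profile left at peer-cert-mode ignore skips.
    ctx, txid = ssl.create_default_context(), secrets.randbits(16)
    with socket.create_connection((server, 853), timeout=5) as sock, \
         ctx.wrap_socket(sock, server_hostname=sni) as tls:
        tls.sendall(frame_tcp(build_query(name, txid)))
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a full reply")
            data += chunk
    return parse_a_records(data[2:], txid)
```

Pointing `query_dot` at 1.1.1.1 directly, then at a resolver that only reaches it through the BIG-IP path, is a quick way to confirm that the TCP framing and port translation are doing what the configuration intends.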