After feedback on DevCentral and by direct email, it seems there is still confusion about how to configure the BIG-IP to perform name resolution. A common scenario among my own customers is a BIG-IP that acts as an authoritative DNS server and, at the same time, as a transparent DNS server that forwards lookups to another source. With that in mind, this article walks through the steps of configuring the BIG-IP as a resolving (recursive) caching DNS server. Before we get started, here are the F5 support definitions of each cache type the BIG-IP provides.
About the transparent DNS cache
You can configure a transparent cache on the BIG-IP® system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.
About the resolver DNS cache
You can configure a resolver cache on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the name servers the system queries to resolve DNS queries.
About the validating resolver DNS cache
You can configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.
Ok, now with that out of the way, let's get started! One caveat before we do: the cache type built below is a plain Resolver. It recurses and caches, but it does not perform DNSSEC validation, so clients receive whatever the forwarders or authoritative servers return. If you need the BIG-IP to validate signatures before answering clients, choose Validating Resolver instead and follow the same steps.
Prerequisites
BIG-IP DNS licensed and provisioned.
An external route from the BIG-IP to the Internet (or at least to the forwarders you define below), so the resolver can reach the root servers and upstream nameservers.
Create a Resolver Cache
Navigate to DNS >> Caches >> Cache List and click Create.
Name: demo_resolver_cache
Resolver Type: Resolver
Note: If Root Hints is left at its default, the cache uses the F5-defined root hints. On an air-gapped or classified network the public root servers are unreachable, so you will need to define your own network's root hint servers instead.
Also, if you rely on root hints alone, you may see timeouts during name resolution while the resolver walks the delegation chain from the root. To improve this, we create a Forward Zone, which lets us define another source to send lookups to instead of resolving them from the root.
Click the cache created in the previous steps.
Click the Forward Zones tab and click Create.
Name: the domain whose lookups should be forwarded. To forward everything the cache cannot answer itself, use the root zone ".".
Nameservers: 126.96.36.199 & 188.8.131.52
Forward only to nameservers you trust: with a plain Resolver cache, whatever the forwarders return is cached and handed to your clients without DNSSEC validation.
Create a DNS Profile
Navigate to DNS >> Delivery >> Profiles >> DNS and click Create.
Name: demo_dns_profile
DNS Cache: Enabled
DNS Cache Name: demo_resolver_cache
Use BIND Server on BIG-IP: Disabled
Leave BIND disabled so the listener answers from the resolver cache rather than handing queries to the local named process.
Create a DNS Listener
Navigate to DNS >> Delivery >> Listeners >> Listener List and click Create.
Give the listener a name and, as its destination, the IP address your clients will point to as their DNS server.
Source Address Translation: Auto Map
DNS Profile: demo_dns_profile
Two things to check here before moving on. First, a listener is created for one protocol; create a matching TCP listener on the same address, because clients retry over TCP when a UDP answer is truncated (large answers, DNSSEC records). Second, do not expose this listener to the Internet: a recursive resolver that answers anyone is an open resolver and will be abused for DNS amplification and cache probing. Enable the listener only on your internal VLANs (the listener's VLAN setting) and restrict the client source addresses that may query it, for example with a firewall rule or an iRule.
Validate Successful Name Resolution
From a workstation that will use the BIG-IP to resolve queries, point its DNS client at the listener address and resolve a name (for example with nslookup or dig). The first lookup is resolved recursively; repeating it should return the same answer with a lower TTL, which tells you the second answer came from the cache.
From the BIG-IP itself you can also run dig, which is an extremely useful tool.
Launch an SSH session to your BIG-IP using PuTTY or the client of your choice.
Run the following command to list the resource records now held in the cache:
tmsh show ltm dns cache records rrset cache demo_resolver_cache
The name you just resolved from the workstation should appear in the output.
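As an added example (my own code, not F5's and not part of the original article), here is a small Python tool that performs the workstation check without relying on dig or nslookup: it sends a raw DNS query to the listener, parses the header flags and answer TTLs, confirms the listener answered recursively (RA set, not authoritative, NOERROR) and compares two successive answers to confirm the repeat was served from the cache. The listener address (192.0.2.53) and the query name are placeholders you replace with your own, and the packets built by build_sample_response() are constructed for offline checks rather than captured traffic. It is also worth running this from an external vantage point: a correctly restricted listener should not return a recursive answer to an outside host.

```python
"""Check a BIG-IP DNS listener with raw DNS queries (added example, not F5 code).

Assumptions: LISTENER is the listener address you created (placeholder below) and
NAME is any public name the resolver can reach; build_sample_response() produces
constructed packets for offline checks, not captured traffic.
"""
import random
import socket
import struct
import sys
import time

LISTENER = "192.0.2.53"   # placeholder: your listener's destination address
NAME = "www.example.com"  # any name the resolver can reach through its forwarders


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, rd=True, txid=None):
    """Build a query; RD=1 asks the listener to recurse, which a resolver cache honours."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset if end is None else end


def parse_response(data):
    """Return header flags and the answer section (A rdata rendered as dotted quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def recursion_ok(resp):
    """A resolver cache answers recursively: RA set, not authoritative, NOERROR, not truncated."""
    return resp["qr"] and resp["ra"] and not resp["aa"] and not resp["tc"] and resp["rcode"] == 0


def served_from_cache(first, second):
    """Same RRset with strictly lower TTLs on the repeat means the cache answered, not a new lookup."""
    key = lambda r: (r["name"], r["type"], str(r["rdata"]))
    ttl1 = {key(r): r["ttl"] for r in first["answers"]}
    ttl2 = {key(r): r["ttl"] for r in second["answers"]}
    return bool(ttl1) and ttl1.keys() == ttl2.keys() and all(ttl2[k] < ttl1[k] for k in ttl1)


def build_sample_response(txid, name, ip, ttl, flags=0x8180):
    """Construct a one-answer A response for offline checks (constructed, not captured)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def query(server, name, timeout=3.0):
    """Send one UDP query to the listener and return the parsed response."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else LISTENER
    first = query(server, NAME)
    time.sleep(2)                                      # let the cached TTL tick down
    second = query(server, NAME)
    print("recursion ok:", recursion_ok(first))
    print("served from cache on repeat:", served_from_cache(first, second))
```

Run it as `python3 check_listener.py <listener-ip>` from an internal workstation and expect both lines to print True. From outside your network the same command should time out or report `recursion ok: False`; a True there means the listener is an open resolver and the VLAN or source-address restriction from the listener step is missing.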
You have now configured your BIG-IP to perform name resolution as a recursive DNS server and to cache the responses for faster subsequent lookups. I hope that, between this article and the others, it helps clarify some of the questions about the recursive and authoritative DNS capabilities the BIG-IP provides.