Configuring the F5 BIG-IP to Perform Name Resolution Using a DNS Resolver Cache

Steve_Lyons · ‎06-Dec-2018

After feedback on both DevCentral and direct email, it seems as though there is still confusion or a lack of clarity around how to configure the BIG-IP to perform name resolution. A common scenario of my own customers is to configure the BIG-IP as an authoritative DNS server as well as a transparent DNS server that forwards lookups to another source. With that, I wanted to take some time to walk through the steps of configuring the BIG-IP to be a resolving cache DNS server. However, before we get started I wanted to provide the F5 support definition of each cache type provided by the BIG-IP.

About the transparent DNS cache

You can configure a transparent cache on the BIG-IP® system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.

About the resolver DNS cache

You can configure a resolver cache on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the name servers the system queries to resolve DNS queries.

About the validating resolver DNS cache

You can configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.

Ok, now with that out of the way, let's get started!

Prerequisites

BIG-IP DNS licensed and provisioned.

An external internet route.

Create a Resolver Cache

Navigate to DNS >> Caches >> Cache List.
Click Create.

Name: demo_resolver_cache
Resolver Type: Resolver
Click Finished

Note: If Root Hints is left default it will use the F5 defined default root hints. If this is an air-gapped or classified network, you will need to define your network's root hint servers.

Also if you plan to use only root hints, you may experience some timeouts during name resolution. To improve name resolution, we will create a Forward Zone which allows us to define another authoritative source to do lookups against.

Click the cache created in the previous steps.
Click the Forward Zones tab.
Click Add.

Name: .
Nameservers: 8.8.8.8 & 9.9.9.9
Click Finished.

Create a DNS Profile

Navigate to DNS >> Delivery >> Profiles >> DNS.
Click Create.

Name: demo_dns_profile
DNS Cache: Enabled
DNS Cache Name: demo_resolver_cache
Use BIND Server on BIG-IP: Disabled

Click Finished.

Create a DNS Listener

Navigate to DNS >> Delivery >> Listeners >> Listener List.
Click Create.

Name: demo_dns_listener
Destination: 10.1.20.153
Source Address Translation: Auto Map

DNS Profile: demo_dns_profile
Click Finished.

Validate Successful Name Resolution

Navigate to a workstation that will be using the BIG-IP to resolve queries.
Launch a command prompt.
Type nslookup.
Type server 10.1.20.153
Attempt to query external domain names. (e.g. nfl.com, nba.com, nhl.com, abcmouse.com)

From the BIG-IP itself, you can also run a dig which is an extremely useful tool.

Validate Cache

Launch a ssh session to your BIG-IP using putty or the client of your choice.
Run the following command.

tmsh show ltm dns cache records rrset cache demo_resolver_cache

You have now successfully configured your BIG-IP instance to perform name resolution as a recursive DNS server as well as cache DNS responses for faster name resolution. I really hope between this article and others it helps clarify some of the questions out there regarding recursive and authoritative DNS capabilities the BIG-IP provides.

PK123_378843 · ‎09-Dec-2018

Nice and useful information.Thanks!!

AndreasWall · ‎26-Mar-2021

Hi,

Nice, clean configuration and explanation.

One question.

I have created a dns cache with forward zones. Each zone has a set of different nameservers configured.

The cache looks like this:

ltm dns cache resolver dns_cache_1 {

answer-default-zones yes

forward-zones {

. {

nameservers {

10.10.10.10:53 { }

10.10.10.11:53 { }

}

zone1.com. {

nameservers {

10.11.11.10:53 { }

10.11.11.11:53 { }

}

zone2.com. {

nameservers {

10.11.11.10:53 { }

10.11.11.11:53 { }

}

partition DNS_RESOLVER

route-domain /Common/100

}

At the moment, from what I can tell, the F5 will use the self IP address of the egress interface when querying those nameservers.

Is it possible to tweak this in to using another address? I tried using source-address-translation under the dns listener but no luck.

It does not have to be different IP address source depending on which set of nameservers to query. Just that it uses another IP address then the self IP's.

Is an iRule the way to go here?

We have the F5 set up in a one-armed fashion.

Thanks in advance for any comments, suggestions and solutions.