on 06-Dec-2018 03:00
After feedback on both DevCentral and by direct email, it seems there is still confusion, or at least a lack of clarity, around how to configure the BIG-IP to perform name resolution. A common scenario among my own customers is to configure the BIG-IP both as an authoritative DNS server and as a transparent cache that forwards lookups to another source. With that in mind, I wanted to walk through the steps of configuring the BIG-IP as a resolving (recursive) cache DNS server. Before we get started, here is the F5 support definition of each cache type the BIG-IP provides.
You can configure a transparent cache on the BIG-IP® system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.
You can configure a resolver cache on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the name servers the system queries to resolve DNS queries.
You can configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.
One clarification on that last definition: DNSSEC validation checks the signatures on the returned records against the configured trust anchors, so it proves that the data is authentic, not which server sent it. Ok, now with that out of the way, let's get started!
Note: If the Root Hints field is left at its default, the resolver uses the root hints shipped with the BIG-IP, which point at the public Internet root servers. On an air-gapped or classified network those servers are unreachable, so you will need to replace them with your network's own root hint servers.
Also, if you rely only on root hints, the resolver has to walk the delegation chain from the root for every name that is not already cached, and you may see timeouts during name resolution. To improve this, we will create a Forward Zone, which lets us point a zone (or every zone, using "." as the zone name) at another nameserver, typically an existing internal resolver, instead of recursing from the root for it.
To verify that responses are being cached, list the resource record sets currently held in the cache from tmsh:
tmsh show ltm dns cache records rrset cache demo_resolver_cache
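The same configuration built from tmsh rather than the GUI, as an added example that is not part of the original article. The cache, profile, listener and zone names, the RFC 5737 documentation addresses, the internal client range on the listener, and the use of an LTM virtual server (rather than a GTM listener) as the DNS listener are all assumptions for illustration; the root-hints syntax in particular should be checked against your software version.

```tmsh
# Added example (not from the original article). Run from a tmsh prompt.
# All names and addresses are placeholders chosen for illustration.

# 1. Resolver cache with a forward zone for "." that sends every query the
#    cache cannot answer to two internal resolvers instead of walking from the
#    root, plus a second forward zone for an internal domain.
create ltm dns cache resolver demo_resolver_cache forward-zones add { . { nameservers add { 192.0.2.53:53 { } 192.0.2.54:53 { } } } corp.example. { nameservers add { 198.51.100.53:53 { } } } }

# 2. Root hints for an air-gapped network. The public root servers are
#    unreachable there, so replace the defaults with your own root servers.
#    (Argument format is an assumption; confirm with "help ltm dns cache resolver".)
modify ltm dns cache resolver demo_resolver_cache root-hints replace-all-with { 10.100.0.1 10.100.0.2 }

# 3. DNS profile that answers from the resolver cache. use-local-bind is off
#    because nothing is meant to reach the local BIND, and unhandled queries
#    are dropped rather than passed through to whatever sits behind the
#    listener.
create ltm profile dns demo_resolver_dns defaults-from dns enable-cache yes cache demo_resolver_cache use-local-bind no enable-dns-express no unhandled-query-action drop

# 4. Listeners on UDP and TCP (TCP is needed for truncated responses and zone
#    transfers). "source" restricts which clients may query; without it, a
#    listener reachable from the Internet is an open resolver.
create ltm virtual demo_resolver_listener_udp destination 10.1.1.100:53 ip-protocol udp source 10.0.0.0/8 profiles add { udp demo_resolver_dns }
create ltm virtual demo_resolver_listener_tcp destination 10.1.1.100:53 ip-protocol tcp source 10.0.0.0/8 profiles add { tcp demo_resolver_dns }

# 5. Verify: send a few queries at 10.1.1.100 from an internal client, then
#    list what the cache holds and look at its hit/miss statistics.
show ltm dns cache records rrset cache demo_resolver_cache
show ltm dns cache resolver demo_resolver_cache

save sys config
```

The "." forward zone means root hints are only consulted if no forward zone matches, so on a network where every lookup should go through the internal resolvers you can leave the hints in place as a fallback. If you only want specific zones forwarded and everything else recursed from the root, drop the "." entry and keep the per-zone entries.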
You have now configured your BIG-IP to perform name resolution as a recursive DNS server and to cache the responses for faster name resolution. I hope that, between this article and others, this helps clarify some of the questions out there regarding the recursive and authoritative DNS capabilities the BIG-IP provides.
Hi,
Nice, clean configuration and explanation.
One question.
I have created a DNS cache with forward zones. Each zone has a set of different nameservers configured.
The cache looks like this:
ltm dns cache resolver dns_cache_1 {
    answer-default-zones yes
    forward-zones {
        . {
            nameservers {
                10.10.10.10:53 { }
                10.10.10.11:53 { }
            }
        }
        zone1.com. {
            nameservers {
                10.11.11.10:53 { }
                10.11.11.11:53 { }
            }
        }
        zone2.com. {
            nameservers {
                10.11.11.10:53 { }
                10.11.11.11:53 { }
            }
        }
    }
    partition DNS_RESOLVER
    route-domain /Common/100
}
At the moment, from what I can tell, the F5 will use the self IP address of the egress interface when querying those nameservers.
Is it possible to tweak this into using another address? I tried using source-address-translation under the DNS listener but had no luck.
It does not have to be a different source IP address depending on which set of nameservers is queried, just another IP address than the self IPs.
Is an iRule the way to go here?
We have the F5 set up in a one-armed fashion.
Thanks in advance for any comments, suggestions and solutions.