ltwagnon
Legacy Employee

This is the third in a series of DNS articles that I'm writing. The first two are:

  1. Let's Talk DNS on DevCentral
  2. DNS The F5 Way: A Paradigm Shift

 

DNS Express is a relatively new feature (it first appeared in v11.1) and one of the more powerful ones the BIG-IP offers. DNS Express lets you transfer DNS zones from your current infrastructure to the BIG-IP, which can then answer queries for those zones...and do it at blazingly fast speeds! Another benefit is that DNS Express doesn't run a full BIND, so it carries much less of the attack surface of a typical BIND deployment. Related note: as of the date of this article, BIND alone had 71 different CVE vulnerabilities (41 of those were DoS-specific).

With all this greatness at our fingertips, I want to show you how to provision the Global Traffic Manager (GTM), create a zone, configure DNS Express, and verify a successful zone transfer. I'll be using the BIND instance on the GTM as the master server (disclaimer: this is my virtual lab setup; you wouldn't normally do this in a production environment).

 

 

Provision GTM

First, navigate to System >> Resource Provisioning and check the box for Global Traffic (GTM). Make sure the module is licensed, and keep in mind that you will have to restart the BIG-IP once you provision GTM. See the screenshot below for details.

If GTM is not licensed, talk to your Sales Engineer. By the way, you can take advantage of our new Good, Better, Best licensing model and save yourself time and money; with the "Best" option you get essentially every module F5 has to offer.

[Screenshot: System >> Resource Provisioning with Global Traffic (GTM) checked]

Create a Listener

Once GTM is provisioned, it's time to create a listener for DNS requests (navigate to Global Traffic >> Listeners). I used the address of my external VLAN as the listener address; in a production environment you would use a dedicated listener address.

When creating a Listener, you must choose a DNS profile that has DNS Express enabled. I verified that DNS Express was enabled on the profile I selected (dns). The DNS profile is also where you enable or disable options such as IPv6-to-IPv4 translation, DNS Express, and DNSSEC, so configure the profile correctly before selecting it for the Listener.

[Screenshot: Global Traffic >> Listeners, new Listener using the dns profile]

Configure ZoneRunner

Now that the listener is created and configured, you can use the ZoneRunner utility to manage your DNS zones and resource records. With ZoneRunner you can:

  • configure a zone
  • configure the resource records that make up that zone
  • configure a view for access control
  • configure options in the named.conf file

I created a master zone named "dnstest.com" and configured the SOA and NS record details (TTL values, server names, etc). I also created two A records (www.dnstest.com and ftp.dnstest.com) and associated an IP address with each. You can see the details of the zone in the screenshot below:

[Screenshot: ZoneRunner view of the dnstest.com zone with its SOA, NS and A records]

After creating the zone, I checked the named configuration to be sure that zone transfers from the local host were allowed. You can view and modify named.conf directly from the GUI by navigating to Global Traffic >> ZoneRunner >> Named Configuration. The file also updates automatically as you make changes in the other areas of ZoneRunner, so you don't usually have to edit it by hand. In my case, I simply viewed the file to confirm that allow-transfer { localhost; }; was present...and it was! That entry is what lets the BIND server hand the dnstest.com zone to the DNS Express module. In my lab, the master is the BIND instance on the GTM; in a production environment, the master BIND server would normally be an external server.

[Screenshot: Global Traffic >> ZoneRunner >> Named Configuration showing allow-transfer { localhost; };]

In a typical setup, where the master zone is hosted outside the BIG-IP, you add a stanza like the following to named.conf on that external master (I didn't need it here because everything lives on the BIG-IP). The allow-transfer line is the one that matters for security: it scopes zone transfers to the self IP that DNS Express will source its AXFR/IXFR from, rather than leaving the zone open to anyone who asks for it; also-notify is what prompts DNS Express to pull a fresh copy when the zone changes.

zone "dnstest.com" {
    type master;
    file "var/lib/bind/dnstest.com.hosts";   // relative to the 'directory' option in named.conf
    also-notify { 1.1.1.1; };                // 1.1.1.1 is the listener address
    allow-transfer { 1.1.1.2; };             // 1.1.1.2 is the BIG-IP self IP that sources the transfer
};


DNS Express

DNS Express lets a BIG-IP act as a high-speed, authoritative secondary DNS server. The BIG-IP can perform zone transfers from multiple primary DNS servers that are responsible for different zones, transfer a zone from the local BIND server on the BIG-IP, and then serve those records faster than either the primary servers or the local BIND server could.

To use DNS Express, you create a DNS Express zone and then transfer the zone's records into it from the local BIND server or from back-end DNS servers. In the release I'm using, you set up a DNS Express zone by navigating to Local Traffic >> DNS Express Zones >> DNS Express Zone List and creating a new zone; note that DNS Express is configured under "Local Traffic" as part of the Local Traffic Manager (LTM). (Readers on 12.x and 13 report in the comments that the zone list is no longer under Local Traffic in those releases; look under the BIG-IP DNS menu instead.)

The best practice is to name the DNS Express zone after the apex of the BIND zone file (in my case, dnstest.com). The documented naming rule is that the name must begin with a letter and can contain only letters, numbers, and the underscore character; the periods between labels, as in dnstest.com, are accepted, as this example shows.

The Target IP Address is the DNS server from which you want to transfer records. In my setup, I used the default value (127.0.0.1), which is the BIND server on the BIG-IP itself. The Notify Action setting of "consume" means that NOTIFY messages are seen only by DNS Express: it "consumes" them, and the back-end DNS resources never have to handle them. This is the default setting...and it's awesome!


The Test...

After everything is configured, the zone's records should have been transferred into DNS Express. To verify this, I ran the dnsxdump command from the CLI, which dumps the contents of the DNS Express database. As the screenshot below shows, all the records transferred correctly!

[Screenshot: dnsxdump output listing the dnstest.com records]


In addition, I checked /var/log/ltm for the zone transfer message. As the screenshot below shows, the zone transfer (AXFR Transfer of zone dnstest.com) succeeded!

[Screenshot: /var/log/ltm entry reporting that the AXFR Transfer of zone dnstest.com succeeded]
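The NOTIFY-and-transfer cycle described in the DNS Express section, and the check that belongs next to the dnsxdump and log inspection above, as an added example (this is not code from the article or from F5): the script below builds the SOA query and the NOTIFY message on the wire with nothing but the Python standard library, parses the SOA answer, and compares the serial the master publishes with the serial the DNS Express listener is serving. If the listener answers with the same serial, the transfer is current; if it answers with an older one, the NOTIFY or transfer path is broken; and the AA bit tells you whether the listener is answering authoritatively. The addresses and zone name on the command line are lab assumptions, and build_soa_response only produces a constructed reply for offline testing.

```python
"""Compare SOA serials on a DNS master and a DNS Express listener.

Added example, not F5 code: builds an SOA query and a NOTIFY on the wire with
only the Python standard library, parses the SOA answer, and reports whether the
listener is in sync with, behind, or ahead of the master. Addresses and zone
name on the command line are lab assumptions.
"""
import socket
import struct
import sys

SOA, IN = 6, 1                                # RR type and class codes

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_soa_query(zone, txid=0x1234):
    """Standard query with RD set and one question: <zone> IN SOA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)

def build_notify(zone, txid=0x1234):
    """RFC 1996 NOTIFY (opcode 4, AA set): what a master sends the listener on a zone change."""
    header = struct.pack("!HHHHHH", txid, (4 << 11) | 0x0400, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)

def read_name(msg, offset):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer: remember 'end' on the first one
            end, jumped = (end if jumped else offset + 2), True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)

def parse_soa_answer(msg, txid=0x1234):
    """Return (serial, aa_flag) from an SOA reply; reject mismatched ids and error rcodes."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0xF:
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    aa = bool(flags & 0x0400)                      # authoritative answer bit
    offset = 12
    for _ in range(qd):                            # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SOA:
            _, p = read_name(msg, offset)          # MNAME
            _, p = read_name(msg, p)               # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0], aa
        offset += rdlen
    raise ValueError("no SOA record in the answer section")

def build_soa_response(zone, serial, txid=0x1234, aa=True):
    """Constructed reply, shaped as an authoritative server would send it, for offline testing."""
    flags = 0x8100 | (0x0400 if aa else 0)         # QR and RD, plus AA when authoritative
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA, IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 600, 604800, 300))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 300, len(rdata)) + rdata
    return header + question + answer

def serial_lt(a, b):
    """RFC 1982 serial arithmetic: True when a is older than b, wrap-around included."""
    return (a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31)

def sync_status(master_serial, listener_serial):
    """'in-sync', 'stale' (listener behind) or 'ahead' (listener newer than master: investigate)."""
    if master_serial == listener_serial:
        return "in-sync"
    return "stale" if serial_lt(listener_serial, master_serial) else "ahead"

def query_soa(server, zone, port=53, timeout=2.0, txid=0x1234):
    """Send one UDP SOA query and return (serial, aa_flag)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_soa_answer(data, txid)

if __name__ == "__main__":                        # usage: <master-ip> <listener-ip> <zone>
    master, listener, zone = sys.argv[1:4]
    (m_serial, _), (l_serial, l_aa) = query_soa(master, zone), query_soa(listener, zone)
    print("master=%d listener=%d aa=%s status=%s" % (m_serial, l_serial, l_aa, sync_status(m_serial, l_serial)))
```

Run it from a host that can reach both the master and the listener, for example with 127.0.0.1 as the master and the listener address from your setup. A reply whose transaction id does not match the query is discarded rather than trusted, and a listener that reports "ahead" of its master deserves a look, because a secondary should never carry a newer serial than the zone it transfers from.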

 

 

Now that you know how to configure DNS Express, you have no reason to not use it...so get out there, get it configured, and let the BIG-IP provide you with the best DNS performance you've ever experienced!

 

I also created a quick video showing how to do all the things I just wrote about in this article (provision GTM, create a listener, create a zone, etc). So, if you're more of a "hands-on, visual learner" check out the video...it's located here: https://devcentral.f5.com/s/videos/dns-express-and-zone-transfers

 

Well, that wraps it up for this article. I'll be back soon with more BIG-IP and GTM articles, so check back often!

Comments
Mohamed_Lrhazi
Altocumulus
I thought DNS Express was a feature of LTM, not GTM.
ltwagnon
Legacy Employee
Mohamed, I wanted to clarify the DNS Express question. DNS Express is not a feature of LTM...it either comes in BIG-IP GTM (or DNS SKUs) or it comes in the DNS Services add-on module to LTM. So it’s available on LTM either as GTM add-on, DNS Services add-on module, or it comes in a standalone GTM/DNS. I hope this clarifies for you. (and, thanks to Jonathan George for the awesome info on this answer!)
kva_178637
Nimbostratus
John, thank you for a great article. I do have a related question; maybe you can point me in the right direction. For internal DNS we sync our GTMs' DNS Express with AD-integrated DNS that is managed by another team. By default, CNAMEs that point to the names of servers in AWS are not being resolved to an IP by DNS Express (in contrast to the behavior of the AD-integrated DNS). Would there be some way to allow these to be resolved, besides using iRules or Wide IPs? (Thinking along the lines of some Notify Action setting or an unhandled query action.) I am looking for something that would not require us to touch DNS entries after they are added to the AD-integrated DNS by the server team, but would still let us use the great performance boost of DNS Express.
John_Heyer_1508
Cirrostratus
kva - I just left a reply on your thread: https://devcentral.f5.com/s/feed/0D51T00006i7ZshSAE
Marius_Schmid_2
Nimbostratus

For those using this article as a resource for getting familiar with BIG-IP DNS and therefore using the same setup (BIG-IP running BIND as the master and DNS Express as slave on the same machine), one short hint:

To be able to automatically update DNS Express through NOTIFY messages from the local BIND, you have to use the following statement in the configuration of named.conf, otherwise it won't work:

also-notify { ::1 port 5353; };

Also notice that it really needs to be ::1, since 127.0.0.1 did not work for me, even though I was only using IPv4 for all the listeners and so on. See also the following link, section "Configuring local BIND to send NOTIFY messages to DNS Express":

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-5-0/1.html
Marfex
Nimbostratus

Thank you Marius! You pointed me right to what I was looking for.

 

ramnath_318378
Nimbostratus

Hi John

 

Unfortunately I cannot see the DNS Express configs under "Local Traffic >> DNS Express Zones >> DNS Express Zone List". I am running a 90-day evaluation copy of BIG-IP, version 12.1.2.0.0.249, with the GTM module provisioned as Nominal.

 

Am I missing Something ?

 

Please clarify. Thanks

 

brad_11480
Nimbostratus

Wondering what version this was following. I'm on 13 and it doesn't match up; DNS Express Zones is not offered under Local Traffic. Checking my version 12 GSLB, it also doesn't show it under LTM.

 

Actually it seems 'hidden' on the Big-IP DNS section as well.

 

Mihir_Joshi
Nimbostratus

Can you please update the article again with pictures? After the recent migration of DevCentral, the pictures are not visible on this article.

 

Thanks,

 

Mihir

ltwagnon
Legacy Employee
Mihir_Joshi
Nimbostratus

@John Wagnon - Thanks.

patonbike
Cirrus

How do you force a transfer from local BIND to DNS Express after a change is made to a ZoneRunner zone? It seems to run hourly for me. Shouldn't it run immediately?

 

 

Sep 25 15:44:47 localhost notice zxfrd[7278]: 0153102c:5: IXFR Transfer of zone somedomain.com with SOA Serial 2019092501 from 127.0.0.1 succeeded.

Sep 25 17:44:47 localhost notice zxfrd[7278]: 0153102c:5: IXFR Transfer of zone somedomain.com with SOA Serial 2019092504 from 127.0.0.1 succeeded.
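The zxfrd messages in /var/log/ltm (the AXFR line the article checks in its test section, and the IXFR lines quoted in the comment above) are also what you would monitor in production. As an added example that is not part of the article or of any comment, the script below parses those messages and reports, per zone, the last serial transferred, whether the last successful transfer is older than a threshold, how many transfers have failed since, whether a serial ever went backwards, and whether a transfer came from a source other than the configured master. The sample log is constructed: its first two lines are the ones quoted above, the "failed" wording is an assumption (the page shows no failure message), and the mcpd line is filler that the parser ignores.

```python
"""Summarise DNS Express transfer messages (zxfrd) from /var/log/ltm.

Added example, not F5 code. ZXFRD_RE matches the 'succeeded' message shown on
this page; the sample log is constructed (two lines are copied from the
comments, the 'failed' wording is assumed, the mcpd line is filler).
"""
import re
from datetime import datetime, timedelta

ZXFRD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+\w+\s+zxfrd\[\d+\]:\s+\S+:\d+:\s+"
    r"(?P<kind>AXFR|IXFR) Transfer of zone (?P<zone>\S+) with SOA Serial (?P<serial>\d+) "
    r"from (?P<src>\S+) (?P<result>succeeded|failed)\b"
)

SAMPLE_LOG = """\
Sep 25 15:44:47 localhost notice zxfrd[7278]: 0153102c:5: IXFR Transfer of zone somedomain.com with SOA Serial 2019092501 from 127.0.0.1 succeeded.
Sep 25 17:44:47 localhost notice zxfrd[7278]: 0153102c:5: IXFR Transfer of zone somedomain.com with SOA Serial 2019092504 from 127.0.0.1 succeeded.
Sep 25 17:50:02 localhost notice zxfrd[7278]: 0153102c:5: AXFR Transfer of zone dnstest.com with SOA Serial 2014022701 from 127.0.0.1 succeeded.
Sep 25 18:03:11 localhost notice mcpd[5432]: constructed filler line that the parser must ignore
Sep 25 18:10:09 localhost notice zxfrd[7278]: 0153102c:5: AXFR Transfer of zone example.net with SOA Serial 42 from 10.0.0.5 failed.
"""
SAMPLE_NOW = datetime(2019, 9, 25, 19, 0, 0)      # constructed 'current time' for the sample

def parse_zxfrd(lines, year):
    """Return one dict per zxfrd transfer message; syslog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = ZXFRD_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S"),
            "kind": m["kind"], "zone": m["zone"].rstrip("."),
            "serial": int(m["serial"]), "src": m["src"], "result": m["result"],
        })
    return events

def summarize(events, now, max_age=timedelta(hours=2), expected_sources=frozenset()):
    """Per zone: last good serial and time, failures since, staleness, and unexpected sources."""
    report = {}
    for e in events:
        z = report.setdefault(e["zone"], {"serial": None, "last_ok": None, "failures": 0,
                                          "regressed": False, "unexpected_src": set()})
        if expected_sources and e["src"] not in expected_sources:
            z["unexpected_src"].add(e["src"])       # transfer from somewhere other than the master
        if e["result"] == "succeeded":
            if z["serial"] is not None and e["serial"] < z["serial"]:
                z["regressed"] = True              # serial went backwards: check the master
            z["serial"], z["last_ok"], z["failures"] = e["serial"], e["ts"], 0
        else:
            z["failures"] += 1
    for z in report.values():
        z["stale"] = z["last_ok"] is None or now - z["last_ok"] > max_age
    return report

if __name__ == "__main__":
    report = summarize(parse_zxfrd(SAMPLE_LOG.splitlines(), 2019), SAMPLE_NOW,
                       expected_sources={"127.0.0.1"})
    for zone, z in sorted(report.items()):
        print("%-15s serial=%-10s last_ok=%s failures=%d stale=%s regressed=%s unexpected=%s" % (
            zone, z["serial"], z["last_ok"], z["failures"], z["stale"], z["regressed"],
            sorted(z["unexpected_src"])))
```

To run it against a real box, feed it the lines of /var/log/ltm and the current year instead of SAMPLE_LOG and SAMPLE_NOW; set max_age to a little more than the zone's refresh interval so that a zone whose NOTIFY path has broken (the situation the comment above describes) shows up as stale rather than merely quiet.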

 

DrLight
Nimbostratus

Are DNS Express and zone transfers with DNSSEC recommended on one appliance?

 

Version history
Last update:
‎27-Feb-2014 18:45