on 23-Feb-2018 05:00
First things first, you have decided to deploy F5 BIG-IP DNS to replace a BIND server after receiving notifications from your information assurance officer or your friendly LinkedIn community that additional CVE's have been identified for the version of BIND you are running. In this particular instance you already have a BIG-IP in your DMZ acting as your reverse proxy. You have purchased the best bundle though have only deployed what you know, APM and LTM (common scenario).
After upgrading to version 13 after its release in February 2017 and then determining the latest hotfix using https://support.f5.com/csp/article/K9502, you navigate within the TMUI to System > Resource Provisioning and simply provision DNS.
Once complete you will need to configure your existing BIND server to allow zone transfers to the BIG-IP. In this case, we will define a self-IP on the BIG-IP.
Without the BIG-IP Self IP Defined "allow-transfer { localhost;};"
With the BIG-IP Self IP Defined "allow-transfer { localhost; 10.10.10.2;};"
Once you have allowed the zone transfer, you will create the zone on the BIG-IP and perform the zone transfer.
allow-update { localhost;}; allow-transfer { localhost; }; also-notify { ::1 port 5353; };
Ok, so you might be asking yourself right about now, "I thought ZoneRunner was a BIND instance?" In this scenario you are correct which is why we are going to slave from on-box BIND to ensure BIND is never accessible externally and we only respond to DNS queries using DNSExpress. Now can you slave from an off-box DNSExpress instance, of course though that is outside the scope of this article.
Prior to creating our DNS profile and listeners, we are going to configure DNS logging. For this use case, we are going to configure logging to the on-box syslog instance.
Name: dns-local-syslog
Destinations: Move local-syslog to the Selected column
Name: dns-logging
Log Publisher: Select dns-local-syslog
Log Responses: Enabled
Include Query ID: Enabled
Note: For the purposes of this article, we are going to enable all DNS logging options.
Now that we have logging set up to use by our DNS profile, we are going to going ahead and create that object.
Name: AuthoritativeNS
Unhandled Query Action: Drop
Use BIND Server on Big-IP: Disabled
Logging: Enabled
Logging Profile: dns-logging
Now that we have created our DNS profile, we are going create our DNS listeners. Remember, F5 is a default deny device so without creating something to listen on all attempts to connect to or query the BIG-IP will be denied.
We are going to create external Listeners that will be our target IP address when querying BIG-IP DNS.
Name: external-listener-UDP
Destination: Host: 10.1.100.53
VLAN Traffic: Enabled on..
VLANs and Tunnels: external
DNS Profile: AuthoritativeNS
Name: external-listener-TCP
Destination: Host: 10.1.100.53
VLAN Traffic: Enabled on..
VLANs and Tunnels: external
Protocol: TCP
DNS Profile: AuthoritativeNS
So up to this point we have configured your legacy DNS server to perform a DNS transfer with the BIG-IP, created a zone within ZoneRunner, performed the zone transfer from your legacy DNS device, created a DNS profile and listeners on the BIG-IP. Ok, bear with me we are almost done. Our next step is configuring the local device as a name server and then create a DNSExpress zone that you will be performing a zone transfer to using the on-box BIND instance. So let's begin.
Name: BIG-IP1
In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create
Name: lyons.demo.com
Server: BIG-IP1
Notify Action: Consume
Verify Notify TSIG: Uncheck
Zone Transfer Clients: Move BIG-IP1 from Available to Active
Select Finish
In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create
Name: 198.199.10.in-addr.arpa
Server: BIG-IP1
Notify Action: Consume
Verify Notify TSIG: Uncheck
Zone Transfer Clients: Move BIG-IP1 from Available to Active
Select Finish
Now, our final step...validation. From the cli, simply run a dnsxdump to ensure records have been transferred to DNSExpress as shown below. If you would like to see zone transfers in actions, simply create a resource record within ZoneRunner and run a tail -f on the /var/log/ltm.
You are now complete and have a fully functional authoritative DNS server for your organization without the vulnerabilities of BIND or in an effort to simply consolidate services. If you have any problems at all, please don't ever hesitate to reach out directly. Now my answer may be contact support though I have no problem walking through a scenario or troubleshooting attempt with you.
Reference Documentation
Thank you for taking the time to provide feedback. Next article is just around the corner!
Very strange. Just uploaded a new SSL VPN tutorial though it maybe modified the photo's in my existing article. Anyway, seems to be resolved now. Thanks.
Great article Steve! One note, The DNS profile name in the text does not match some of the screenshots shown. It may confuse others.
Thanks TJ! This is my ADD. When trying to write, and screenshot I forget to hit save/update/finish and use a different name that I may have used in the past when going back to recreate after my session expires. This is great feedback though. Certainly items I can validate in the future!
What happends if the name server specified here (Hidden Master) goes down ? Can I specify multiple server for redundancy by any means ?
Hi, Very good article! I am not DNS pro so I have problem with understanding last configuration steps:
What exactly those are used for? How they fit into DNS traffic flow?
Thanks in advance, Piotr
@ePratik, I apologize for the delayed response. While within the configuration options it only allows you to select a single DNS server, I don't see why this couldn't be a VS on the BIG-IP with multiple DNS servers as pool members. Then to ensure only when the primary fails would the secondary master take over you could use something like priority group activation.
@Piotr, thanks for the question. To clarify what my use case is, I am using an old off box bind server to perform a zone transfer with ZoneRunner on the BIG-IP. ZoneRunner is the BIG-IP's on box bind. From a security perspective I don't want to expose bind to external users who will be hitting my authoritative DNS server which is why I am provisioning DNSExpress to perform this function. As for the name server, I am simply configuring that to accept zone transfers from the on box bind to DNSExpress. The last screenshot shows a log that stats successful zone transfer from 127.0.0.1 which is the transfer from ZoneRunner to DNSExpress. Hope this helps.
Hi, Thanks for explanation. Still not clear :-(. Assuming we have some authoritative bind server in internal VLAN. This is set to allow zone transfer from BIG-IP Self IP (10.10.10.2).
Then zone transfer is triggered, by what BIG-IP object - Nameserver (BIG-IP1)?
If so how BIG-IP1 know to which internal bind server connect? From NS records created in Zone (DNS > Zones > ZoneRunner > Zone List)?
Or maybe BIG-IP1 is working as authoritative hidden master (not some external bind srv on internal VLAN) that is source for zone transfer to DNSExpress?
Sorry for dumb questions but I am really lost 😞
These are not dumb questions at all. If I have left anyone not 100% confident on the how and why I need to provide more details.
Assuming we have some authoritative bind server in internal VLAN. This is set to allow zone transfer from BIG-IP Self IP (10.10.10.2).
Steve: Not transfer from the BIG-IP, transfer to the BIG-IP Self IP. The BIG-IP is the client in this case as we reference receiving zone transfers from an external Bind server. This is the initial step to update the zone on the local BIG-IP Bind instance. The transfer between on box (BIG-IP) Bind and DNSExpress occurs later and is the reason for the also-notify message in the named.conf. That also notify is referring to DNSExpress.
Then zone transfer is triggered, by what BIG-IP object - Nameserver (BIG-IP1)?
Steve: The zone transfer is triggered when you create the zone in ZoneRunner. Once the zone is created, an unsolicited zone transfer request is sent from the on box (BIG-IP) Bind instance. Moving forward, in your case where you still have a hidden master, any updates will generate a NOTIFY message which is sent to the BIG-IP and the BIG-IP will request a zone transfer with those updates.
If so how BIG-IP1 know to which internal bind server connect? From NS records created in Zone (DNS > Zones > ZoneRunner > Zone List)?
Steve: Yes sir. If you notice near the top of the article it asks in the newly created zone to create NS and SOA records. This is how the BIG-IP BIND instance knows what the authoritative DNS server for that zone and where to request the zone transfers from.
Or maybe BIG-IP1 is working as authoritative hidden master (not some external bind srv on internal VLAN) that is source for zone transfer to DNSExpress?
Steve: I hope the comments above helped clarify the last question.
Keep the questions coming if it is still not clear. I can assure you I don't mind a bit and just want to help other engineers and admins feel more comfortable with the BIG-IP and its capabilities.
Hi,
Wow!! Thanks for in depth explanation. I think I understand most but still have some issues 😞
Sure I know that zone transfer will be sourced from off-box bind, what I menat was that on off-box bind zone transfers from BIG-IP self ip has to be allowed (on off-box bind) - sorry for not being precise.
You say:
The zone transfer is triggered when you create the zone in ZoneRunner.
So after saving zone DNSExpress on BIG-IP initiates zone transfer using self IP as source and configured NS IP as destination? If above is true then why to create nameserver BIG-IP1? Or BIG-IP1 is in fact responsible for doing zone transfer from off-box bind.
So flow is:
Is above correct or I mixed thing up completely?
I am especially confused why BIG-IP1 (on-box bind) is necessary here? Is that because DNSExpress is not able to send zone transfer request to off-box directly and needs on-box bind for that? Or some other reason?
Piotr
Piotr, we are on the same page now. So this article is specific to actually replacing a BIND box and no longer using an off box bind server as the authoritative DNS server in a master/slave relationship. With that, in order to provide administrators a UI to create/modify/delete records, zones, etc. you must use ZoneRunner. If you are simply trying to configure DNSExpress to accept zone transfers and respond to DNS queries versus the hidden master, you are correct that ZoneRunner is not needed. Check out the solution article below. This actually provides guidance to the question above about having multiple Authoritative DNS Servers. It covers creating a pool of DNS Servers. Hope this clarifies everything.
https://support.f5.com/csp/article/K13940auth1
Replacing DNS Server 1. Zone created in ZoneRunner (On-box bind instance), zone transfer requested by ZoneRunner to Off-box bind. 2. Off-box bind sends zone to ZoneRunner 3. Also-Notify initiates zone transfer to DNSExpress 4. Changes in ZoneRunner initiate a notify message to DNSExpress for additions, changes, deletions, etc.
Using Hidden Master 1. Zone created in DNSExpress, zone transfer requested by DNSExpress to Off-box bind. 2. Off-box bind sends zone info to DNSExpress 3. Changes on off-box bind generate notify message to send zone changes directly to DNSExpress
Hi,
I really appreciate your time and effort to explain this. Seems that I really need to refresh my knowledge about DNS on BIG-IP instead of asking no so smart questions.
I browsed trough docs I have and maybe I am a bit closer:
In this article off-box bind is used to initially feed on-box bind with existing zone data from off-box bind. After we can forget off-box bind - Am I right?
Then:
If above is correct then on-box bind is used to keep zone data on disk in opposite to DNSExpress. That is necessary to feed DNSExpress with zone data for example after BIG-IP reboot.
Am I closer to the truth now?
I assume that naming zone in ZoneRunner with db. prefix is mandatory for some reason?
What still puzzles me is if I really get why on-box bind is necessary - just to store zone file on disk?
Piotr
In this article off-box bind is used to initially feed on-box bind with existing zone data from off-box bind. After we can forget off-box bind - Am I right?
Steve: Correct
If above is correct then on-box bind is used to keep zone data on disk in opposite to DNSExpress. That is necessary to feed DNSExpress with zone data for example after BIG-IP reboot. Am I closer to the truth now?
Steve: Yes the zone data is held and managed by zonerunner. The only thing DNSExpress is doing at this point is actually responding to DNS queries for performance and security purposes.
I assume that naming zone in ZoneRunner with db. prefix is mandatory for some reason?
Steve: This is not an F5 naming convention but rather Bind in general to include all flavors.
What still puzzles me is if I really get why on-box bind is necessary - just to store zone file on disk?
Steve: DNSExpress was never designed to be a DNS management tool but rather a proprietary implementation to server up DNS responses. ZoneRunner was put in place in the event an organization does not want to interface with an off box bind or any other DNS server for that matter and let F5 perform all functions to include managing zones and records.
Off the top of my head I'll be honest I am not sure. I did some research and I personally was not able to find official numbers since much of this is based on memory resources available to the BIG-IP itself. Therefor a lot will depend on platform and DNS provisioning (dedicated, nominal or minimum). With that, I can tell you one of our teams tested up to 100k zones with memory to spare. I know this is not the answer you are looking for so I will continue to try and find more official sizing information though I cannot promise it exists.
Hi steve,
Hi Steve, my question expands a little on the last one (with no answer)
Here is what I'm thinking the answer to the first part is. When you define a zone in DNS Express it will answer the clients, not bind. At least this is what it looks like.
My question is this:
Our DNS servers need to be fully functional as there will be people using them directly for DNS. When I disable "use BIND Server on BIG-IP" recursion no longer works and it won't answer for zones it doesn't know about. (I really hope I'm saying that correctly) Is that expected? Do I have to enable "use BIND Server on BIG-IP" for this to work?
Hi Misty! I apologize for the delayed response on each of these. So, let's take a look at the different use cases.
Authoritative - Client queries BIG-IP for authoritative DNS response based on a zone it currently owns or has been granted delegation to.
High-level different configuration options. 1. DNS Express consumes zone from off box bind. 2 DNS Express consumes zone from on box bind when managed by on box bind. 3. DNS Express consumes zone from on box bind which is performing zone transfers from off box bind or other BIG-IP DNS instance.
Within the DNS profile, it is recommended to disable the use of Bind to ensure DNS Express is the only component responding to queries. Likely this will be a separate virtual server than what you are using for recursive lookups and therefore using a different DNS profile.
Recursive DNS - Client or DNS server queries BIG-IP DNS and BIG-IP DNS then queries a separate DNS instance for an authoritative DNS response and BIG-IP then provides that response to the client.
High-level different configuration options. 1. DNS Express handles recursion with no DNS caching. 2. DNS Express handles recursion with DNS caching. 3. On box bind handles DNS recursion with no DNS caching. 4. On box bind handles DNS recursion with DNS caching.
I still recommend disabling Bind here though for functionality purposes it is not required. Things to validate. Process Recursion Desired is enabled in the DNS profile which is done so by default. If you are using Bind forwarders, ensure they are configured in System > Configuration > DNS > BIND Forwarder Server List. Also if using Bind ensure recursion is enabled in the named.conf file. If you are using a pool of DNS servers (recommended), ensure it is assigned to the listener or Virtual Server. Please let me know your results and I will help get this working with you. Don't forget tools like dig, nslookup and tcpdump. I prefer dig and tcpdump when troubleshooting any DNS related issue. tcpdump ensures the client is actually hitting my DNS listener and dig validates DNS resolution. Let me know.
Hi Steve,
Great recap, thanks a lot. You mentioned using Bind forwarders - could you explain a bit how those work and when it makes sense to use them. I was always curious about this option when configuring DNS on BIG-IP. Tried to find some good explanation but failed 😞
Piotr
Hi Piotr. I probably don't have a great answer for you but I will do my best. Also, it seems as though some of the questions/responses have been mixed together with different use cases. With that, I attempt to never use the Bind Forwarders Server List. It provides no high availability or health checking of what you are performing name resolution against. It has and will likely always be a recommended best practice to use pools when configuring the BIG-IP to act as a recursive DNS server. Also, this isn't documented and may be my own experience though I have experienced times when I expect name resolution attempts to continue down the list of BIND Forwarders and DNS servers in the system general settings though it doesn't and name resolution fails on the first attempt. This behavior was not expected from me so therefor I really like the use of DNS pools with DNS health monitors to validate the members are available. I know this probably isn't what you were looking for but I hope it convinces you to use DNS pools! 🙂
Well, not a great answer indeed 🙂 but thanks a lot for answer!
What I am actually trying to figure out is difference between entering IP in DNS Lookup Server List and BIND Forwarder Server List.
I assume that both are used by BIG-IP to perform queries (like to resolve NTP server FQDN to IP or other FQDNs BIG-IP itself has to resolve) - hope I am right here?
If is main difference between this two config options that second one allows BIG-IP to store responses in local BIND cache? So in compare to first option not every request has to be send to external DNS (if response already exist in local BIND cache)?
Or I totally misunderstand how this options work?
Piotr
Hahahaha, why didn't you say so! J/K
Sure, the DNS lookup server list specifies the name servers that the system uses to validate DNS lookups, and resolve host names.
The BIND forwarder server list specifies BIND servers that the system can use to perform DNS lookups. BIND allows you to cache and store DNS requests and responses on a local server and minimize DNSserver requests, and bandwidth.
So what this is really saying is that the DNS lookup server list is for system specific name resolution. The BIND forwarder server list is for name resolution for external entities if using the BIG-IP as a name resolution source.
Couldn't resist :-))
Wow, so my understanding was totally wrong 😞 To be 100% sure if I am getting things right - if for example FQDN nodes are used then DNS servers configured in DNS lookup server list will be used (never from BIND forwarder server list) - right?
Then if we will configure DNS listener without Pool and there are entries in BIND forwarder server list those will be used to resolve request coming to configured DNS resolver - right?
If above is correct I would never, ever figure it out from build-in help description 😞
Piotr
Hopefully these screenshots help clarify.
First I configured google DNS in the BIND forwarder server list and I am unable to resolve. I then configured it in the DNS lookup server list and can successfully resolve.
Here you can see based on name of the pool I am using different configurations. First pool I have no DNS configured and when attempting to save based on fqdn pool I receive an error to configure DNS. In the 2nd pool I configured google DNS in my BIND forwarder server list and receive an error to configure DNS when trying to save a fqdn pool. Lastly, I configured google dns in my DNS server list and can successfully create an fqdn pool.
Hope this helps clarify! Let me know.
Wow, thanks a lot for your time and effort, really appreciate!
From above it's clear that anything configured in BIND Forwarder Server list is not used by BIG-IP for internal name resolution - that is 100% clear now.
Still I am not sure in what situation IPs configured in BIND Forwarder Server list are used. Maybe some small real life example that you can share?
Thanks again,
Piotr
We really would like F5 to be an all in one DNS solution, unless you have a really good reason why it should not be. We won't have 1000s of people doing recursive DNS but we need to do it. So CAN DNS Express do recursion, with cache to the on box BIND, if yes how? I have followed your steps, but if I disable "use BIND Server on BIG-IP" recursion no longer works.
I have successfully configured DNS Express to respond to authoritative zones using the on box BIND by follow the steps in your original post. I can disable "use BIND Server on BIG-IP" and this works. just not sure about recursion. Thank you so much for all your time on this, it's been a little difficult finding someone to help with architecture, mainly because these are so many options.
All good Misty. Give me some time to create it again in my own lab and I will shoot you my config.
Misty, see the screenshots above. This is a functional recursive configuration. It really takes very little.
I'm missing something. What's in "DNSPool" I'm not sure how to reference the "on box BIND." Local address in named.conf 127.0.0.1?
Thank you again!
Ahhhh, I see. Forget about BIND altogether for recursion (my recommendation of course). Create an LTM pool with the servers your BIG-IP should be using for resolution. Attach that pool to your listener and boom. You are really just a reverse proxy for DNS lookups. I may have created older documentation which shows the BIND configuration options but again, disregard and disable BIND. Use a pool of DNS servers. Let me know.
Also, updated the comment above with screenshots to include one with the servers I have in my DNS Pool. For demo purposes I am using google and quad 9 though your organization may have other external servers to perform queries against.
I have always understood that setup, but our DNS servers are very old and we were hoping F5 could handle everything and, of course, we were told that it could, you know how it goes 🙂 So essentially we are building this from scratch and I'm hearing I need acquire additional actual DNS servers for a "recommended setup with recursion"
As for on box BIND recursion seems to work fine but it's not under any load at all. I wonder what the limitations are? We are not google, only a very small set of customers would be allowed to do recursion.
So, yes these boxes can be an all in one DNS solution with nothing more. You don't need to buy anything else. It's all about your use case. So, my typical use case is completely different from yours as my customers MUST point to a specific server for actual resolution. AD Integrated DNS > F5 Recursive DNS > Required Recursive > Internet. Now that I think it's defined, you want recursion and the BIG-IP to do all name resolution for you, the BIG-IP will use root hints to do the lookup. Give me a sec and I will send you what that looks like.
Create a resolver cache.
Code
Assign the resolver cache to the DNS profile and assign the profile to your DNS listener. The cache resolver will use root hints.
Wow, I think after all this time (I been working on this with other F5 folks) I think this is what I was looking for. Just like your profile "use BIND Server on BIG-IP" is now disable, recursion is working. As per your original profile I also set the "Unhandled Query Actions" to "drop" This also seems to work.
Thank you so much
Nice work Steve answering these requests.
Couple extra pieces of information that may support the question:
Recursive Resolver Lab Material: https://clouddocs.f5.com/training/community/dns/html/class2/module5/module5.html
There is also a great F5 DNS INE course which covers various Design and Architectures for F5 DNS in Section 1: https://streaming.ine.com/c/exam-302-big-ip-dns-specialist
Hi,
"There is also a great F5 DNS INE course which covers various Design and Architectures for F5 DNS in Section 1"
Link seems to be broken, or you have to be registered user at https://members.ine.com/auth/login?
Piotr
@Steve - DNS Cache solution is working great (did such setups in the past) but I wonder how to use to as well provide local resolution via for example DNS Express. Something like:
All Internet related queries will use root hints All queries fro company.com will use DNS Express feed from BIND - so it would be possible to manage company.com zone directly on BIG-IP. If I am not wrong it's only possible if zone is handled by local BIND?
Piotr
Steve, one more question for you.
Now that I have set up a DNS cache, it seems to be letting anyone on the Internet do recursion. I need to limit this to a couple of IP blocks. In the configuration we discussed what is the best way to do this?
Thank you!
@Piotr - You can try this link: https://ine.com/collections/f5-networks/products/exam-302-big-ip-dns-specialist
@Misty, well there are several ways to accomplish this within LTM alone. Within the listener you can define a source subnet. You can also configure allow specific vlans in the listener. If you have several subnets that you would like to allow I would recommend using an iRule to allow subnets with a default action of drop. I shared this iRule a few weeks ago on LinkedIn.
That would stop all traffic though, I just wanted to stop recursion. Almost seems like I would have to have 2 listeners. One for DNSExpress to answer for zones it is authoritative for and one for normal DNS queries that our customers would use. IS that how it works? I really don't want the Internet to have access to recursion. When I had BIND accessible it was respecting the named.conf settings on recursion
EDIT: Actually it looks like this is the kind of iRule I need. It's a bit of reading. https://devcentral.f5.com/articles/dns-irules-protect-yourself-from-amplification-attacks
@Misty, yes as mentioned in previous comments it is HIGHLY recommended to use separate virtual servers for authoritative lookups and recursive lookups. This allows you to define different security policies for both. Most large enterprises do not allow internal users to hit their external authoritative DNS servers and they certainly do not allow external users to access their recursive DNS servers. In fact many organizations have separate servers for these functions but because F5 is a full proxy and allows for granular security per virtual server you can host both functions on a single BIG-IP. With all of this you as an organization need to determine your security requirements and implement your BIG-IP in a manner that allows you to meet those requirements. F5 as a product can perform an unbelievable amount of technical functions though the engineers developing the solution should determine how and if you should.
Ok now with all of that if you really want to use a single virtual server to restrict recursive lookups only then yes you can still create an iRule. Please check out DevCentrals code share and iRule content to see how. Hope this helps.
Hi Steve,
It's me again 🙂 I guess I figured out most of the art of moving External DNS (EDNS) to BIG-IP (either to DNS Express or on BIG-IP BIND). There is few little things lest and I will really appreciate if you help mi to figure those out:
Last question is about manually (via CLI) converting BIND Slave zone to Master. Is that possible or maybe rather is that safe? My idea was to:
Is there a chance it will work? I know that .jnl files are created for Zones - seems that those are containing changes to Zone file done via GUI. Periodically those changes are synced with zone db file. So I am not sure if I should remove .jnl or left it.
Thanks in advance, Piotr