Steve_Lyons
Legacy Employee

First things first: you have decided to deploy F5 BIG-IP DNS to replace a BIND server after receiving notifications from your information assurance officer or your friendly LinkedIn community that additional CVEs have been identified for the version of BIND you are running. In this particular instance you already have a BIG-IP in your DMZ acting as your reverse proxy. You have purchased the best bundle but have only deployed what you know, APM and LTM (a common scenario).

After upgrading to version 13 following its release in February 2017 and determining the latest hotfix using https://support.f5.com/csp/article/K9502, you navigate within the TMUI to System > Resource Provisioning and simply provision DNS.

Once complete, you will need to configure your existing BIND server to allow zone transfers to the BIG-IP. In this case, we add a self IP defined on the BIG-IP to the allow-transfer statement.

Without the BIG-IP self IP defined: allow-transfer { localhost; };
With the BIG-IP self IP defined: allow-transfer { localhost; 10.10.10.2; };
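
One way to check the legacy server's transfer ACLs before and after this change, as an added example that is not part of the original article: it reads named.conf text and reports every zone whose allow-transfer list contains anything other than localhost and the BIG-IP self IP. The sample configuration, the zone legacy.example and the function names are constructed for illustration; allow-transfer statements placed at view level are not handled.

```python
import re

# Transfer clients the article allows: localhost and the BIG-IP self IP.
EXPECTED = {"localhost", "10.10.10.2"}


def strip_comments(text):
    """Drop /* */, // and # comments (assumes none appear inside quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_after(text, start):
    """Return the body of the first balanced {...} block at or after start."""
    open_idx = text.index("{", start)
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def transfer_acl(body):
    """Return the allow-transfer entries found in a block body, or None if unset."""
    m = re.search(r"(?<![\w-])allow-transfer\s*\{", body)
    if m is None:
        return None
    return [e.strip() for e in block_after(body, m.start()).split(";") if e.strip()]


def audit_allow_transfer(conf, expected=EXPECTED):
    """Map each zone name to 'ok', 'unexpected: ...' or 'unset: ...'."""
    conf = strip_comments(conf)
    opts = re.search(r"(?<![\w-])options\s*\{", conf)
    inherited = transfer_acl(block_after(conf, opts.start())) if opts else None
    report = {}
    for m in re.finditer(r'(?<![\w-])zone\s+"([^"]+)"[^{;]*\{', conf):
        acl = transfer_acl(block_after(conf, m.start()))
        if acl is None:
            acl = inherited          # a zone without its own ACL inherits from options
        if acl is None:
            # Older BIND 9 releases allow transfers to any host when nothing is set.
            report[m.group(1)] = "unset: server default applies"
        else:
            extra = sorted(set(acl) - set(expected))
            report[m.group(1)] = "ok" if not extra else "unexpected: " + ", ".join(extra)
    return report


# Constructed sample of the legacy server's named.conf (not from the article).
SAMPLE_NAMED_CONF = '''
options {
    directory "/var/named";   // no global allow-transfer
};
zone "lyons.demo.com" IN {
    type master;
    file "db.lyons.demo.com";
    allow-transfer { localhost; 10.10.10.2; };   # BIG-IP self IP
};
zone "198.199.10.in-addr.arpa" IN {
    type master;
    file "db.198.199.10";
    allow-transfer { any; };
};
zone "legacy.example" {
    type master;
    file "db.legacy.example";
};
'''

if __name__ == "__main__":
    for zone, status in audit_allow_transfer(SAMPLE_NAMED_CONF).items():
        print(f"{zone:28} {status}")
```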

Once you have allowed the zone transfer, you will create the zone on the BIG-IP and perform the zone transfer.

  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List. The Zone List screen opens.
  2. Click Create. The New Zone screen opens.
  3. From the View Name list, select the view that you want this zone to be a member of. Note: The default view is external.
  4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.lyons.demo.com.
  5. From the Zone Type list, select Master.
  6. From the Records Creation Method list, select Transfer from Server.
  7. Within Options, include the following:
     allow-update { localhost; };
     allow-transfer { localhost; };
     also-notify { ::1 port 5353; };
  8. In the Records Creation area, type the values for the SOA and NS record parameters.
  9. Click Finished.

OK, so you might be asking yourself right about now, "I thought ZoneRunner was a BIND instance?" In this scenario you are correct, which is why we are going to slave from the on-box BIND to ensure BIND is never accessible externally and we only respond to DNS queries using DNSExpress. Now, can you slave from an off-box DNSExpress instance? Of course, though that is outside the scope of this article.

Prior to creating our DNS profile and listeners, we are going to configure DNS logging. For this use case, we are going to configure logging to the on-box syslog instance.

  1. In the GUI, navigate to: System > Logs > Configuration > Log Publishers: Create
  2. Create a new DNS Log Publisher using the defaults unless defined below.

Name: dns-local-syslog

Destinations: Move local-syslog to the Selected column


  1. In the GUI, navigate to: DNS > Delivery > Profiles > Other > DNS Logging: Create
  2. Create a new DNS Profile using the defaults unless defined below.

Name: dns-logging

Log Publisher: Select dns-local-syslog

Log Responses: Enabled

Include Query ID: Enabled

Note: For the purposes of this article, we are going to enable all DNS logging options.


Now that we have logging set up for use by our DNS profile, we are going to go ahead and create that object.

  1. In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create
  2. Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table.

Name: AuthoritativeNS

Unhandled Query Action: Drop

Use BIND Server on Big-IP: Disabled

Logging: Enabled

Logging Profile: dns-logging


Now that we have created our DNS profile, we are going to create our DNS listeners. Remember, F5 is a default-deny device, so without creating something to listen on, all attempts to connect to or query the BIG-IP will be denied.

We are going to create external Listeners that will be our target IP address when querying BIG-IP DNS.

  1. In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create
  2. Create two new listeners using the defaults unless defined below.

Name: external-listener-UDP

Destination: Host: 10.1.100.53

VLAN Traffic: Enabled on...

VLANs and Tunnels: external

DNS Profile: AuthoritativeNS


Name: external-listener-TCP

Destination: Host: 10.1.100.53

VLAN Traffic: Enabled on...

VLANs and Tunnels: external

Protocol: TCP

DNS Profile: AuthoritativeNS


So, up to this point we have configured your legacy DNS server to perform a zone transfer with the BIG-IP, created a zone within ZoneRunner, performed the zone transfer from your legacy DNS device, and created a DNS profile and listeners on the BIG-IP. OK, bear with me, we are almost done. Our next step is to configure the local device as a name server and then create a DNSExpress zone that the on-box BIND instance will transfer the zone to. So let's begin.

  1. In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create
  2. In this case we will simply provide a Name and leave all other defaults.

Name: BIG-IP1

  3. Select Finish


In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create

Name: lyons.demo.com

Server: BIG-IP1

Notify Action: Consume

Verify Notify TSIG: Uncheck

Zone Transfer Clients: Move BIG-IP1 from Available to Active

Select Finish


In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create

Name: 198.199.10.in-addr.arpa

Server: BIG-IP1

Notify Action: Consume

Verify Notify TSIG: Uncheck

Zone Transfer Clients: Move BIG-IP1 from Available to Active

Select Finish


Now, our final step: validation. From the CLI, simply run dnsxdump to ensure records have been transferred to DNSExpress. If you would like to see zone transfers in action, simply create a resource record within ZoneRunner and run tail -f on /var/log/ltm.
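
A client-side complement to dnsxdump, as an added example that is not part of the original article: it reads the header flags of two replies from the listener and reports whether it behaves as an authoritative-only server (authoritative answers for the hosted zone, nothing resolved for names outside it). The host name www.lyons.demo.com, the outside name example.org and the sample replies are constructed for illustration; treating a set RA bit as a warning is this example's own choice.

```python
import socket
import struct

# DNS header flag bits and RCODE mask (RFC 1035, section 4.1.1).
QR, AA, RD, RA, RCODE_MASK = 0x8000, 0x0400, 0x0100, 0x0080, 0x000F


def build_query(qname, qtype=1, txid=0x4242):
    """Wire-format query (qtype 1 = A) with RD set, as a stub resolver sends it."""
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & RCODE_MASK, "ancount": an}


def query_udp(server, qname, timeout=3.0):
    """Send one query over UDP; return the reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def audit_listener(own_reply, foreign_reply):
    """Return findings for a listener that should be authoritative-only.

    own_reply:     reply for a name inside the hosted zone (bytes or None)
    foreign_reply: reply for a name outside it (bytes, or None if dropped)
    """
    findings = []
    if own_reply is None:
        findings.append("FAIL: no answer for the hosted zone")
    else:
        h = parse_header(own_reply)
        if not (h["qr"] and h["rcode"] == 0 and h["ancount"] > 0):
            findings.append("FAIL: hosted zone not answered (rcode=%d)" % h["rcode"])
        elif not h["aa"]:
            findings.append("FAIL: answer for hosted zone is not authoritative")
        if h["ra"]:
            findings.append("WARN: listener advertises recursion (RA set)")
    if foreign_reply is not None:  # None matches Unhandled Query Action: Drop
        h = parse_header(foreign_reply)
        if h["rcode"] == 0 and h["ancount"] > 0:
            findings.append("FAIL: open recursion, foreign name was resolved")
        else:
            findings.append("WARN: foreign query answered (rcode=%d), not dropped"
                            % h["rcode"])
    return findings


def sample_reply(query, flags, with_answer=True):
    """Constructed reply: echo the question, optionally append one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    answer = b""
    if with_answer:
        # Name pointer to offset 12, type A, class IN, TTL 300, 4-byte address.
        answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    header = struct.pack("!6H", txid, QR | RD | flags, 1, 1 if with_answer else 0, 0, 0)
    return header + query[12:] + answer


if __name__ == "__main__":
    own_q = build_query("www.lyons.demo.com")   # assumed host in the article's zone
    out_q = build_query("example.org")          # a name the BIG-IP does not host
    # Live use: audit_listener(query_udp("10.1.100.53", "www.lyons.demo.com"),
    #                          query_udp("10.1.100.53", "example.org"))
    print(audit_listener(sample_reply(own_q, AA), None))
    print(audit_listener(sample_reply(own_q, AA | RA), sample_reply(out_q, RA)))
```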


You are now done and have a fully functional authoritative DNS server for your organization without the vulnerabilities of BIND, or simply as an effort to consolidate services. If you have any problems at all, please don't ever hesitate to reach out directly. Now, my answer may be to contact support, though I have no problem walking through a scenario or troubleshooting attempt with you.

Reference Documentation

https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-0-0...

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-dns-services-implementatio...

Comments
Steve_Lyons
Legacy Employee

Thank you for taking the time to provide feedback. Next article is just around the corner!

 

FMA_199355
Nimbostratus

Looks like images attached are from a VPN tutorial 🙂

 

Steve_Lyons
Legacy Employee

Very strange. Just uploaded a new SSL VPN tutorial though it maybe modified the photos in my existing article. Anyway, seems to be resolved now. Thanks.

 

Great article Steve! One note, The DNS profile name in the text does not match some of the screenshots shown. It may confuse others.

 

Steve_Lyons
Legacy Employee

Thanks TJ! This is my ADD. When trying to write, and screenshot I forget to hit save/update/finish and use a different name that I may have used in the past when going back to recreate after my session expires. This is great feedback though. Certainly items I can validate in the future!

 

ePratik_284320
Nimbostratus

What happens if the name server specified here (Hidden Master) goes down? Can I specify multiple servers for redundancy by any means?

 

dragonflymr
Cirrostratus

Hi, Very good article! I am not DNS pro so I have problem with understanding last configuration steps:

 

  • Creating Nameserver
  • Creating DNSExpress Zone

What exactly those are used for? How they fit into DNS traffic flow?

 

Thanks in advance, Piotr

 

Steve_Lyons
Legacy Employee

@ePratik, I apologize for the delayed response. While within the configuration options it only allows you to select a single DNS server, I don't see why this couldn't be a VS on the BIG-IP with multiple DNS servers as pool members. Then to ensure only when the primary fails would the secondary master take over you could use something like priority group activation.

 

Steve_Lyons
Legacy Employee

@Piotr, thanks for the question. To clarify what my use case is, I am using an old off box bind server to perform a zone transfer with ZoneRunner on the BIG-IP. ZoneRunner is the BIG-IP's on box bind. From a security perspective I don't want to expose bind to external users who will be hitting my authoritative DNS server which is why I am provisioning DNSExpress to perform this function. As for the name server, I am simply configuring that to accept zone transfers from the on box bind to DNSExpress. The last screenshot shows a log that states successful zone transfer from 127.0.0.1 which is the transfer from ZoneRunner to DNSExpress. Hope this helps.

 

dragonflymr
Cirrostratus

Hi, Thanks for explanation. Still not clear :-(. Assuming we have some authoritative bind server in internal VLAN. This is set to allow zone transfer from BIG-IP Self IP (10.10.10.2).

 

Then zone transfer is triggered, by what BIG-IP object - Nameserver (BIG-IP1)?

 

If so how BIG-IP1 know to which internal bind server connect? From NS records created in Zone (DNS > Zones > ZoneRunner > Zone List)?

 

Or maybe BIG-IP1 is working as authoritative hidden master (not some external bind srv on internal VLAN) that is source for zone transfer to DNSExpress?

 

Sorry for dumb questions but I am really lost 😞

 

Steve_Lyons
Legacy Employee

These are not dumb questions at all. If I have left anyone not 100% confident on the how and why I need to provide more details.

 

Assuming we have some authoritative bind server in internal VLAN. This is set to allow zone transfer from BIG-IP Self IP (10.10.10.2).

 

Steve: Not transfer from the BIG-IP, transfer to the BIG-IP Self IP. The BIG-IP is the client in this case as we reference receiving zone transfers from an external Bind server. This is the initial step to update the zone on the local BIG-IP Bind instance. The transfer between on box (BIG-IP) Bind and DNSExpress occurs later and is the reason for the also-notify message in the named.conf. That also notify is referring to DNSExpress.

 

Then zone transfer is triggered, by what BIG-IP object - Nameserver (BIG-IP1)?

 

Steve: The zone transfer is triggered when you create the zone in ZoneRunner. Once the zone is created, an unsolicited zone transfer request is sent from the on box (BIG-IP) Bind instance. Moving forward, in your case where you still have a hidden master, any updates will generate a NOTIFY message which is sent to the BIG-IP and the BIG-IP will request a zone transfer with those updates.

 

If so how BIG-IP1 know to which internal bind server connect? From NS records created in Zone (DNS > Zones > ZoneRunner > Zone List)?

 

Steve: Yes sir. If you notice near the top of the article it asks in the newly created zone to create NS and SOA records. This is how the BIG-IP BIND instance knows what the authoritative DNS server for that zone and where to request the zone transfers from.

 

Or maybe BIG-IP1 is working as authoritative hidden master (not some external bind srv on internal VLAN) that is source for zone transfer to DNSExpress?

 

Steve: I hope the comments above helped clarify the last question.

 

Keep the questions coming if it is still not clear. I can assure you I don't mind a bit and just want to help other engineers and admins feel more comfortable with the BIG-IP and its capabilities.

 

dragonflymr
Cirrostratus

Hi,

 

Wow!! Thanks for in depth explanation. I think I understand most but still have some issues 😞

 

Sure I know that zone transfer will be sourced from off-box bind, what I meant was that on off-box bind zone transfers from BIG-IP self ip has to be allowed (on off-box bind) - sorry for not being precise.

 

You say:

 

The zone transfer is triggered when you create the zone in ZoneRunner.

 

So after saving zone DNSExpress on BIG-IP initiates zone transfer using self IP as source and configured NS IP as destination? If above is true then why to create nameserver BIG-IP1? Or BIG-IP1 is in fact responsible for doing zone transfer from off-box bind.

 

So flow is:

 

  • BIG-IP1 is sending zone transfer request to off-box bind
  • BIG-IP1 is sending notify to DNSExpress
  • DNSExpress initiates zone transfer from BIG-IP1
  • Off-box is sending notify to BIG-IP1 (I think configuring notify on off-box bind was not mentioned in article?)
  • BIG-IP1 sends zone transfer request to off-box bind
  • BIG-IP1 sends notify to DNSExpress
  • DNSExpress sends zone transfer request to BIG-IP1

Is above correct or I mixed thing up completely?

 

I am especially confused why BIG-IP1 (on-box bind) is necessary here? Is that because DNSExpress is not able to send zone transfer request to off-box directly and needs on-box bind for that? Or some other reason?

 

Piotr

 

Steve_Lyons
Legacy Employee

Piotr, we are on the same page now. So this article is specific to actually replacing a BIND box and no longer using an off box bind server as the authoritative DNS server in a master/slave relationship. With that, in order to provide administrators a UI to create/modify/delete records, zones, etc. you must use ZoneRunner. If you are simply trying to configure DNSExpress to accept zone transfers and respond to DNS queries versus the hidden master, you are correct that ZoneRunner is not needed. Check out the solution article below. This actually provides guidance to the question above about having multiple Authoritative DNS Servers. It covers creating a pool of DNS Servers. Hope this clarifies everything.

 

https://support.f5.com/csp/article/K13940auth1

 

Replacing DNS Server

  1. Zone created in ZoneRunner (On-box bind instance), zone transfer requested by ZoneRunner to Off-box bind.
  2. Off-box bind sends zone to ZoneRunner
  3. Also-Notify initiates zone transfer to DNSExpress
  4. Changes in ZoneRunner initiate a notify message to DNSExpress for additions, changes, deletions, etc.

 

Using Hidden Master

  1. Zone created in DNSExpress, zone transfer requested by DNSExpress to Off-box bind.
  2. Off-box bind sends zone info to DNSExpress
  3. Changes on off-box bind generate notify message to send zone changes directly to DNSExpress

 

dragonflymr
Cirrostratus

Hi,

 

I really appreciate your time and effort to explain this. Seems that I really need to refresh my knowledge about DNS on BIG-IP instead of asking not so smart questions.

 

I browsed through docs I have and maybe I am a bit closer:

 

  • ZoneRunner is just GUI to manage both DNS zone files and the BIND configuration file
  • DNSExpress is DNS in the RAM on BIG-IP
  • On-box bind is place to keep zone data persistent

In this article off-box bind is used to initially feed on-box bind with existing zone data from off-box bind. After we can forget off-box bind - Am I right?

 

Then:

 

  • On-box bind zone data is managed using ZoneRunner
  • After change to on-box bind zone (via ZoneRunner GUI) Notify is sent to DNSExpress
  • Then DNSExpress initiates zone transfer from on-box bind

If above is correct then on-box bind is used to keep zone data on disk in opposite to DNSExpress. That is necessary to feed DNSExpress with zone data for example after BIG-IP reboot.

 

Am I closer to the truth now?

 

I assume that naming zone in ZoneRunner with db. prefix is mandatory for some reason?

 

What still puzzles me is if I really get why on-box bind is necessary - just to store zone file on disk?

 

Piotr

 

Steve_Lyons
Legacy Employee

In this article off-box bind is used to initially feed on-box bind with existing zone data from off-box bind. After we can forget off-box bind - Am I right?

 

Steve: Correct

 

If above is correct then on-box bind is used to keep zone data on disk in opposite to DNSExpress. That is necessary to feed DNSExpress with zone data for example after BIG-IP reboot. Am I closer to the truth now?

 

Steve: Yes the zone data is held and managed by zonerunner. The only thing DNSExpress is doing at this point is actually responding to DNS queries for performance and security purposes.

 

I assume that naming zone in ZoneRunner with db. prefix is mandatory for some reason?

 

Steve: This is not an F5 naming convention but rather Bind in general to include all flavors.

 

What still puzzles me is if I really get why on-box bind is necessary - just to store zone file on disk?

 

Steve: DNSExpress was never designed to be a DNS management tool but rather a proprietary implementation to serve up DNS responses. ZoneRunner was put in place in the event an organization does not want to interface with an off box bind or any other DNS server for that matter and let F5 perform all functions to include managing zones and records.

 

Raphael1
Nimbostratus

How many dns zones can DNS Express support in V13.1?

 

Steve_Lyons
Legacy Employee

Off the top of my head I'll be honest I am not sure. I did some research and I personally was not able to find official numbers since much of this is based on memory resources available to the BIG-IP itself. Therefore a lot will depend on platform and DNS provisioning (dedicated, nominal or minimum). With that, I can tell you one of our teams tested up to 100k zones with memory to spare. I know this is not the answer you are looking for so I will continue to try and find more official sizing information though I cannot promise it exists.

 

dirome
Cirrus

Hi steve,

 

  • If you are going to on-box BIND, why in the profile DNS the "use bind in server bigip" is disable? and
  • What will be the procedure to fill with all zones that reside in the off-box bind to the on-box bind?

Misty_Spillers
Nimbostratus

Hi Steve, my question expands a little on the last one (with no answer)

 

Here is what I'm thinking the answer to the first part is. When you define a zone in DNS Express it will answer the clients, not bind. At least this is what it looks like.

 

My question is this:

 

Our DNS servers need to be fully functional as there will be people using them directly for DNS. When I disable "use BIND Server on BIG-IP" recursion no longer works and it won't answer for zones it doesn't know about. (I really hope I'm saying that correctly) Is that expected? Do I have to enable "use BIND Server on BIG-IP" for this to work?

 

Steve_Lyons
Legacy Employee

Hi Misty! I apologize for the delayed response on each of these. So, let's take a look at the different use cases.

 

Authoritative - Client queries BIG-IP for authoritative DNS response based on a zone it currently owns or has been granted delegation to.

 

High-level different configuration options.

  1. DNS Express consumes zone from off box bind.
  2. DNS Express consumes zone from on box bind when managed by on box bind.
  3. DNS Express consumes zone from on box bind which is performing zone transfers from off box bind or other BIG-IP DNS instance.

 

Within the DNS profile, it is recommended to disable the use of Bind to ensure DNS Express is the only component responding to queries. Likely this will be a separate virtual server than what you are using for recursive lookups and therefore using a different DNS profile.

 

Recursive DNS - Client or DNS server queries BIG-IP DNS and BIG-IP DNS then queries a separate DNS instance for an authoritative DNS response and BIG-IP then provides that response to the client.

 

High-level different configuration options.

  1. DNS Express handles recursion with no DNS caching.
  2. DNS Express handles recursion with DNS caching.
  3. On box bind handles DNS recursion with no DNS caching.
  4. On box bind handles DNS recursion with DNS caching.

 

I still recommend disabling Bind here though for functionality purposes it is not required. Things to validate. Process Recursion Desired is enabled in the DNS profile which is done so by default. If you are using Bind forwarders, ensure they are configured in System > Configuration > DNS > BIND Forwarder Server List. Also if using Bind ensure recursion is enabled in the named.conf file. If you are using a pool of DNS servers (recommended), ensure it is assigned to the listener or Virtual Server. Please let me know your results and I will help get this working with you. Don't forget tools like dig, nslookup and tcpdump. I prefer dig and tcpdump when troubleshooting any DNS related issue. tcpdump ensures the client is actually hitting my DNS listener and dig validates DNS resolution. Let me know.

 

dragonflymr
Cirrostratus

Hi Steve,

 

Great recap, thanks a lot. You mentioned using Bind forwarders - could you explain a bit how those work and when it makes sense to use them. I was always curious about this option when configuring DNS on BIG-IP. Tried to find some good explanation but failed 😞

 

Piotr

 

Steve_Lyons
Legacy Employee

Hi Piotr. I probably don't have a great answer for you but I will do my best. Also, it seems as though some of the questions/responses have been mixed together with different use cases. With that, I attempt to never use the Bind Forwarders Server List. It provides no high availability or health checking of what you are performing name resolution against. It has and will likely always be a recommended best practice to use pools when configuring the BIG-IP to act as a recursive DNS server. Also, this isn't documented and may be my own experience though I have experienced times when I expect name resolution attempts to continue down the list of BIND Forwarders and DNS servers in the system general settings though it doesn't and name resolution fails on the first attempt. This behavior was not expected from me so therefore I really like the use of DNS pools with DNS health monitors to validate the members are available. I know this probably isn't what you were looking for but I hope it convinces you to use DNS pools! 🙂

 

dragonflymr
Cirrostratus

Well, not a great answer indeed 🙂 but thanks a lot for answer!

 

What I am actually trying to figure out is difference between entering IP in DNS Lookup Server List and BIND Forwarder Server List.

 

I assume that both are used by BIG-IP to perform queries (like to resolve NTP server FQDN to IP or other FQDNs BIG-IP itself has to resolve) - hope I am right here?

 

If is main difference between this two config options that second one allows BIG-IP to store responses in local BIND cache? So in compare to first option not every request has to be sent to external DNS (if response already exist in local BIND cache)?

 

Or I totally misunderstand how this options work?

 

Piotr

 

Steve_Lyons
Legacy Employee

Hahahaha, why didn't you say so! J/K

 

Sure, the DNS lookup server list specifies the name servers that the system uses to validate DNS lookups, and resolve host names.

 

The BIND forwarder server list specifies BIND servers that the system can use to perform DNS lookups. BIND allows you to cache and store DNS requests and responses on a local server and minimize DNS server requests, and bandwidth.

 

So what this is really saying is that the DNS lookup server list is for system specific name resolution. The BIND forwarder server list is for name resolution for external entities if using the BIG-IP as a name resolution source.

 

dragonflymr
Cirrostratus

Couldn't resist :-))

 

Wow, so my understanding was totally wrong 😞 To be 100% sure if I am getting things right - if for example FQDN nodes are used then DNS servers configured in DNS lookup server list will be used (never from BIND forwarder server list) - right?

 

Then if we will configure DNS listener without Pool and there are entries in BIND forwarder server list those will be used to resolve request coming to configured DNS resolver - right?

 

If above is correct I would never, ever figure it out from built-in help description 😞

 

Piotr

 

Steve_Lyons
Legacy Employee

Hopefully these screenshots help clarify.

 

First I configured google DNS in the BIND forwarder server list and I am unable to resolve. I then configured it in the DNS lookup server list and can successfully resolve. 0691T000006Aqq2QAC.png

 

Here you can see based on name of the pool I am using different configurations. First pool I have no DNS configured and when attempting to save based on fqdn pool I receive an error to configure DNS. In the 2nd pool I configured google DNS in my BIND forwarder server list and receive an error to configure DNS when trying to save a fqdn pool. Lastly, I configured google dns in my DNS server list and can successfully create an fqdn pool.

 

Hope this helps clarify! Let me know. 0691T000006Aqq3QAC.png

 

dragonflymr
Cirrostratus

Wow, thanks a lot for your time and effort, really appreciate!

 

From above it's clear that anything configured in BIND Forwarder Server list is not used by BIG-IP for internal name resolution - that is 100% clear now.

 

Still I am not sure in what situation IPs configured in BIND Forwarder Server list are used. Maybe some small real life example that you can share?

 

Thanks again,

 

Piotr

 

Misty_Spillers
Nimbostratus

We really would like F5 to be an all in one DNS solution, unless you have a really good reason why it should not be. We won't have 1000s of people doing recursive DNS but we need to do it. So CAN DNS Express do recursion, with cache to the on box BIND, if yes how? I have followed your steps, but if I disable "use BIND Server on BIG-IP" recursion no longer works.

 

I have successfully configured DNS Express to respond to authoritative zones using the on box BIND by follow the steps in your original post. I can disable "use BIND Server on BIG-IP" and this works. just not sure about recursion. Thank you so much for all your time on this, it's been a little difficult finding someone to help with architecture, mainly because these are so many options.

 

Steve_Lyons
Legacy Employee

All good Misty. Give me some time to create it again in my own lab and I will shoot you my config.

 

Steve_Lyons
Legacy Employee

0691T000006Aqq4QAC.png

 

0691T000006Aqq5QAC.png

 

0691T000006Aqq6QAC.png

 

0691T000006Aqq7QAC.png

 

0691T000006Aqq8QAC.png

 

Steve_Lyons
Legacy Employee

Misty, see the screenshots above. This is a functional recursive configuration. It really takes very little.

 

Misty_Spillers
Nimbostratus

I'm missing something. What's in "DNSPool" I'm not sure how to reference the "on box BIND." Local address in named.conf 127.0.0.1?

 

Thank you again!

 

Steve_Lyons
Legacy Employee

Ahhhh, I see. Forget about BIND altogether for recursion (my recommendation of course). Create an LTM pool with the servers your BIG-IP should be using for resolution. Attach that pool to your listener and boom. You are really just a reverse proxy for DNS lookups. I may have created older documentation which shows the BIND configuration options but again, disregard and disable BIND. Use a pool of DNS servers. Let me know.

 

Steve_Lyons
Legacy Employee

Also, updated the comment above with screenshots to include one with the servers I have in my DNS Pool. For demo purposes I am using google and quad 9 though your organization may have other external servers to perform queries against.

 

Misty_Spillers
Nimbostratus

I have always understood that setup, but our DNS servers are very old and we were hoping F5 could handle everything and, of course, we were told that it could, you know how it goes 🙂 So essentially we are building this from scratch and I'm hearing I need to acquire additional actual DNS servers for a "recommended setup with recursion"

 

As for on box BIND recursion seems to work fine but it's not under any load at all. I wonder what the limitations are? We are not google, only a very small set of customers would be allowed to do recursion.

 

Steve_Lyons
Legacy Employee

So, yes these boxes can be an all in one DNS solution with nothing more. You don't need to buy anything else. It's all about your use case. So, my typical use case is completely different from yours as my customers MUST point to a specific server for actual resolution. AD Integrated DNS > F5 Recursive DNS > Required Recursive > Internet. Now that I think it's defined, you want recursion and the BIG-IP to do all name resolution for you, the BIG-IP will use root hints to do the lookup. Give me a sec and I will send you what that looks like.

 

Steve_Lyons
Legacy Employee

Create a resolver cache.

 

0691T000006Aqq9QAC.png Code

 

Assign the resolver cache to the DNS profile and assign the profile to your DNS listener. The cache resolver will use root hints.

 

0691T000006AqqAQAS.png

 

Misty_Spillers
Nimbostratus

Wow, I think after all this time (I have been working on this with other F5 folks) I think this is what I was looking for. Just like your profile "use BIND Server on BIG-IP" is now disabled, recursion is working. As per your original profile I also set the "Unhandled Query Actions" to "drop". This also seems to work.

 

Thank you so much

 

Steve_Lyons
Legacy Employee

No problem! Glad this is working for you.

 

Nice work Steve answering these requests.

 

Couple extra pieces of information that may support the question:

 

Recursive Resolver Lab Material: https://clouddocs.f5.com/training/community/dns/html/class2/module5/module5.html

 

There is also a great F5 DNS INE course which covers various Design and Architectures for F5 DNS in Section 1: https://streaming.ine.com/c/exam-302-big-ip-dns-specialist

 

dragonflymr
Cirrostratus

Hi,

 

"There is also a great F5 DNS INE course which covers various Design and Architectures for F5 DNS in Section 1"

 

Link seems to be broken, or you have to be registered user at https://members.ine.com/auth/login?

 

Piotr

 

dragonflymr
Cirrostratus

@Steve - DNS Cache solution is working great (did such setups in the past) but I wonder how to use to as well provide local resolution via for example DNS Express. Something like:

 

  • All Internet related queries will use root hints
  • All queries for company.com will use DNS Express feed from BIND - so it would be possible to manage company.com zone directly on BIG-IP.

If I am not wrong it's only possible if zone is handled by local BIND?

 

Piotr

 

Misty_Spillers
Nimbostratus

Steve, one more question for you.

 

Now that I have set up a DNS cache, it seems to be letting anyone on the Internet do recursion. I need to limit this to a couple of IP blocks. In the configuration we discussed what is the best way to do this?

 

Thank you!

 

Steve_Lyons
Legacy Employee

@Misty, well there are several ways to accomplish this within LTM alone. Within the listener you can define a source subnet. You can also configure allow specific vlans in the listener. If you have several subnets that you would like to allow I would recommend using an iRule to allow subnets with a default action of drop. I shared this iRule a few weeks ago on LinkedIn.

 

0691T000006AqqBQAS.jpg

 

Misty_Spillers
Nimbostratus

That would stop all traffic though, I just wanted to stop recursion. Almost seems like I would have to have 2 listeners. One for DNSExpress to answer for zones it is authoritative for and one for normal DNS queries that our customers would use. Is that how it works? I really don't want the Internet to have access to recursion. When I had BIND accessible it was respecting the named.conf settings on recursion.

 

EDIT: Actually it looks like this is the kind of iRule I need. It's a bit of reading. https://devcentral.f5.com/articles/dns-irules-protect-yourself-from-amplification-attacks

 

Steve_Lyons
Legacy Employee

@Misty, yes, as mentioned in previous comments it is HIGHLY recommended to use separate virtual servers for authoritative lookups and recursive lookups. This allows you to define different security policies for both. Most large enterprises do not allow internal users to hit their external authoritative DNS servers and they certainly do not allow external users to access their recursive DNS servers. In fact many organizations have separate servers for these functions, but because F5 is a full proxy and allows for granular security per virtual server you can host both functions on a single BIG-IP. With all of this, you as an organization need to determine your security requirements and implement your BIG-IP in a manner that allows you to meet those requirements. F5 as a product can perform an unbelievable amount of technical functions, though the engineers developing the solution should determine how and if you should.

 

Ok, now with all of that, if you really want to use a single virtual server to restrict recursive lookups only, then yes, you can still create an iRule. Please check out DevCentral's code share and iRule content to see how. Hope this helps.
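One way to write the single-listener restriction discussed in the exchange above, as an added example; it is not the iRule Steve shared and not F5's own code. It goes slightly beyond a source-only allow list by letting any client query the authoritative zones while dropping everything else from non-allowed sources. The data group names `recursion_allowed_nets` and `authoritative_zones` are hypothetical, and the listener is assumed to have a DNS profile attached so that `DNS_REQUEST` fires.

```tcl
# Added example (not from the thread). Assumptions:
#  - the listener has a DNS profile, so the DNS_REQUEST event fires
#  - recursion_allowed_nets: address-type data group (hypothetical name)
#    listing the client subnets that may use the cache/recursion
#  - authoritative_zones: string-type data group (hypothetical name) whose
#    entries are zone names stored WITH a leading dot, e.g. ".company.com"
when DNS_REQUEST {
    # Trusted sources get normal processing (DNS Express, then cache).
    if { [class match [IP::client_addr] equals recursion_allowed_nets] } {
        return
    }

    # Normalise the query name: lower-case, no trailing dot, and a leading
    # dot added so that suffix matching happens on label boundaries.
    # Without the leading dot, "evilcompany.com" would match "company.com".
    set qname ".[string trimright [string tolower [DNS::question name]] .]"

    # Untrusted sources may only ask about zones this BIG-IP is
    # authoritative for; those continue to DNS Express as usual.
    if { [class match $qname ends_with authoritative_zones] } {
        return
    }

    # Anything else from an untrusted source would need recursion or a
    # cache lookup. Default action is drop, so the listener cannot be used
    # as an open resolver or as an amplification reflector.
    DNS::drop
}
```

Separate listeners for authoritative and recursive traffic, as recommended above, remain the simpler design; this rule only covers the case where both functions must share one virtual server.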

 

dragonflymr
Cirrostratus

Hi Steve,

 

It's me again 🙂 I guess I figured out most of the art of moving External DNS (EDNS) to BIG-IP (either to DNS Express or on BIG-IP BIND). There are a few little things left and I will really appreciate it if you help me to figure those out:

 

  • Why is there no way (at least from the GUI) to convert a Slave ZoneRunner Zone to Master? It would really help in a smooth transition from testing to production. The idea here is to first create a Slave type and enable receiving NOTIFY from EDNS and initiate IXFRs - so the Slave Zone is up-to-date all the time. Then this slave zone sends NOTIFY to the DNS Express Zone. The result is that the DNS Express Zone is up-to-date as well during the test. Then, after the tests are over and Zone management should be transferred to BIG-IP, the ZoneRunner Zone is changed to Master - but this seems to be not possible via the GUI.
  • As far as I understand the standards, a Master ZoneRunner Zone can't accept NOTIFY or initiate IXFRs - because it's Master. So after the initial AXFR any changes on EDNS are not transferred to the Master ZoneRunner Zone - am I right?
  • The last and most painful thing is making this work with Route Domains (RD). It seems that this is not working at all. I know that there is an option to set the Route Domain when defining a Nameserver but all my tests (13.1.1.3 and 4) suggest that this setting is ignored. AXFR and IXFR are always sent via the Self IP defined on the VLAN in Common RD0 - did you ever try a setup with Route Domains? I was not able to find any KB or Bug Tracker with info that this feature is not working :-(. I tried:
    • Route Domain RD1 in Common with VLAN to EDNS assigned to it; All DNS objects created in Common; RD1 selected in Nameserver
    • Route Domain RD100 created in partition TEST and set as default RD; VLAN to EDNS assigned to RD100; All DNS objects created in TEST partition

Last question is about manually (via CLI) converting BIND Slave zone to Master. Is that possible or maybe rather is that safe? My idea was to:

 

  • Stop named daemon, edit named.conf (db files for Slave and Master seem to be exactly the same so no mods necessary)
  • Edit named.conf with appropriate changes to Slave Zone definition
  • Save edited named.conf and start named daemon

Is there a chance it will work? I know that .jnl files are created for Zones - it seems that those contain changes to the Zone file done via the GUI. Periodically those changes are synced with the zone db file. So I am not sure if I should remove the .jnl or leave it.

 

Thanks in advance, Piotr

 

Version history
Last update: 23-Feb-2018 05:00