Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Network > DNS Resolver - So how do you test this is working?

PSFletchTheTek
MVP
MVP

‎26-Aug-2021 06:24

Hi All,

So i've configured a DNS resolver "Network > DNS Resolver" as per the instructions.

But my stats aren't incrementing.

With now 3 sorts of DNS on my BIG-IP (Kernel, GTM and now the DNS Resolver) how do I run a test into the DNS Resolver to prove this config is working before I use it in anger in production? (I'm trying to setup a socks proxy which insist on this config)

Dig for example from the cli or using things like ping uses the kernel dns settings as I've used this in the past, so how do I force something to use the DNS Resolver? (network ? DNS resolver - and see the stats increment!) This is NOT the DNS Resolver cache of DNS.

 

Thanks

 

Pete

 

Labels:
0 Kudos
1 REPLY 1

Dario_Garrido
MVP
MVP

‎27-Aug-2021 02:04

Hello PSFletchTheTek.

 

When you configure a DNS Resolver, besides configuring chache size, Route Domain, etc., remember to set a forward zone, for example, using a dot ( . ) and the IPs of the DNS servers you are using for.

 

DNS Resolver is used just for some specific features (not the whole DNS communications):

  • HTTP Explicit Proxy feature
  • OCSP Validation
  • BIG-IP APM
  • BIG-IP AFM
  • BIG-IP ASM Bot Defense feature

REF - https://support.f5.com/csp/article/K12140128

 

One example would be to use OCSP Validation.

Check that in menu "System > Certificate Management > Traffic Certificate Management > OCSP". You will see that a "DNS Resolver" option is requested.

 

In my case I have this OCSP object configured:

  • Name: OCSP_myCA
  • DNS Resolver: my_dns_resolver
  • Responder URL: http://myocspserver.example.com

 

Then at "System > Certificate Management > Traffic Certificate Management > SSL Certificate List > myCert"

I have this specific OCSP checker applied to the monitoring properties of the 'myCert':

  • Monitoring Type: OCSP
  • Issuer Certificate: myCA
  • OCSP: OCSP_myCA

 

This set will launch DNS requests trying to reach "myocspserver.example.com".

 

Regards,

Dario.

Regards,
Dario.
0 Kudos
Copyright © 2023 Khoros, LLC