
Network > DNS Resolver - So how do you test this is working?

PSFletchTheTek
Cirrostratus

Hi All,

So I've configured a DNS resolver "Network > DNS Resolver" as per the instructions.

But my stats aren't incrementing.

With now 3 sorts of DNS on my BIG-IP (Kernel, GTM and now the DNS Resolver) how do I run a test into the DNS Resolver to prove this config is working before I use it in anger in production? (I'm trying to set up a SOCKS proxy which insists on this config)

Dig, for example, from the CLI, or things like ping, use the kernel DNS settings, as I've used this in the past, so how do I force something to use the DNS Resolver (Network > DNS Resolver) and see the stats increment? This is NOT the DNS Resolver cache of DNS.

 

Thanks

 

Pete

 

1 REPLY

Hello PSFletchTheTek.

 

When you configure a DNS Resolver, besides configuring cache size, Route Domain, etc., remember to set a forward zone, for example, using a dot ( . ) and the IPs of the DNS servers you are using.

 

DNS Resolver is used just for some specific features (not the whole DNS communications):

  • HTTP Explicit Proxy feature
  • OCSP Validation
  • BIG-IP APM
  • BIG-IP AFM
  • BIG-IP ASM Bot Defense feature

REF - https://support.f5.com/csp/article/K12140128

 

One example would be to use OCSP Validation.

Check that in menu "System > Certificate Management > Traffic Certificate Management > OCSP". You will see that a "DNS Resolver" option is requested.

 

In my case I have this OCSP object configured:

  • Name: OCSP_myCA
  • DNS Resolver: my_dns_resolver
  • Responder URL: http://myocspserver.example.com

 

Then at "System > Certificate Management > Traffic Certificate Management > SSL Certificate List > myCert"

I have this specific OCSP checker applied to the monitoring properties of the 'myCert':

  • Monitoring Type: OCSP
  • Issuer Certificate: myCA
  • OCSP: OCSP_myCA

 

This set will launch DNS requests trying to reach "myocspserver.example.com".

 

Regards,

Dario.
