Scribd
Upload
885 views102 pages

F5 DNS Guide PDF

Uploaded by

Rohan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
885 views102 pages

F5 DNS Guide PDF

Uploaded by

Rohan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 102

agility_dns_docs_17 Documentation

Release 0.1

Agility DNS team

Oct 06, 2017


Contents

1 Lab Environment 3
1.1 Ravello Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 GSLB 15
2.1 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2 Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.1 Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.2 DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.3 UDP Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.4 TCP Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.5 UDP IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.6 TCP IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.3 Datacenters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.3.1 Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.1.1 gtm1.site1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.1.2 gtm1.site2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.1.3 site1_ha-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.1.4 site2_ha-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.3.2 Device Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.3.3 Sync Group Formation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.3.4 LTM Virtuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.3.5 Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.3.6 Auto Discover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.4 Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.5 FQDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.6 Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.6.1 A Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.6.2 Sub Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.6.3 CNAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.7 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
2.7.1 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
2.7.2 tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
2.7.3 Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
2.7.4 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

i
3 Cache 67
3.1 Transparent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.2 Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.3 RPZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.4 Forward Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

4 DNS Services Beyond GSLB with BIG-IP DNS (201) 71


4.1 AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND . . . . . . . . . . . . . . . . . . . . . . . 71
4.1.1 Configuring DNS Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.1.2 Create a new DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.1.3 Create DNS Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.1.4 Create a Nameserver for Hidden Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.1.5 Create a zone to transfer from Hidden Master . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.1.6 Enable DNSSEC for the zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.2 Authoritative Name Server: slave from ON-BOX BIND . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.1 Create a new DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.2 Edit DNS Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.3 Create a Student1.com zone using ZoneRunner . . . . . . . . . . . . . . . . . . . . . . . . 78
4.2.4 Create a Nameserver for on-box BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.2.5 Create a DNS Express zone to transfer from ZoneRunner . . . . . . . . . . . . . . . . . . . 80
4.3 Slaving off of DNS Express . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.3.1 Create a new DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.3.2 Edit DNS Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.3.3 Create Nameservers for Zone Transfer Clients . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.3.4 Edit Student2 Zones on BIGIP2 to allow Zone transfers . . . . . . . . . . . . . . . . . . . . 82
4.3.5 Add Student2.com zone to DNS Express on BIGIP1 . . . . . . . . . . . . . . . . . . . . . 83
4.4 Transparent Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.4.1 Create a DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4.2 Create a new DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4.3 Create a DNS Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.4.4 Create a Resolver Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.4.5 Create a new External DNS Listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.5 Resolver Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.5.1 Create a new DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.5.2 Create a new DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.5.3 Edit DNS Listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.6 DNSSEC Validating Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.6.1 Create a new DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.6.2 Create a new DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.6.3 Edit DNS Listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.7 Forwarders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.7.1 Add Forwarder to Existing Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.8 DNS 201 class is complete ! Thanks for attending! . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

ii
agility_dns_docs_17 Documentation, Release 0.1

https://github.com/bwesterf5/agility_dns_docs_17
http://agility-dns-docs-17.readthedocs.io/en/latest/

Contents 1
agility_dns_docs_17 Documentation, Release 0.1

2 Contents
CHAPTER 1

Lab Environment

• Connect to a Windows jumpbox in the cloud.


• From the Windows jumpbox students will configure F5 devices across two datacenters and a branch office.
• The Windows jumpbox is in the branch office along with an Active Directory domain controller.

3
agility_dns_docs_17 Documentation, Release 0.1

1.1 Ravello Cloud

The lab environment is hosted in cloud environments managed by Ravello Systems. Login to the Ravello training
portal using a browser.
Ask an instructor for the login information
- TODO insert updated Ravello screenshots
Once logged in, you will find the URL for your windows jumpbox.
NOTE: All the VMs should be in a STARTED state.
Copy the FQDN located under the DNS section.
Open a remote desktop client on your workstation and connect to the jumpbox.
Username: user Password: Agility1

4 Chapter 1. Lab Environment


agility_dns_docs_17 Documentation, Release 0.1

1.1. Ravello Cloud 5


agility_dns_docs_17 Documentation, Release 0.1

1.2 IPv4

Management IP Addresses:

Host Managment
bigip1.site1 10.1.10.11
bigip2.site1 10.1.10.12
gtm1.site1 10.1.10.13
bigip1.site2 10.1.10.21
bigip2.site2 10.1.10.22
gtm1.site2 10.1.10.23
router01.branch01 10.1.10.31

Service IP Addresses:

Site 1 Site 2
www.example.com = 203.0.113.9 www.example.com = 198.51.100.41
vpn.example.com = 203.0.113.10 vpn.example.com = 198.51.100.42

1.3 Orientation

1. Open the command prompt on the Windows jumpbox and execute the following command:
dig www.example.com. Examine the output, and observe that an A record exists.

1. Open Internet Explorer and access www.example.com. Note that you accessed a web server in site1.

6 Chapter 1. Lab Environment


agility_dns_docs_17 Documentation, Release 0.1

TODO Create content server page and add screenshot


2. RDP to the domain controller using: EXAMPLE\user, password Agility1.
Start –> Remote Desktop Connection –> 10.1.70.200.

1.3. Orientation 7
agility_dns_docs_17 Documentation, Release 0.1

8 Chapter 1. Lab Environment


agility_dns_docs_17 Documentation, Release 0.1

1. Click on Server Manager, and in the top right corner choose Tools and then DNS.

1.3. Orientation 9
agility_dns_docs_17 Documentation, Release 0.1

1. Double click on EXAMPLE.COM and examine DNS records.

10 Chapter 1. Lab Environment


agility_dns_docs_17 Documentation, Release 0.1

1.3. Orientation 11
agility_dns_docs_17 Documentation, Release 0.1

12 Chapter 1. Lab Environment


agility_dns_docs_17 Documentation, Release 0.1

1. Connect to https://bigip1.site1.example.com and list the virtual server (203.0.113.9). Use Internet Explorer
Browser on the jumpbox to log in via the GUI, or use Putty for SSH to get a shell.
GUI username = admin/admin
CLI username = root/default

1. Connect to https://bigip1.site2.example.com and list the virtual servers (198.51.100.41). Use Internet Explorer
Browser on the jumpbox to log in via the GUI, or use Putty for SSH to get a shell.
GUI username = admin/admin
CLI username = root/default

1.3. Orientation 13
agility_dns_docs_17 Documentation, Release 0.1

14 Chapter 1. Lab Environment


CHAPTER 2

GSLB

• Students will configure F5 DNS servers to support GSLB services on a single device in site1.
• Join an additional F5 DNS server in site2 to the GSLB cluster.
• A Windows AD DNS server is authoritative for the zone example.com and contains a static A record for
“www.example.com”, which resolves to 203.0.113.9.
• Students will add glue records and delegate gslb.example.com to the F5 GSLB DNS servers.
• Convert the A record “www.example.com” to be a CNAME record pointing to www.gslb.example.com.
At the end of the lab students will have configured F5 GSLB DNS servers to alternately resolve www.example.com to
203.0.113.9 and 198.51.100.41.
• Where were you when v9 was released ?

15
agility_dns_docs_17 Documentation, Release 0.1

2.1 Settings

Configure the global settings for GSLB according to the following table:
Log into gtm1.site1 and complete the following task in the UI or cli
Navigate to: DNS ›› Settings : GSLB : General
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/settings/gslb/properties_general.jsp

Setting Value Description


Synchronize checked Not on by default
Group Name EXAMPLE_group Org specific
Synchronize DNS Zone checked BIND zone file updates
Files

tmsh modify gtm global-settings general synchronization yes synchronization-group-


˓→name EXAMPLE_group synchronize-zone-files yes

16 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

References

2.2 Listeners

A listener object is an spcialized virtual server that is configured to respond to DNS queries.
We will be creating both TCP and UDP based listeners.

2.2.1 Logging

Configure DNS query and response logging.


Navigate to DNS > Delivery > Profiles > Other > DNS Logging: Create
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/dns_log/list.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/dns_log/list.jsp

Note: It is required to complete the following task on both gtm1.site and gtm1.site2

2.2. Listeners 17
agility_dns_docs_17 Documentation, Release 0.1

Create a new DNS logging profile as shown in the table below. Retain the defaults if not noted in the table.

Setting Value
Name example_dns_logging_profile
Log Publisher sys-db-access-publisher
Log Responses enabled
Include Query ID enabled

TMSH command for both gtm1.site1 and gtm1.site2:


tmsh create ltm profile dns-logging example_dns_logging_profile enable-response-
˓→logging yes include-query-id yes log-publisher local-db-publisher

References

2.2.2 DNS Profile

A DNS profile controls the way a listener processes a query.


Navigate to: DNS > Delivery > Profiles > DNS: Create
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/dns/list.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/dns/list.jsp?

Note: It is required to complete the following task on both gtm1.site and gtm1.site2

Create a new DNS profile as shown in the following table.

Setting Value
Name example.com_dns_profile
Unhandled Query Action Drop
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile example_dns_logging_profile
AVR statistics Sample Rate Enabled, 1/1 queries sampled

TMSH command for both gtm1.site1 and gtm1.site2:


tmsh create ltm profile dns example.com_dns_profile use-local-bind no unhandled-query-
˓→action drop log-profile example_dns_logging_profile enable-logging yes avr-dnsstat-

˓→sample-rate 1

References

2.2.3 UDP Profile

A UDP profile is associated with a listener.


Navigate to: DNS ›› Delivery : Profiles : Protocol : UDP
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/list.jsp?

18 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.2. Listeners 19
agility_dns_docs_17 Documentation, Release 0.1

20 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.2. Listeners 21
agility_dns_docs_17 Documentation, Release 0.1

22 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/list.jsp?

Note: It is required to complete the following task on both gtm1.site and gtm1.site2

Create a new UDP profile as shown in the following table. Retain the defaults if the setting is not noted in the table.

Setting Value
Name example.com_udp-dns_profile
Parent Profile udp_gtm_dns

TMSH command for both gtm1.site1 and gtm1.site2:

tmsh create ltm profile udp example.com_udp-dns_profile defaults-from udp_gtm_dns

2.2. Listeners 23
agility_dns_docs_17 Documentation, Release 0.1

References

2.2.4 TCP Profile

A TCP profile is associated with a listener.


Navigate to: DNS ›› Delivery : Profiles : Protocol : TCP
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/list.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/list.jsp

Note: It is required to complete the following task on both gtm1.site and gtm1.site2

Create a new TCP profile as shown in the following table.

Setting Value
Name example.com_tcp-dns_profile
Parent Profile tcp-wan-optimized

TMSH Command for both gtm1.site and gtm1.site2:

tmsh create ltm profile tcp example.com_tcp-dns_profile defaults-from tcp-wan-


˓→optimized

References

2.2.5 UDP IP Address

Navigate to: DNS ›› Delivery : Listeners : Listener List


https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp

Note: It is required to complete the following task on both gtm1.site1 and gtm1.site2

Create a UDP listener.

Setting gtm1.site1 gtm1.site2


Name isp1_site1_ns1.example.com_udp_53_virtual
isp2_site2_ns2.example.com_udp_53_virtual
Destination 203.0.113.8 198.51.100.40
Protocol Profile (Client) example.com_udp-dns_profile example.com_udp-dns_profile
DNS Profile example.com_dns_profile example.com_dns_profile

24 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.2. Listeners 25
agility_dns_docs_17 Documentation, Release 0.1

26 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.2. Listeners 27
agility_dns_docs_17 Documentation, Release 0.1

gtm1.site1 TMSH command:

tmsh create gtm listener isp1_site1_ns1.example.com_udp_53_virtual address 203.0.113.


˓→8 ip-protocol udp mask 255.255.255.255 port 53 profiles add { example.com_dns_

˓→profile example.com_udp-dns_profile }

gtm1.site2 TMSH command:

tmsh create gtm listener isp2_site2_ns2.example.com_udp_53_virtual address 198.51.100.


˓→40 ip-protocol udp mask 255.255.255.255 port 53 profiles add { example.com_dns_

˓→profile example.com_udp-dns_profile }

References

2.2.6 TCP IP Address

Navigate to: DNS ›› Delivery : Listeners : Listener List


https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp

Note: It is required to complete the following task on both gtm1.site and gtm1.site2

Create a TCP listener.

Setting gtm1.site1 gtm1.site2


Name isp1_site1_ns1.example.com_tcp_53_virtual
isp2_site2_ns2.example.com_tcp_53_virtual
Destination 203.0.113.8 198.51.100.40
Protocol Profile (Client) example.com_tcp-dns_profile example.com_tcp-dns_profile
DNS Profile example.com_dns_profile example.com_dns_profile

28 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.2. Listeners 29
agility_dns_docs_17 Documentation, Release 0.1

gtm1.site1 TMSH command:

30 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

tmsh create gtm listener isp1_site1_ns1.example.com_tcp_53_virtual address 203.0.113.


˓→8 ip-protocol tcp mask 255.255.255.255 port 53 profiles add { example.com_dns_

˓→profile example.com_tcp-dns_profile }

gtm1.site2 TMSH command:

tmsh create gtm listener isp1_site2_ns2.example.com_tcp_53_virtual address 198.51.100.


˓→40 ip-protocol tcp mask 255.255.255.255 port 53 profiles add { example.com_dns_

˓→profile example.com_tcp-dns_profile }

References

2.3 Datacenters

Navigate to: DNS > GSLB > Data Centers > Data Center List: Create
https://gtm1.site1.example.com/tmui/Control/jspmap/xsl/gtm_dc/list

Note: The tasks in this section are to be only completed on gtm1.site1

Create two darta centers according to the table below:

Setting Value
Name site1_datacenter
Name site2_datacenter

2.3. Datacenters 31
agility_dns_docs_17 Documentation, Release 0.1

TMSH command for only site1.gtm1:

tmsh create gtm datacenter site1_datacenter


tmsh create gtm datacenter site2_datacenter

32 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3.1 Servers

2.3.1.1 gtm1.site1

Navigate to: DNS ›› GSLB : Servers : Server List https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/


globallb/server/list.jsp
Create a Server Object as defined in the table below:

Setting Value
Name gtm1.site1_server
Data Center site1_datacenter
Devices Add: gtm1.site1.example.com : 203.0.113.7
Health Monitors bigip
Virtual Server Discovery Disabled

TMSH command for only site1.gtm1:

tmsh create gtm server gtm1.site1_server datacenter site1_datacenter devices add {


˓→gtm1.site1.example.com { addresses add { 203.0.113.7 } } } monitor bigip product

˓→bigip

2.3.1.2 gtm1.site2

Navigate to: DNS ›› GSLB : Servers : Server List https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/


globallb/server/list.jsp
Create a Server Object as defined in the table below:

Setting Value
Name gtm1.site2_server
Data Center site2_datacenter
Devices Add: gtm1.site2.example.com : 198.51.100.39
Health Monitors bigip
Virtual Server Discovery Enabled

TMSH command for only gtm1.site1: .. code-block:: cli


tmsh create gtm server gtm1.site2_server datacenter site2_datacenter devices add {
gtm1.site2.example.com { addresses add { 198.51.100.39 } } } monitor bigip product bigip

2.3.1.3 site1_ha-pair

• Navigate to: DNS > GSLB > Servers > Server List: Create https://gtm1.site1.example.com/tmui/Control/
jspmap/tmui/globallb/server/list.jsp
• Create a Server Object as defined in the table and diagram below.

2.3. Datacenters 33
agility_dns_docs_17 Documentation, Release 0.1

34 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3. Datacenters 35
agility_dns_docs_17 Documentation, Release 0.1

Setting Value
Name site1_ha-pair
Data Center site1_datacenter
Devices Add: bigip1.site1.example.com : 203.0.113.5
Devices Add: bigip2.site1.example.com : 203.0.113.6
Health Monitors bigip
Virtual Server Discovery Enabled
Link Discovery Enabled

36 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3. Datacenters 37
agility_dns_docs_17 Documentation, Release 0.1

TMSH command for only gtm1.site1:

tmsh create gtm server site1_ha-pair datacenter site1_datacenter devices add { bigip1.
˓→site1.example.com { addresses add { 203.0.113.5 { } } } bigip2.site1.example.com {

˓→addresses add { 203.0.113.6 { } } } } link-discovery enabled monitor bigip product

˓→bigip virtual-server-discovery enabled

2.3.1.4 site2_ha-pair

• Navigate to: DNS > GSLB > Servers > Server List: Create https://gtm1.site1.example.com/tmui/Control/
jspmap/tmui/globallb/server/list.jsp
• Create a Server Object as defined in the table and diagram below.

Setting Value
Name site2_ha-pair
Data Center site2_datacenter
Device Add: bigip1.site2.example.com : 198.51.100.37
Device Add: bigip2.site2.example.com : 198.51.100.38
Health Monitors bigip
Virtual Server Discovery Enabled
Link Discovery Enabled

38 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3. Datacenters 39
agility_dns_docs_17 Documentation, Release 0.1

TMSH command for only gtm1.site2:

tmsh create gtm server site2_ha-pair datacenter site2_datacenter devices add { bigip1.
˓→site2.example.com { addresses add { 198.51.100.37 { } } } bigip2.site2.example.com

˓→{ addresses add { 198.51.100.38 { } } } } link-discovery enabled monitor bigip

˓→product bigip virtual-server-discovery enabled

Create different types of server objects.


Navigate to: DNS ›› GSLB : Servers : Server List https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/
globallb/server/list.jsp

2.3.2 Device Trust

A mesh of F5 DNS servers need to exchange keys to establish a trusted mechanism for HA communications.
Lanch Putty and login to gtm1.site1.example.com username: root password: default
Run the following command:
bigip_add

40 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3. Datacenters 41
agility_dns_docs_17 Documentation, Release 0.1

In the UI you should see:


https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/locallb/ssl_certificate/properties.jsp?certificate_name=
server&store=iquery

42 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3.3 Sync Group Formation

Launch Putty and log in to gtm1.site2


Run the following command:
gtm_add 203.0.113.7

2.3. Datacenters 43
agility_dns_docs_17 Documentation, Release 0.1

44 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.3.4 LTM Virtuals

Virtual Servers are automatically inventoried with Auto-Discover


Navigate to DNS ›› GSLB : Servers : Server List
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/list.jsp

2.3.5 Links

Datacenter Links are automatically inventoried with Auto-Discovery enabled


Navigate to DNS ›› GSLB : Links : Link List
https://gtm1.site1.example.com/tmui/Control/jspmap/xsl/gtm_link/list

2.3. Datacenters 45
agility_dns_docs_17 Documentation, Release 0.1

2.3.6 Auto Discover

Auto discover can be helpful, but after initial setup it’s recomended to disable it.
Navigate to DNS ›› GSLB : Servers : Server List ›› Links : site1_ha-pair
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/links.jsp?&leaf_name=site1_ha-pair&
name=%2FCommon%2Fsite1_ha-pair
Disable Link Auto Discovery

46 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

Navigate to DNS ›› GSLB : Servers : Server List ›› Virtual Servers : site1_ha-pair


https://gtm1.site1.example.com/tmui/Control/jspmap/xsl/gtm_server/virtual_servers?&leaf_name=site1_ha-pair&
name=%2FCommon%2Fsite1_ha-pair
Disable Virtual Auto Discover and delete unused objects

2.3. Datacenters 47
agility_dns_docs_17 Documentation, Release 0.1

Note: Repeat the above operations for site2_ha-pair

https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/links.jsp?&leaf_name=site1_ha-pair&
name=%2FCommon%2Fsite1_ha-pair
https://gtm1.site1.example.com/tmui/Control/jspmap/xsl/gtm_server/virtual_servers?&leaf_name=site2_ha-pair&
name=%2FCommon%2Fsite2_ha-pair
tmsh modify gtm server site1_ha-pair link-discovery disabled virtual-server-discovery
˓→disabled

tmsh modify gtm server site2_ha-pair link-discovery disabled virtual-server-discovery


˓→disabled

tmsh modify gtm server site1_ha-pair virtual-servers delete { /Common/isp1_site1_vpn.


˓→example.com_tcp_http_virtual /Common/isp1_site1_vpn.example.com_tcp_https_virtual /

˓→Common/isp1_site1_www.example.com_tcp_http_virtual }

tmsh modify gtm server site2_ha-pair virtual-servers delete { /Common/isp2_site2_vpn.


˓→example.com_tcp_http_virtual /Common/isp2_site2_vpn.example.com_tcp_https_virtual /

˓→Common/isp2_site2_www.example.com_tcp_http_virtual }

48 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.4 Pools

Navigate to: DNS ›› GSLB : Pools : Pool List


https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/pool/list.jsp?
Create a GTM pool of LTM Virtuals according to the following table:

Setting Value
Name www.example.com_pool
Type A
member isp1_site1_www.example.com_tcp_https_virtual
member isp2_site2_www.example.com_tcp_https_virtual

2.4. Pools 49
agility_dns_docs_17 Documentation, Release 0.1

50 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.4. Pools 51
agility_dns_docs_17 Documentation, Release 0.1

TMSH command to run on only gtm1.site1:

tmsh create gtm pool a www.example.com_pool { members add { site1_ha-pair:/Common/


˓→isp1_site1_www.example.com_tcp_https_virtual { member-order 0 } site2_ha-pair:/

˓→Common/isp2_site2_www.example.com_tcp_https_virtual { member-order 1 } } }

2.5 FQDN

F5 refers to an FQDN as a “wide-ip”, or “wip”.


Navigate to: DNS ›› GSLB : Wide IPs : Wide IP List
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/wideip/list.jsp
Create an F5 “wide IP”

Setting Value
Name www.gslb.example.com
Type A
Pool www.example.com_pool

52 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.5. FQDN 53
agility_dns_docs_17 Documentation, Release 0.1

54 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

TMSH command to run on only gtm1.site1:

tmsh create gtm wideip a www.example.com { pools add { www.example.com_pool { order 0


˓→} } }

2.6 Delegation

Log in to the Windows Domain Controller from the jumpbox, and open the DNS management UI:

2.6. Delegation 55
agility_dns_docs_17 Documentation, Release 0.1

2.6.1 A Records

Create two new A records

Setting Value
ns1.example.com 203.0.113.8
ns2.example.com 198.51.100.40

Expand “Forward Lookup Zones”, right click on EXAMPLE.COM and select “New Host”

56 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.6.2 Sub Domain

2.6. Delegation 57
agility_dns_docs_17 Documentation, Release 0.1

58 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.6. Delegation 59
agility_dns_docs_17 Documentation, Release 0.1

60 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.6.3 CNAME

Delete the static A record for www

2.6. Delegation 61
agility_dns_docs_17 Documentation, Release 0.1

Create a new CNAME record

62 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.6. Delegation 63
agility_dns_docs_17 Documentation, Release 0.1

64 Chapter 2. GSLB
agility_dns_docs_17 Documentation, Release 0.1

2.7 Results

2.7.1 Statistics

Let’s look at statistics


Navigate to Statistics ›› Module Statistics : DNS : GSLB ›› Wide IPs : www.gslb.example.com : A
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/stats/wideip/stats_detail.jsp?name=/Common/
www.gslb.example.com&type=1&identity=www.gslb.example.com

2.7. Results 65
agility_dns_docs_17 Documentation, Release 0.1

https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/globallb/stats/wideip/stats_detail.jsp?name=/Common/
www.gslb.example.com&type=1&identity=www.gslb.example.com

2.7.2 tcpdump

Let’s do some tcpdump and wiresharking

2.7.3 Analytics

Let’s look at some GUI stats

2.7.4 Logs

Let’s look at some logs

66 Chapter 2. GSLB
CHAPTER 3

Cache

DNS Cache

3.1 Transparent

Log into the gateway device router01.brancho1 in the branch office


Navigate to DNS ›› Caches : Cache List
https://router.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Create a Transparent Cache according to the values in the table below:

Setting Value
Name transparent_cache
Resolver Type Transparent

3.2 Resolver

Resolver cache.

3.3 RPZ

Response Policy Zone

67
agility_dns_docs_17 Documentation, Release 0.1

68 Chapter 3. Cache
agility_dns_docs_17 Documentation, Release 0.1

3.4 Forward Zones

Forward zones are available on a resolver cache.


Agility 2017 Hands-on Lab Guide
Written for: TMOS® v13.0.0
Presented by: DNS 2017 F5 Agility Team

3.4. Forward Zones 69


agility_dns_docs_17 Documentation, Release 0.1

70 Chapter 3. Cache
CHAPTER 4

DNS Services Beyond GSLB with BIG-IP DNS (201)

4.1 AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND

• Objective: In this use-case, you will configure GTM as the authoritative slave using an off-box BIND server as
the hidden master. This is a very common architecture to serve either external or internal zones with large scale
RPS via DNS Express. You will configure the following common components:
• DNS Profile and Listeners
• DNS Express
• DNS Query Logging
• DNS Statistics
• DNSSEC signing
• Estimated completion time: 25 minutes

4.1.1 Configuring DNS Logging

• You are going to configure DNS query and response logging. To do this, you must tell GTM where to send logs
to (a log publisher) and what specifically to log (DNS logging profile).
• For lab purposes, we are going to use local-syslog as our logging destination.

Note: remote high-speed logging is highly recommended for production environments.

• Log in to https://gtm1.site1.example.com from the jumpbox desktop and using user: admin password: admin
• In the GUI, navigate to: System > Logs > Configuration > Log Publishers: Create
• Create a new DNS Log Publisher as shown in the table below.

71
agility_dns_docs_17 Documentation, Release 0.1

Keep the defaults if not noted in the table.

Name dns-local-syslog
Destinations Move local-syslog to Selected column

• Click Finished to create.


• In the GUI, navigate to: DNS > Delivery > Profiles > Other > DNS Logging: Create
• Create a new DNS logging profile as shown in the table below.
Keep the defaults if not noted in the table.

Name dns-logging
Log Publisher Select dns-local-syslog
Log Responses Enabled
Include Query ID Enabled

• Click Finished to create.


• Your new dns-logging profile should now have all options enabled.

4.1.2 Create a new DNS Profile

• A DNS profile tells the DNS Listener how to process DNS traffic. We’re going to make some tweaks for our
use-case and lab environment.
• In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create
• Create a new DNS profile as shown in the table below.
Keep the defaults if not noted in the table.

Name AuthNS-offbox-BIND
Unhandled Query Action Drop
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile dns-logging
AVR Statistics Sampling Rate Enabled; 1/1 queries sampled

• Click Finished to create.


• For lab purposes, we are going to use sample all DNS queries with AVR.

Note: production sampling rates would be a much lower rate as this would severely impact performance.

4.1.3 Create DNS Listeners

We are going to create both UDP and TCP external listeners. The external Listener will be our target IP address when
querying GTM.
• In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create
• Create two external Listeners as shown in the tables below.

72 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

Keep the defaults if not noted in the table.

Name external-listener-UDP
Destination Host: 203.0.113.8
VLAN Traffic Enabled on..
VLANs and Tunnels External
DNS Profile AuthNS-offbox-BIND

Name external-listener-TCP
Destination Host: 203.0.113.8
VLAN Traffic Enabled on..
VLANs and Tunnels External
Protocol TCP
DNS Profile AuthNS-offbox-BIND

• For each Listener, click Finished to create.


• You should now have two UDP-based DNS Listeners and two TCP-based Listeners configured.

4.1.4 Create a Nameserver for Hidden Master

We next need to tell GTM about our Hidden Master that DNS Express will slave from.
• In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create
• Create offbox-BIND as a Nameserver as shown in the table below.
Keep the defaults if not noted in the table.

Name Offbox-BIND
Address 203.0.113.15

• Click Finished to create.

4.1.5 Create a zone to transfer from Hidden Master

We will now configure the specific zone for GTM to obtain from the Hidden Master. Note that the BIND server already
has some key configuration elements to consider:
• “Allow-transfer” (for lab purposes, any sourceIP is allowed)
• “Also-notify” for your internal Listener IP address.
• TSIG is disabled.
• Before we configure the zone, we are going to enable some debug logging so that you can see what happens
underneath the covers. SSH to your F5 BIGIP1. You should have a BIGIP1 putty icon on your desktop. Use
username: root password: default and issue the following TMSH command once logged in.

tmsh modify sys db log.zxfrd.level value "debug"

• Now, view the log file real-time by issuing this command at the SSH prompt:

tail -f /var/log/ltm

4.1. AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND 73


agility_dns_docs_17 Documentation, Release 0.1

Note: You can make the putty window larger if needed

Keep your ssh session open while performing the rest of the steps. You can break out of the tail process with <Ctrl-C>.
• In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create
• Create the “dnsx.com” zone as shown in the figure below and then click Finished.

• You should see log messages in your SSH console indicating a successful transfer from the hidden master. You
can also view the state of the transfer by clicking back on the newly created zone and observing the “Availability”
as shown in the figure below.

• Issue the following command from SSH console to see specifics of the status and statistics related to the zone.
tmsh show ltm dns zone dnsx.com | more

• The dnsx.com zone is configured with a 60 second refresh interval – meaning that DNS Express will proactively
check the Master Nameserver every 60 seconds for zone updates. This very low interval is merely for lab
purposes so you can view what happens in the logs. The log messages look like this:
Jun 22 14:49:38 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s
˓→for dnsx.com from 203.0.113.15.

Jun 22 14:49:38 gtm1 debug zxfrd[4251]: 01531106:7: Availability status of dnsx.com


˓→changed from YELLOW to GREEN.

Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531025:7: Serials equal (2017062201);


˓→transfer for zone dnsx.com complete.

Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531008:7: Resetting transfer state for zone
˓→dnsx.com.

74 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s
˓→for dnsx.com from 203.0.113.15.

• Now, issue the following command in the SSH console to view what is in DNS Express.

dnsxdump | more

• Open the command prompt from your windows desktop. Issue a DNS query against your external listener for a
record in the dnsx.com zone and verify that it succeeds. For example:

>dig @203.0.113.8 +short www1.dnsx.com

• Issue several more queries of different types to generate some interesting statistics. Here are some examples:

dig @203.0.113.8 +short www1.dnsx.com

dig @203.0.113.8 +short www2.dnsx.com

dig @203.0.113.8 +short www3.dnsx.com

dig @203.0.113.8 +short bigip1.dnsx.com

dig @203.0.113.8 +short bigip2.dnsx.com

dig @203.0.113.8 +short MX dnsx.com

dig @203.0.113.8 +short NS dnsx.com

• Now is a good time to check query logging. Look at ‘‘/var/log/ltm ‘‘(i.e. tail /var/log/ltm ) to ensure that you’re
properly logging queries and responses. It should look something like this:

Jun 22 14:55:14 gtm1 info tmm[10506]: 2017-06-22 14:55:14 gtm1.site1.example.com qid


˓→340 from 203.0.113.1#50316: view none: query: www3.dnsx.com IN A + (203.0.113.8%0)

Jun 22 14:55:14 gtm1 info tmm[10506]: 2017-06-22 14:55:14 gtm1.site1.example.com qid


˓→340 to 203.0.113.1#50316: [NOERROR qr,aa,rd] response: www3.dnsx.com. 100 IN A 203.

˓→0.113.103;

• In the GUI, navigate to Statistics > Analytics > DNS. Notice that you can view statics by different data points,
over different periods of time, and drill down into different aspects. Spend a few moments looking at the various
options.

Note: This may take up to 5 minutes to populate.

If no data exists, come back after the next task.

4.1.6 Enable DNSSEC for the zone

We will now sign the dnsx.com zone. In this example, we are configuring GTM to sign the zone on the fly rather than
signing the actual static zone information (which can be done starting in v11.5 but is outside the scope of this lab).
• In the GUI, navigate to: DNS > Delivery > Keys > DNSSEC Key List: Create
• Create two keys as defined in the tables below.
Keep the defaults if not noted in the table.

4.1. AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND 75


agility_dns_docs_17 Documentation, Release 0.1

Name dnsx.com_zsk
Type Zone Signing Key
Key Management Manual
Certificate default.crt
Private Key default.key

Name dnsx.com_ksk
Type Key Signing Key
Key Management Manual
Certificate default.crt
Private Key default.key

• Click Finished to create each key.


• In the GUI, navigate to: DNS > Zones > DNSSEC Zones > DNSSEC Zone List: Create
• Configure the dnsx.com zone for DNSSEC using the previously created keys as shown below.

• Test that the zone is successfully signed by issuing a DNSSEC query to the external listener. For example:

dig @203.0.113.8 +dnssec www1.dnsx.com

You should see RRSIG records indicating that the zone is signed. You will also note signing in the query logs (/var/
log/ltm)
• Finally, view some other DNS statistics related to queries, DNSSEC, zone transfers, notifies, etc.
• In the GUI, navigate to: DNS > Zone > Zones > Zone List.
• Click on the “dnsx.com” zone and then select “Statistics” from the top menu bar.
• Select the “View” Details as shown in the diagram below:

76 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

• View the types of statistics available for the zone such as serial number, number of records, etc.
• In the GUI, navigate to: Statistics > Module Statistics > DNS > Zones.
• Set “Statistics Type” to “DNSSEC Zones”.
• View details as performed above. Note the various DNSSEC statistics available.
• If the graphs from task 5 weren’t available earlier, revisit Statistics > Analytics > DNS now and explore.

4.2 Authoritative Name Server: slave from ON-BOX BIND

In this use-case, you will configure GTM as an authoritative slave using on-box BIND managed by ZoneRunner.
Estimated completion time: 15 minutes

4.2.1 Create a new DNS Profile

• In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the
table below.
Keep the defaults if not noted in the table.

Name AuthNS-onbox-BIND
Unhandled Query Action Drop
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile dns-logging
AVR Statistics Sampling Rate Enabled; 1/1 queries sampled

• Click Finished to create.


For lab purposes, we are going to sample all DNS queries with AVR.

Note: Production sampling rates would be a much lower rate.

4.2.2 Edit DNS Listeners

We need to edit the external-listeners to use the new DNS profile created above.
• In the GUI, navigate to: DNS > Delivery > Listeners > Listener List

4.2. Authoritative Name Server: slave from ON-BOX BIND 77


agility_dns_docs_17 Documentation, Release 0.1

• Edit the external-listener-UDP to use the AuthNS-onbox-BIND DNS profile.


• Edit the external-listener-TCP to use the AuthNS-onbox-BIND DNS profile.
• Click Update after change DNS profile to finish edition.

4.2.3 Create a Student1.com zone using ZoneRunner

• In the GUI, navigate to: DNS > Zones: ZoneRunner > Zone List: Create
• Add a student1.com zone with the information as shown in the following screenshot. Note the “also-notify”
message needs to be added to send a NOTIFY message to an internal GTM IP address for processing. Likewise
BIND needs to allow the transfer from the loopback address. The diagram below shows the basic operation.

78 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

4.2.4 Create a Nameserver for on-box BIND

Next, we need to tell DNS Express that on-box BIND is available to use as a source for zone transfers.
• In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create
• Create a loopback as a Nameserver as shown in the table below.
Keep the defaults if not noted in the table.

Name ZoneRunner
Address 127.0.0.1

• Click Finished to create.

4.2. Authoritative Name Server: slave from ON-BOX BIND 79


agility_dns_docs_17 Documentation, Release 0.1

4.2.5 Create a DNS Express zone to transfer from ZoneRunner

We will now configure the specific zone for GTM to obtain from ZoneRunner. Note that on-box BIND already has
some key configuration elements to consider:
• “Allow-transfer” from the localhost.
• “Also-notify” for DNS Express internal Listener IP address.
• TSIG is disabled.
• In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create
• Create the “student1.com” zone as shown in the figure below and then click Finished.

• Perform the same validation steps as the previous lab for validating the successful transfer of student1.com to
DNS Express
• View the details of the zone in the GUI
• Issue the following command from the ssh console:

tmsh show ltm dns zone student1.com | more

• Dump the dns express output to see the records

dnsxdump | more

• Verify logs in /var/log/ltm


• From a command prompt on your jumpbox, issue a query to the external listener for a record in the zone

dig @203.0.113.8 SOA student1.com

• Add a new record to the Student1.com zone in ZoneRunner


• In the GUI, navigate to: DNS > Zones: ZoneRunner > Resource Record List.
• Select View Name -> external
• Select Zone Name -> student1.com.

80 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

• Click Create
• Enter a new A record similar to the figure below for your zone and click Finished.

• Validate the DNS Express was updated by performing a dnsxdump and/or query for your new record to the
Listener.
• Add another record using the steps above for www2.student1.com with IP address of 203.0.113.102 but before
doing this, make sure to have a putty session open to your BIG-IP1 and tail the logs using tail -f /var/
log/ltm to view the changes. By making a change to the zone on the Hidden Master (in this case ZoneRunner),
you will see a proactive update to DNS Express via a NOTIFY. Watch the /var/log/ltm file to see the update
occur. The logs should look something like this:
Jun 5 08:21:26 bigip1 notice zxfrd[6429]: 0153101c:5: Handling NOTIFY for zone
˓→student1.com.

Jun 5 08:21:26 bigip1 debug zxfrd[6429]: 01531008:7: Resetting transfer state for
˓→zone student1.com.

Jun 5 08:21:26 bigip1 debug zxfrd[6429]: 01531023:7: Scheduling zone transfer in 5s


˓→for student1.com from 127.0.0.1.

Jun 5 08:21:26 bigip1 debug zxfrd[6429]: 01531027:7: Notify response to ::1 succeeded
˓→(81:na).

Jun 5 08:21:31 bigip1 notice zxfrd[6429]: 0153101f:5: IXFR Transfer of zone student1.
˓→com from 127.0.0.1 succeeded.

Issue a dnsxdump | more command for the SSH console or a query to the listener to validate the zone file has
updated.

4.3 Slaving off of DNS Express

In this use-case, we will obtain a zone transfer from another F5’s DNS Express. This is a common deployment in a
hybrid on-premise and cloud-based DNS solution. Our purpose here is to focus on DNS Express serving zone transfer
clients. Note that zones can be signed during a transfer – but this is outside the scope of this lab
• Estimated completion time: 10 minutes

4.3.1 Create a new DNS Profile

• In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the
table below.

4.3. Slaving off of DNS Express 81


agility_dns_docs_17 Documentation, Release 0.1

Keep the defaults if not noted in the table.

Name AuthNS-hybrid
Unhandled Query Action Drop
Use BIND Server on Big-IP Disabled
Zone Transfer Enabled
Logging Enabled
Logging Profile dns-logging
AVR Statistics Sampling Rate Enabled; 1/1 queries sampled

• For lab purposes, we are going to use sample all DNS queries with AVR.

Note: that production sampling rates would be a much lower rate.

4.3.2 Edit DNS Listeners

• In the GUI, navigate to: DNS > Delivery > Listeners > Listener List
• Edit the external-listener-TCP to use the AuthNS-hybrid DNS profile.
• Click Update to finish.

4.3.3 Create Nameservers for Zone Transfer Clients

• Your lab environment has a second pre-configured BIG-IP (BIGIP2) that we will use as the on-prem DNS
Express Master.
• In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create
• Create BIGIP2’s F5 as a Nameserver as shown in the table below. You will use the External SelfIP/Listener.
Keep the defaults if not noted in the table.

Name site2_gtm1_master
Address 198.51.100.39

4.3.4 Edit Student2 Zones on BIGIP2 to allow Zone transfers

• Log in to gtm1.site2 (shortcut located on desktop) using a new browser window with the following credentials:
• https://10.1.10.23
• User: admin Pass: admin
• In the GUI, navigate to: DNS > Zones > Zones > Zone List
• Edit the existing student2.com zone.
• Under Zone Transfer Clients, move gtm1.site1 (pre-defined to save time) to Active and click Update.

Note: The internal TCP listener on BIGIP2 is using the AuthNS-hybrid profile which is setup exactly like the profile
with the same name on BIGIP1. ‘Zone Transfer = Enabled’ must be set in the profile on the source for this to work
correctly.

82 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

• Return to your BIGIP1 browser session

4.3.5 Add Student2.com zone to DNS Express on BIGIP1

• In the GUI on BIGIP1, navigate to: DNS > Zones > Zones > Zone List: Create
• Create the “student2.com” zone as shown in the figure below and then click Finished. Your GTM is acting as
a zone transfer client in this case (looking to receive a transfer of the on-prem student2.com local zone). This
example shows BIGIP1 adding the student2.com zone to pull from DNS Express on BIGIP2.

• Perform the same validation steps as the previous lab for validating the successful transfer of student2.com zone
• View the details of the zone in the GUI
• Issue a dnsxdump | more command from SSH console
• Verify logs in /var/log/ltm
• Issue a query to the external listener for a record in the zone

dig @203.0.113.8 SOA student2.com

• Open putty sessions to both BIGIP1 and BIGIP2 and tail the logs using tail -f /var/log/ltm. This
will allow us to see the process of adding a new record on the Master on-prem server (BIGIP2) and then it
being replicated first to DNS Express on its own box, followed by an update to the cloud GTM (BIGIP1) in this
scenario.
• Add a new record to the student2.com zone in ZoneRunner on gtm1.site2
• In the GUI, navigate to: DNS > Zones: ZoneRunner > Resource Record List
• Select View Name -> external
• Select Zone Name -> student2.com.
• Click Create
• Enter a new A record based on the picture below and click Finished.

4.3. Slaving off of DNS Express 83


agility_dns_docs_17 Documentation, Release 0.1

• Notice the logs in each F5. You will see BIGIP2 perform a zone transfer from ZR after receiving a NOTIFY.
You will then see BIGIP1 receive a NOTIFY and obtain a zone transfer.
• Notice that we didn’t have to tell GTM where to send a NOTIFY. Those messages are automatically sent to the
Zone Transfer Clients configured for the zone.
• Issue the following command from SSH console on BIGIP1 to see the status and statistics related to the zone.
Take note of the “Notifies Received” counter.

tmsh show ltm dns zone student2.com | more

• Issue the following command from SSH console on BIGIP2 to see the status and statistics related to the zone.
Take note of the “Notifies To Client” counter.

tmsh show ltm dns zone student2.com | more

• Validate DNS Express was updated by performing a dnsxdump | more and/or query for your new record to
the Listener.
Close out your browser session to gtm1.site2, we will no longer be using it.

4.4 Transparent Caching

In this use-case, you will configure GTM as a transparent cache to a pool of BIND servers.
• Estimated completion time: 10 minutes

84 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

4.4.1 Create a DNS Cache

• In the GUI, navigate to: DNS > Caches > Cache List: Create
• Create a new DNS profile as shown in the table below.
Keep the defaults if not noted in the table.

Name transparent-cache
Resolver Type Transparent (none)

• Click Finished to create.

4.4.2 Create a new DNS Profile

• In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the
table below.
Keep the defaults if not noted in the table.

Name Transparent
DNSSEC Disabled
GSLB Disabled
DNS Express Disabled
DNS Cache Enabled
DNS Cache Name transparent-cache
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile dns-logging
AVR Statistics Sampling Rate Enabled; 1/1 queries sampled

4.4. Transparent Caching 85


agility_dns_docs_17 Documentation, Release 0.1

Click Finished when complete.

4.4.3 Create a DNS Monitor

• In the GUI, navigate to: DNS > Delivery > Load Balancing > Monitors: Create. Create a new DNS monitor
as shown in the table below.
Keep the defaults if not noted in the table.

Name mon_resolver
Type DNS
Query Name www.f5.com

• Click Finished to create.

4.4.4 Create a Resolver Pool

• In the GUI, navigate to: DNS > Delivery > Load Balancing > Pools > Pools List: Create. Create a new pool
of DNS resolvers as shown in the figure below.
• Add pool called pool_resolvers with health monitor (mon_resolver) and members as shown in table and dia-
gram below:

Pool Members
198.51.100.39:53
203.0.113.15:53
198.51.100.47:53

86 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

4.4.5 Create a new External DNS Listener

We are going to create a new external-facing DNS Listener to cache DNS requests and load-balance non-cached
requests to pool_resolvers.
• In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create
• Create a Listener named ‘resolver-listener’ as shown in the figure below. Use the Listener IP of 203.0.113.9

Note: you need to be in the “Advanced” Menu to set some of the options.

4.4. Transparent Caching 87


agility_dns_docs_17 Documentation, Release 0.1

• From your workstation at a command prompt, perform several recursive queries to your new listener to test.
You will want to repeat some of the same queries multiple times We are attempting to see cache hits. Below are
some examples:

dig @10.128.10.54 www.f5.com


dig @10.128.10.54 www.wikipedia.org
dig @10.128.10.54 www.ncsu.edu

• You should have successful resolution. Now it’s time to see statistics and cache entries.
Viewing Cache Entries
• In the SSH shell, type the following command:

88 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

tmsh show ltm dns cache records rrset cache transparent-cache

• Your output should look similar to below with several entries

• If you go to the TMSH console, you can see several other ways to query the cache database. Below show some
examples.
• View cache entries for a particular domain / owner:

• View cache entries of a particular RR type:

• There are other options. . . feel free to play around and familiarize yourself with the options.
Viewing Cache Statistics
• In the SSH shell, type:

4.4. Transparent Caching 89


agility_dns_docs_17 Documentation, Release 0.1

tmsh show ltm dns cache transparent transparent-cache

• Your output should look similar to below with statistics showing Hits and Misses in particular.

• In the GUI, you can find similar data as above by navigating Statistics > Module Statistics > DNS > Caches.
• Select “Statistics Type” of Caches.
• Select “View” under the Details column for transparent-cache
• Note that stats can also be reset from this view (Reset).

• Spend some time looking in the DNS Analytics to verify that AVR is graphing query stats as expected.
Deleting Cache Entries
• Specific cache entries can be deleted via the TMSH console. Entries to be deleted can be filtered by several
aspects.

90 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

• In the TMSH shell, go to the DNS prompt and type

delete cache records rrset cache transparent-cache ?

• Now delete individual records by type and owner. Below show some examples.

Clearing Entire Cache


• Via the GUI, navigate to Statistics > Module Statistics > DNS > Caches
• Set “Statistics Type” to “Caches”.
• You can select the cache and click “Clear Cache” to empty the cache.

4.5 Resolver Cache

In this use case, you will configure GTM as a resolver cache which eliminates the need for the pool of resolvers. *
Estimated completion time: 10 minutes

4.5. Resolver Cache 91


agility_dns_docs_17 Documentation, Release 0.1

4.5.1 Create a new DNS Cache

• In the GUI, navigate to: DNS > Caches > Cache List: Create
• Create a new DNS Cache as shown in the table below.
Keep the defaults if not noted in the table.

Name resolver-cache
Resolver Type Resolver

4.5.2 Create a new DNS Profile

• In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the
table below.
Keep the defaults if not noted in the table.

Name Resolver
DNSSEC Disabled
GSLB Disabled
DNS Express Disabled
DNS Cache Enabled
DNS Cache Name resolver-cache
Unhandled Query Action Drop
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile dns-logging //from previous lab
AVR Statistics Sampling Rate Enabled; 1/1 queries sampled

4.5.3 Edit DNS Listener

We will now apply the new profile to the existing DNS Listener.

92 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

• In the GUI, navigate to: DNS > Delivery > Listeners > Listener List
• Select ‘resolver-listener’ and modify the following settings.
• Change the DNS profile to ‘resolver’ and uncheck “Address Translation” (under Listener Advanced options).
Click Update.
• Select “Load Balancing” from the middle menu above, and Select the Default Pool as “None” and click Update.
• Your Listener should now be setup as a caching resolver.
• From your workstation command prompt, perform several recursive queries to your external Listener to test.
You will want to repeat some of the same queries multiple times. We are attempting to see cache hits and
perform recursive queries. Below are some examples:

dig @10.128.10.54 www.cnn.com

dig @10.128.10.54 www.google.com

dig @10.128.10.54 www.umich.edu

Viewing Cache Statistics


• In the SSH shell, type the following command:

tmsh show ltm dns cache resolver resolver-cache | more

Your output should look similar to below with statistics. Bits In/Out, Packets In/Out and Connections are of particular
interest.

4.6 DNSSEC Validating Resolver

In this use case, you will configure GTM as a DNSSEC validating resolver which offloads heavy CPU computation
to traditional resolvers. This simply adds DNSSEC validation to the resolver-cache use-case previously configured. *
Estimated completion time: 10 minutes

4.6. DNSSEC Validating Resolver 93


agility_dns_docs_17 Documentation, Release 0.1

4.6.1 Create a new DNS Cache

• In the GUI, navigate to: DNS > Caches > Cache List: Create
• Create a new DNS cache as shown in the table below.
Keep the defaults if not noted in the table.

Name validating-resolver
Resolver Type Validating Resolver

• A Trust Anchor must be configured so that the validating resolver has a starting point for validation. This can be
done manually via the SSH console. You can obtain the root server DS keys by using dig and its related utilities
as follows:

Note: In the interest of time, the trust anchors are located on your desktop as a text file named TrustAnchors.txt. You
can simply cut and paste the values into the GUI. If you want to run the utilities to obtain the anchors, the commands
are below for your reference.

• Get the root name servers in DNSKEY format and output to the file “root-dnskey”

>dig +multi +noall +answer DNSKEY . >root-dnskey

• Convert the root trust anchors from DNSKEY format to DS

>dnssec-dsfromkey -f root-dnskey . >root-ds

• Output of the root DS keys

>cat ./root-ds

IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E

IN DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5

• Each of the 2 lines in the TrustAnchor.txt file should be entered as a new trust anchor (2 total).
• In the GUI, navigate to: DNS > Caches > Cache List. Select “validating-resolver” and click on Trust Anchors
on the top menu. Click Add. Copy each line from the TrustAnchor.txt file as a Trust Anchor entry. You should
end with a total of two entries.
• The figure below shows what your configuration should look like.

4.6.2 Create a new DNS Profile

In this task we will create a dns profile to be used by a listener for DNSSEC validation. * In the GUI, navigate to:
DNS > Delivery > Profiles > DNS: Create. * Create a new DNS profile as shown in the table below.

94 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

Keep the defaults if not noted in the table.

Name Validating
DNSSEC Disabled
GSLB Disabled
DNS Express Disabled
DNS Cache Enabled
DNS Cache Name validating-resolver
Unhandled Query Action Drop
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile dns-logging //from previous lab
AVR Statistics Sampling Rate Enabled; 1/1 queries sampled

4.6.3 Edit DNS Listener

We will now apply the new profile to the existing DNS Listener.
• In the GUI, navigate to: DNS > Delivery > Listeners > Listener List
• Select ‘resolver-listener’ and modify the DNS Profile to use “validating”.
• Your Listener should now be setup as a validating resolver.
• Use-Case: Valid Signed Zone. From your workstation, perform several recursive queries to your external
Listener to test. Perform the following command 2 or 3 times:

dig @10.128.10.54 internetsociety.org

• In the SSH shell, type the following:

tmsh show ltm dns cache validating-resolver | more

Your output should look similar to below with statistics. Response Validation and DNSSEC Key stats are of particular
interest in this use-case.

4.6. DNSSEC Validating Resolver 95


agility_dns_docs_17 Documentation, Release 0.1

• In the GUI, you can find similar data as above by navigating Statistics > Module Statistics > DNS > Caches.
• Select “Statistics Type” of Caches.
• Select “View” under the Details column for validating-resolver
• Note the size of the cache for just this single RR query. You can view what’s in the cache from the CLI with:

tmsh show ltm dns cache records rrset cache validating-resolver | more

• Use-Case: Invalid Signed Zone: From your workstation, perform several recursive queries to your external
Listener to test. Perform the following command 2 or 3 times:

dig @10.128.10.54 dnssec-failed.org

• Run the same steps above to view statistics and see the difference
• What happens when trust is broken.
• What statistic incremented?
• What was the query response to the client?

4.7 Forwarders

In this use-case, we will configure conditional forwarders with local zone information.
• Estimated completion time: 5 minutes

4.7.1 Add Forwarder to Existing Cache

• In the GUI, navigate to: DNS > Caches > Cache List. Click on validating-resolver from the previous exercise.
Click Forward Zones from the top menu.

96 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)


agility_dns_docs_17 Documentation, Release 0.1

• Click Add and configure as shown in the figure below and then click Finished:

• From your workstation, perform the following recursive queries to your external Listener to test.

dig @10.128.10.54 www.forward.com

dig @10.128.10.54 mail.forward.com

• In the SSH shell, type the following tmsh command:

tmsh show ltm dns cache validating-resolver | more

Your output should look similar to below with statistics. Forwarder Activity stats are of particular interest in this
use-case.

• In the GUI, you can find similar data as above by navigating Statistics > Module Statistics > DNS > Caches.

4.7. Forwarders 97
agility_dns_docs_17 Documentation, Release 0.1

• Select “Statistics Type” of Caches.


• Select “View” under the Details column for validating-resolver

4.8 DNS 201 class is complete ! Thanks for attending!

98 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

You might also like