Manual Chapter: Configuring DNS Express on BIG-IP Systems

How do I configure DNS Express?

You can configure DNS Express on BIG-IP systems to mitigate distributed denial-of-service attacks (DDoS) and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.

What is DNS Express?

DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This allows the system to:
  • Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
  • Perform a zone transfer from the local BIND server on the BIG-IP system.
  • Serve DNS records faster than the primary DNS servers.

Task summary

Perform these tasks to configure DNS Express on your BIG-IP system.

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone transfers using TSIG keys.
When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express TSIG key.
Note: This step is optional.
  1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List. The DNS Express TSIG Key List screen opens.
  2. Click Create. The New DNS Express TSIG Key screen opens.
  3. In the Name field, type a name for the key.
  4. From the Algorithm list, select one of the following.
    Algorithm Name    Description
    HMAC MD5          Produces a 128-bit hash sequence
    HMAC SHA-1        Produces a 160-bit hash sequence
    HMAC SHA-256      Produces a 256-bit hash sequence
  5. In the Secret field, type the phrase required for authentication of the key.
  6. Click Finished.

Creating a DNS Express zone

If you are using back-end DNS servers, ensure that those servers are configured for zone transfers.
To implement DNS Express on a BIG-IP system, create a DNS Express zone.
  1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List. The DNS Express Zone List screen opens.
  2. Click Create. The New DNS Express Zone screen opens.
  3. In the Name field, type a name for the DNS Express zone.
  4. In the Target IP Address field, type the IP address of the DNS server from which you want to transfer records. The default value 127.0.0.1 is for the BIND server on the BIG-IP system.
  5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.
  6. To specify an action for the BIG-IP system to take when it receives a NOTIFY message from a DNS server on which a zone has been updated, from the Notify Action list, select one of the following.
    Action     Description
    Consume    The BIG-IP system processes the NOTIFY message and does not pass the NOTIFY message to the back-end DNS server.
    Bypass     The BIG-IP system does not process the NOTIFY message, but instead sends the NOTIFY message to a back-end DNS server (subject to the DNS profile unhandled-query-action setting).
    Repeat     The BIG-IP system processes the NOTIFY message and also sends the NOTIFY message to a back-end DNS server.
  7. Click Finished.

Enabling DNS Express

Create a custom DNS profile to enable DNS Express, only if you want to use a back-end DNS server for name resolution while the BIG-IP system handles queries for wide IPs and DNS Express zones.
Note: If you plan to use the BIND server on BIG-IP GTM, you can use the default dns profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
  2. Click Create. The New DNS Profile screen opens.
  3. Name the profile dns_express. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. In the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box. The fields in the Settings area become available for revision.
  6. In the Global Traffic Management list, accept the default value Enabled.
  7. From the DNS Express list, select Enabled.
  8. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.
    Option      Description
    Allow       The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to Enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
    Drop        The BIG-IP system does not respond to the query.
    Reject      The BIG-IP system returns the query with the REFUSED return code.
    Hint        The BIG-IP system returns the query with a list of root name servers.
    No Error    The BIG-IP system returns the query with the NOERROR return code.
  9. From the Use BIND Server on BIG-IP list, select Disabled.
  10. Click Finished.
Assign the profile to virtual servers or listeners.

Assigning a DNS profile to a listener

If you plan to use the BIND server on the BIG-IP system, you can assign the default DNS profile (dns) to the listener. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the listener.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click the name of the listener you want to modify.
  3. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
  4. Click Finished.

Configuring the legacy DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O’Reilly Media.
To configure the legacy DNS server to allow zone file transfers to the BIG-IP system, add to the DNS server an allow-transfer statement that specifies the IP address of the new BIG-IP system.
You can modify the following allow-transfer statement to use the IP address of your BIG-IP system:

    allow-transfer { localhost; <IP address of BIG-IP system>; };
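The following named.conf fragment is an added example, not from this manual, showing the BIND side of the TSIG key task, the NOTIFY action task, and the allow-transfer statement above together: it permits zone transfers only for requests signed with the key created on the BIG-IP system, and sends NOTIFY messages for the zone to the BIG-IP system. The key name bigip-xfer, the zone example.com, the zone file path, the BIG-IP address 192.0.2.10, and the secret are placeholders; the assumption is that the key name, algorithm, and secret are identical to what was entered on the BIG-IP system.

```conf
// Added example (not from the manual): BIND named.conf fragment for the
// back-end DNS server from which the DNS Express zone is transferred.
// Placeholders: key name "bigip-xfer", zone "example.com", the zone file
// path, the BIG-IP address 192.0.2.10, and the base64 secret.

// TSIG key. The name, algorithm, and secret must match the DNS Express
// TSIG key created on the BIG-IP system (hmac-sha256 corresponds to the
// HMAC SHA-256 choice in the Algorithm list).
key "bigip-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";

    // Only transfer requests signed with the BIG-IP key are answered.
    // The address-based form in the manual, allow-transfer { localhost;
    // <IP>; };, accepts unsigned requests from those addresses; matching
    // on the key instead ties the transfer to knowledge of the secret.
    allow-transfer { key "bigip-xfer"; };

    // Send NOTIFY to the BIG-IP system when the zone changes so that
    // DNS Express re-transfers it; "explicit" limits NOTIFY to this list.
    // The Notify Action on the DNS Express zone decides whether the
    // BIG-IP system consumes, bypasses, or repeats that message.
    also-notify { 192.0.2.10; };
    notify explicit;
};
```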

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express.

  1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic Statistics screen opens.
  2. From the Statistics Type list, select DNS Express Zones. Information displays about the DNS Express zones.
    Record type         Description
    SOA Records         Displays start of authority record information.
    Resource Records    Displays the number of resource records for the zone.

Implementation result

You now have an implementation in which the BIG-IP system helps to mitigate DDoS attacks on your network and to resolve more DNS queries faster.
