Manual Chapter: Configuring DNS Express on BIG-IP Systems

Overview: How do I configure a BIG-IP system to mitigate DDoS attacks?

You can configure DNS Express on BIG-IP Global Traffic Manager (GTM) to mitigate distributed denial-of-service attacks (DDoS) and improve performance of both the local BIND server on the BIG-IP system and any back-end DNS servers.

What is DNS Express?

DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This allows the system to:
  • Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
  • Perform a zone transfer from the local BIND server on the BIG-IP system.
  • Serve DNS records faster than both the primary DNS servers and the local BIND server.

Task summary

Perform these tasks to configure DNS Express on your BIG-IP system.

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone transfers using TSIG keys.

Create a DNS Express TSIG key when you want to verify the identity of the authoritative server that is sending information about the zone.

  1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List. The DNS Express TSIG Key List screen opens.
  2. Click Create.
  3. In the Name field, type a name for the key.
  4. In the Secret field, type the phrase required for authentication of the key.
  5. Click Finished.

Creating a DNS Express zone

Ensure that your back-end DNS servers are configured for zone transfers.
Create a DNS Express zone when you want to protect a zone on either the local BIND server or a back-end DNS server from DDoS attacks.
  1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List. The DNS Express Zone List screen opens.
  2. Click Create.
  3. In the Name field, type a name for the zone. The best practice is to use the name that appears at the apex in a BIND zone file.
  4. In the Target IP Address field, type the IP address of the DNS server from which you want to transfer records. The default value 127.0.0.1 is for the BIND server on the BIG-IP system.
  5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.
  6. Click Finished.

Configuring the legacy DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O’Reilly Media.
To configure the legacy DNS server to allow zone file transfers to BIG-IP GTM, add to the DNS server an allow-transfer statement that specifies the IP address of the new BIG-IP GTM system.
You can modify the following allow-transfer statement to use the IP address of your BIG-IP GTM:
    allow-transfer { localhost; <IP address of BIG-IP GTM>; };
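The allow-transfer statement above is the setting that decides who may pull a copy of the zone, and the TSIG key created earlier in this chapter is what lets the transfer be authenticated rather than merely IP-filtered. The following Python script is an added example (not part of this manual or of any F5 or ISC product) that audits the allow-transfer ACLs in a named.conf-style file and reports, per zone, whether transfers are open to any host, limited to listed addresses, or require a TSIG key. The two embedded configuration fragments are constructed samples: the "weak" one uses a global allow-transfer { any; }, and the "hardened" one restricts the zone to localhost plus a TSIG key. The key name bigip-xfer-key, the zone example.com, and the secret value are placeholders, not values from this page.

```python
import re

# Constructed sample 1: transfers open to every host via the global options block.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Constructed sample 2: global default is none; the zone allows localhost or a
# TSIG-signed request. Key name and secret are placeholders.
HARDENED_CONF = """
key "bigip-xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};
options {
    directory "/var/named";
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { localhost; key "bigip-xfer-key"; };
};
"""

ACL_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}\s*;')


def _top_level_blocks(conf):
    """Return (header, body) pairs for each top-level `header { body };` statement.

    Brace depth is tracked by hand so nested statements such as
    `allow-transfer { ... };` inside a zone do not end the zone block early.
    """
    blocks, depth, header, start, header_start = [], 0, "", 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header = conf[header_start:i].strip(" ;\n\t")
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, conf[start:i]))
                header_start = i + 1
    return blocks


def _parse_acl(body):
    """Return the allow-transfer ACL entries in `body`, or None if absent."""
    m = ACL_RE.search(body)
    if not m:
        return None
    # Entries in a BIND address-match list are alternatives: any one match allows.
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def _classify(acl):
    """Turn an effective ACL into an audit finding."""
    if acl is None:
        return "NO ACL: relies on the BIND default; set allow-transfer explicitly"
    if "any" in acl:
        return "UNRESTRICTED: any host may transfer the zone"
    if acl == ["none"]:
        return "BLOCKED: no transfers allowed (BIG-IP cannot load the zone)"
    if any(e.startswith("key ") for e in acl):
        return "RESTRICTED: transfer requires TSIG"
    return "RESTRICTED: transfer limited to listed addresses (no TSIG)"


def audit_transfers(conf):
    """Map each zone name to (effective allow-transfer ACL, finding).

    A zone-level allow-transfer overrides the one in the options block.
    """
    conf = re.sub(r"(//|#)[^\n]*", "", conf)  # drop line comments
    global_acl, zones = None, {}
    for header, body in _top_level_blocks(conf):
        if header.startswith("options"):
            global_acl = _parse_acl(body)
        elif header.startswith("zone"):
            zones[header.split('"')[1]] = _parse_acl(body)
    return {
        name: (acl if acl is not None else global_acl,
               _classify(acl if acl is not None else global_acl))
        for name, acl in zones.items()
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for zone, (acl, finding) in audit_transfers(conf).items():
            print(f"[{label}] {zone}: {acl} -> {finding}")
```

The check is deliberately strict about `any`: a zone transfer is a full copy of the zone, so once DNS Express is the only host that needs AXFR access, the ACL should name that host, and preferably its TSIG key, rather than stay at the permissive value.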

Creating a DNS Express profile

Create a custom DNS profile to enable DNS Express only if you want to use a back-end DNS server. If you plan to use the BIND server on BIG-IP GTM, you can use the default dns profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
  2. Click Create. The New Fast L4 Profile screen opens.
  3. Name the profile dns_express. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. In the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box. The fields in the Settings area become available for configuring.
  6. In the Global Traffic Management list, accept the default value Enabled.
  7. From the DNS Express list, select Enabled.
  8. From the Unhandled Query Actions list, select an action to take when a query is not for a wide IP or DNS Express zone.
    Allow:    Forward the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
    Drop:     Do not reply.
    Reject:   Return the query with the REFUSED return code.
    Hint:     Return the query with a list of root name servers.
    No Error: Return the query with the NOERROR return code.
  9. From the Use BIND Server on BIG-IP list, select Disabled.
  10. Click Finished.
Assign the DNS profile to virtual servers or listeners.

Assigning a DNS Express profile to a virtual server

If you plan to use the BIND server on BIG-IP GTM, you can assign the default DNS profile (dns) to a virtual server. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the name of the virtual server you want to modify.
  3. From the DNS Profile list, select dns_express.
  4. Click Finished.
The traffic handled by this virtual server is protected by DNS Express.

Assigning a DNS Express profile to a listener

If you plan to use the BIND server on BIG-IP GTM, you can assign the default DNS profile (dns) to the listener. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the listener.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click the name of the listener you want to modify.
  3. From the DNS Profile list, select dns_express.
  4. Click Finished.

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express.

  1. On the Main tab, click Overview > Statistics > Local Traffic. The Local Traffic Statistics screen opens.
  2. From the Statistics Type list, select DNS Express Zones. Information displays about the zones that are protected by DNS Express.
    SOA Records:      Displays start of authority record information.
    Resource Records: Displays the number of resource records for the zone.

Implementation results

You now have an implementation in which BIG-IP GTM helps to mitigate DDoS attacks on your network.
