Manual Chapter: Introducing DNS Caching

About the Transparent DNS cache

You can configure a transparent cache on the BIG-IP system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.

A transparent cache in the BIG-IP system consolidates content that would otherwise be cached separately across multiple external resolvers. When a consolidated cache sits in front of external resolvers (each with its own cache), it can produce a much higher cache hit percentage.

F5 Networks recommends that you configure the BIG-IP system to forward queries that cannot be answered from the cache to a pool of local DNS servers rather than to the local BIND instance, because BIND performance is slower than using multiple external resolvers.

Note: For systems using the DNS Express feature, the BIG-IP system first processes the requests through DNS Express, and then caches the responses.
Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services.

About the Resolver DNS cache

You can configure a resolver cache on the BIG-IP system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the nameservers the system queries to resolve DNS queries.

Network architects should note that it is possible to configure the local BIND instance on the BIG-IP system to act as an external DNS resolver. However, F5 Networks does not recommend this approach, because BIND performs more slowly than a resolver cache.

Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services.

About the Validating Resolver DNS cache

You can configure a validating resolver cache on the BIG-IP system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.

Using the validating resolver cache, the BIG-IP system mitigates cache poisoning by performing DNSSEC validation of DNS responses. This is important, because attackers can attempt to populate a DNS cache with erroneous data that redirects clients to fake web sites or downloads malware and viruses to client computers. When an authoritative server signs a DNS response, the validating resolver verifies the data before entering it into the cache. Additionally, the validating resolver cache includes a built-in filter and detection mechanism that rejects unsolicited DNS responses.

Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services.

Configuring DNS cache global settings

Configure the global settings on the BIG-IP system to specify how the system manages the DNS caches you create.
  1. On the Main tab, click System > Configuration > Local Traffic > DNS. The DNS Local Traffic configuration screen opens.
  2. In the Minimum TTL field, type the minimum number of seconds you want the BIG-IP system to cache DNS resource records.
    Note: When you configure this setting, the BIG-IP system can cache resource records longer than the owner of the records intended.
  3. In the Maximum TTL field, type the number of seconds after which you want the BIG-IP system to re-query for resource records.
    Note: This setting allows the BIG-IP system to re-query for resource records sooner than the owner of the records intended.
  4. In the EDNS Buffer Size field, type the number of bytes you want the BIG-IP system to advertise as the EDNS buffer size in UDP queries. The default value of 4096 bytes is the default value for EDNS0.
  5. Click Update.
After you configure the DNS global settings, create at least one DNS cache.
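The following added example (not F5 code; a constructed model, with the `CacheGlobals`, `TransparentCache` and `clamp_effect` names assumed for illustration) shows how the Minimum TTL and Maximum TTL settings above act on a record's owner-assigned TTL before it is stored, and why the two Notes apply: the floor can keep a record past what its owner intended, and the ceiling forces an earlier re-query.

```python
"""Model of the BIG-IP DNS cache global TTL settings (constructed example).

The effective cache TTL is the owner's TTL clamped into [Minimum TTL, Maximum TTL].
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CacheGlobals:
    min_ttl: int  # seconds; the floor from the Minimum TTL field
    max_ttl: int  # seconds; the ceiling from the Maximum TTL field

    def __post_init__(self):
        # Assumption: a floor above the ceiling is a configuration error.
        if self.min_ttl < 0 or self.max_ttl < 0 or self.min_ttl > self.max_ttl:
            raise ValueError("Minimum TTL must be >= 0 and <= Maximum TTL")

    def effective_ttl(self, owner_ttl: int) -> int:
        """Clamp the owner's TTL into the configured window."""
        return max(self.min_ttl, min(owner_ttl, self.max_ttl))


@dataclass
class CachedRecord:
    name: str
    rtype: str
    rdata: str
    owner_ttl: int
    expires_at: int  # absolute time (seconds) at which the system re-queries upstream


class TransparentCache:
    """Minimal transparent-cache model: stores responses from external resolvers."""

    def __init__(self, settings: CacheGlobals):
        self.settings = settings
        self._entries: Dict[Tuple[str, str], CachedRecord] = {}

    def store(self, name: str, rtype: str, rdata: str, owner_ttl: int, now: int) -> CachedRecord:
        ttl = self.settings.effective_ttl(owner_ttl)
        rec = CachedRecord(name, rtype, rdata, owner_ttl, now + ttl)
        self._entries[(name.lower(), rtype)] = rec  # DNS names compare case-insensitively
        return rec

    def lookup(self, name: str, rtype: str, now: int) -> Optional[CachedRecord]:
        """Return the cached record, or None once it has expired (re-query needed)."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None or now >= entry.expires_at:
            self._entries.pop(key, None)
            return None
        return entry


def clamp_effect(settings: CacheGlobals, owner_ttl: int) -> str:
    """Which Note applies: 'extended' (Minimum TTL raised it), 'shortened' (Maximum TTL cut it), or 'unchanged'."""
    eff = settings.effective_ttl(owner_ttl)
    if eff > owner_ttl:
        return "extended"
    if eff < owner_ttl:
        return "shortened"
    return "unchanged"
```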