You can configure DNS Express on BIG-IP systems to mitigate distributed denial-of-service (DDoS) attacks and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.
DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This makes it possible for the system to:
Perform these tasks to configure DNS Express on your BIG-IP system.
When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express TSIG key.
|HMAC MD5||Produces a 128-bit hash sequence|
|HMAC SHA-1||Produces a 160-bit hash sequence|
|HMAC SHA-256||Produces a 256-bit hash sequence|
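How the shared TSIG secret lets a secondary check that zone data came from the expected authoritative server, as an added example that is not part of the F5 documentation. It is a simplified sketch: the MAC here covers only the raw message bytes (real TSIG, RFC 8945, also covers the key name, algorithm name and a timestamp), and the function names, algorithm mapping and sample message are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Algorithms from the table above, mapped to hashlib names (this example's own mapping).
ALGORITHMS = {"HMAC MD5": "md5", "HMAC SHA-1": "sha1", "HMAC SHA-256": "sha256"}


def generate_secret(algorithm: str) -> str:
    """Return a random base64 secret as long as the algorithm's digest."""
    size = hashlib.new(ALGORITHMS[algorithm]).digest_size
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def sign(message: bytes, secret_b64: str, algorithm: str) -> bytes:
    """Compute the MAC the sending server attaches to the message."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message, ALGORITHMS[algorithm]).digest()


def verify(message: bytes, mac: bytes, secret_b64: str, algorithm: str) -> bool:
    """Recompute the MAC on the receiving side and compare in constant time."""
    return hmac.compare_digest(sign(message, secret_b64, algorithm), mac)


def demo() -> dict:
    # Constructed sample that stands in for a zone-transfer message.
    message = b"example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2024010101"
    results = {}
    for name in ALGORITHMS:
        secret = generate_secret(name)
        mac = sign(message, secret, name)
        results[name] = {
            "mac_bits": len(mac) * 8,
            "genuine": verify(message, mac, secret, name),
            "tampered": verify(message + b" 2", mac, secret, name),
            "wrong_key": verify(message, mac, generate_secret(name), name),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Only the message signed with the matching secret verifies; a modified message or a sender holding a different key is rejected, which is the identity check the TSIG key provides.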
|Consume||The BIG-IP system processes the NOTIFY message and does not pass the NOTIFY message to the back-end DNS server.|
|Bypass||The BIG-IP system does not process the NOTIFY message, but instead sends the NOTIFY message to a back-end DNS server (subject to the DNS profile unhandled-query-action setting).|
|Repeat||The BIG-IP system processes the NOTIFY message and sends the NOTIFY message to a back-end DNS server.|
|Allow||The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)|
|Drop||The BIG-IP system does not respond to the query.|
|Reject||The BIG-IP system returns the query with the REFUSED return code.|
|Hint||The BIG-IP system returns the query with a list of root name servers.|
|No Error||The BIG-IP system returns the query with the NOERROR return code.|
You can view information about the zones that are protected by DNS Express.
|SOA Records||Displays start of authority record information.|
|Resource Records||Displays the number of resource records for the zone.|