Manual Chapter: Configuring DNS Express

Configuring DNS Express

How do I configure DNS Express?

You can configure DNS Express™ on BIG-IP® systems to mitigate distributed denial-of-service (DDoS) attacks against your DNS infrastructure and to answer many more queries per second than the local BIND server on the BIG-IP system or your back-end DNS servers can. DNS Express holds its own copy of each zone and answers for it authoritatively, so the primary servers are no longer in the path of every query.

What is DNS Express?

DNS Express™ provides the ability for a BIG-IP® system to act as a high-speed, authoritative secondary DNS server. This makes it possible for the system to:

  • Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
  • Perform a zone transfer from the local BIND server on the BIG-IP system.
  • Serve DNS records faster than the primary DNS servers.

Task summary

Perform these tasks to configure DNS Express™ on your BIG-IP® system.

Configuring a back-end DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server configuration files, review the fifth edition of DNS and BIND, available from O’Reilly Media.
To configure a back-end DNS server to allow zone file transfers to the BIG-IP® system, add to the zone statement on the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system.
You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system:
allow-transfer { localhost; <self IP address of BIG-IP system>; };
An address match list checks only the source address of the transfer request, which is easy to spoof on a network segment an attacker can reach. If you also create a DNS Express TSIG key (next task), add a key clause naming that key to the allow-transfer statement so that a transfer must carry a valid signature, and add the self IP address to the zone's also-notify statement so the primary tells the BIG-IP system when the zone changes.

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone file transfers using TSIG keys.

When you want the BIG-IP system to verify that zone transfers and NOTIFY messages really come from the authoritative server for the zone, create a DNS Express™ TSIG key. Its name, algorithm, and secret must match the key configured on that server.

Note: This step is optional. Without it, the only check on a zone transfer is the source IP address.
  1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List .
    The DNS Express TSIG Key List screen opens.
  2. Click Create.
    The New DNS Express TSIG Key screen opens.
  3. In the Name field, type a name for the key.
  4. From the Algorithm list, select one of the following.
    The algorithm is an HMAC: a hash function keyed with the shared secret, computed over the DNS message. The system uses it to verify that a zone transfer or NOTIFY message was produced by a server that holds the same secret.
    Algorithm      Description
    HMAC MD5       Produces a 128-bit hash sequence
    HMAC SHA-1     Produces a 160-bit hash sequence
    HMAC SHA-256   Produces a 256-bit hash sequence
    Select HMAC SHA-256 unless the primary server cannot support it; RFC 8945 deprecates HMAC MD5 for TSIG, and the algorithm must be the same on both sides of the transfer.
  5. In the Secret field, type the base64-encoded secret of the key.
    Note: The BIG-IP system does not generate the secret. Create it with a third-party tool such as BIND's tsig-keygen utility (dnssec-keygen in older BIND releases) and use the identical string on the back-end DNS server.
  6. Click Finished.
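The allow-transfer statement on the primary and the TSIG key on the BIG-IP system only help if the secret is generated well and the signature is actually checked. The script below is an added example and is not part of this manual, nor BIG-IP or BIND code: it generates a secret of the kind tsig-keygen prints, renders the named.conf fragment the primary needs, and then signs and verifies a NOTIFY message with a TSIG RR as RFC 8945 specifies, which is what the BIG-IP system validates for the Consume and Repeat NOTIFY actions and on zone transfers. The key name bigip-axfr, the self IP address 10.1.1.5 and the zone example.com are assumptions, and the NOTIFY message is constructed inside the script.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# TSIG algorithm names as they appear on the wire (IANA TSIG algorithm registry);
# these are the three the BIG-IP "Algorithm" list offers.
ALGORITHMS = {
    "hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
    "hmac-sha1": ("hmac-sha1.", hashlib.sha1),
    "hmac-sha256": ("hmac-sha256.", hashlib.sha256),
}
TSIG_TYPE, CLASS_ANY, DEFAULT_FUDGE = 250, 255, 300

def generate_secret(nbytes=32):
    """Random shared secret, base64-encoded the way tsig-keygen prints it."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")

def bind_statements(key_name, algorithm, secret, self_ip):
    """named.conf fragment for the primary: the key, plus zone-level statements that
    require a signed transfer and send NOTIFY to the BIG-IP self IP (hypothetical values)."""
    return ('key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n'
            '// inside the zone statement:\n'
            'allow-transfer { key "%s"; };\nalso-notify { %s; };\n'
            % (key_name, algorithm, secret, key_name, self_ip))

def wire_name(name):
    """Canonical wire form of a domain name: lowercase, uncompressed."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _skip_name(buf, pos):
    """Offset just past the name at pos (a compression pointer ends the name)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def tsig_mac(secret, algorithm, key_name, message, time_signed, fudge, error=0, other=b""):
    """RFC 8945 s4.3.3: HMAC over the unsigned message followed by the TSIG variables."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    variables = (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)   # NAME, CLASS ANY, TTL 0
                 + wire_name(alg_name)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, error, len(other)) + other)
    return hmac.new(base64.b64decode(secret), message + variables, digestmod).digest()

def tsig_sign(message, key_name, algorithm, secret, time_signed=None, fudge=DEFAULT_FUDGE):
    """Append a TSIG RR to an unsigned DNS message and bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = tsig_mac(secret, algorithm, key_name, message, time_signed, fudge)
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHMS[algorithm][0])
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))           # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def tsig_verify(signed, key_name, secret, now=None):
    """True only if the last RR is a TSIG for our key, its MAC matches, and the
    timestamp is inside the fudge window (so a captured message cannot be replayed later)."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
        if ar == 0:
            return False
        pos = 12
        for _ in range(qd):
            pos = _skip_name(signed, pos) + 4
        for _ in range(an + ns + ar - 1):                              # every RR before the TSIG
            pos = _skip_name(signed, pos)
            pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
        tsig_start, name_end = pos, _skip_name(signed, pos)
        rtype = struct.unpack("!H", signed[name_end:name_end + 2])[0]
        if rtype != TSIG_TYPE or signed[tsig_start:name_end].lower() != wire_name(key_name):
            return False
        rd = name_end + 10
        alg_end = _skip_name(signed, rd)
        algorithm = next((a for a, (n, _) in ALGORITHMS.items()
                          if wire_name(n) == signed[rd:alg_end].lower()), None)
        if algorithm is None:
            return False
        hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
        mac = signed[alg_end + 10:alg_end + 10 + mac_size]
        p = alg_end + 10 + mac_size
        original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
        other = signed[p + 6:p + 6 + other_len]
    except (IndexError, struct.error):
        return False
    # Rebuild the message as it was before signing: original ID, ARCOUNT - 1, no TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    time_signed = (hi << 32) | lo
    expected = tsig_mac(secret, algorithm, key_name, unsigned, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge

def build_notify(zone, msg_id=0x1234):
    """Minimal NOTIFY (opcode 4, AA set) for the zone: what the primary sends DNS Express."""
    return (struct.pack("!HHHHHH", msg_id, 0x2400, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", 6, 1))

if __name__ == "__main__":
    secret = generate_secret()
    print(bind_statements("bigip-axfr", "hmac-sha256", secret, "10.1.1.5"))
    notify = tsig_sign(build_notify("example.com."), "bigip-axfr", "hmac-sha256", secret)
    print("right secret:", tsig_verify(notify, "bigip-axfr", secret))
    print("wrong secret:", tsig_verify(notify, "bigip-axfr", generate_secret()))
```

Two points carry over to the BIG-IP configuration. The MAC is computed over the whole message plus the key name, algorithm and timestamp, so the key name and algorithm typed on the BIG-IP system must match the primary exactly, not just the secret. And the fudge window is the only replay protection TSIG offers, so the clocks on the primary and the BIG-IP system need to agree to well within 300 seconds or valid NOTIFY messages and transfers will be rejected.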

Creating a DNS Express zone

If you are using back-end DNS servers, ensure that those servers are configured for zone transfers.
To implement DNS Express™ on a BIG-IP® system, create a DNS Express zone.
  1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List .
    The DNS Express Zone List screen opens.
  2. Click Create.
    The New DNS Express Zone screen opens.
  3. In the Name field, type a name for the DNS Express zone.
  4. In the Target IP Address field, type the IP address of the current master DNS server for the zone from which you want to transfer records.
    The default value 127.0.0.1 is for the BIND server on the BIG-IP system.
  5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.
  6. To specify what the BIG-IP system does when it receives a NOTIFY message for a configured DNS Express zone, from the Notify Action list, select one of the following.
    Action    Description
    Consume   The NOTIFY is handled only by DNS Express. This is the default value.
    Bypass    The NOTIFY is not handled by DNS Express; it goes to a back-end DNS resource instead (subject to the DNS profile's unhandled-query-action).
    Repeat    The NOTIFY is handled by DNS Express and also passed to a back-end DNS resource.
    Tip: If a TSIG Key is configured, the NOTIFY signature is validated only for the Consume and Repeat actions. The NOTIFY response is expected to come from a back-end DNS resource, except when the action is Consume, in which case DNS Express generates the response.
  7. Click Finished.

Enabling DNS Express

Create a custom DNS profile with DNS Express™ enabled and assign it to a listener or virtual server only if you want a back-end DNS server to resolve the queries that are not for wide IPs or DNS Express zones.
Note: If you plan to use the BIND server on BIG-IP GTM™ for those queries instead, you can use the default dns profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS .
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. Name the profile dns_express.
  4. In the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
    The fields in the Settings area become available for revision.
  6. In the Global Traffic Management list, accept the default value Enabled.
  7. From the DNS Express list, select Enabled.
  8. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.
    Option     Description
    Allow      The BIG-IP system forwards the query to another DNS server or DNS server pool. If no DNS server pool is associated with the listener and Use BIND Server on BIG-IP is enabled, the query is forwarded to the local BIND server. This is the default value.
    Drop       The BIG-IP system does not respond to the query.
    Reject     The BIG-IP system responds with the REFUSED return code.
    Hint       The BIG-IP system responds with a list of root name servers.
    No Error   The BIG-IP system responds with the NOERROR return code.
  9. From the Use BIND Server on BIG-IP list, select Disabled.
  10. Click Finished.
Assign the profile to virtual servers or listeners.

Assigning a DNS profile to a virtual server

If you plan to use the BIND server on the BIG-IP® system, you can assign the default DNS profile (dns) to a virtual server. If you plan to use a back-end DNS server and you created a custom DNS profile for DNS Express, you can assign it to the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the name of the virtual server you want to modify.
  3. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
  4. Click Finished.
The traffic handled by this virtual server is protected by DNS Express.
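Once the profile is assigned, confirm from a client that the virtual server answers for the zone from DNS Express rather than from a forwarder or the BIND server, and that its copy of the zone is current. The script below is an added example, not part of this manual: it sends an SOA query with recursion disabled to the primary and to the virtual server, parses the AA flag and the SOA serial out of each reply, and reports whether the two are in sync. SAMPLE_SOA_REPLY is a constructed reply used to exercise the parser offline; the server addresses are taken from the command line and are assumptions.

```python
import os
import socket
import struct
import sys

SOA, IN = 6, 1

def wire_name(name):
    """Uncompressed wire form of a domain name, lowercased."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _skip_name(buf, pos):
    """Offset just past the name at pos; a compression pointer (0xC0..) ends the name."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def build_soa_query(zone, msg_id=None):
    """SOA/IN query with RD clear: we want the server's own authoritative data, not a cached copy."""
    if msg_id is None:
        msg_id = struct.unpack("!H", os.urandom(2))[0]
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", SOA, IN))

def parse_soa_response(response):
    """Return (aa, rcode, serial); serial is None when the answer section has no SOA."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    pos = 12
    for _ in range(qd):
        pos = _skip_name(response, pos) + 4
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == SOA:
            p = _skip_name(response, pos)      # MNAME
            p = _skip_name(response, p)        # RNAME
            return aa, rcode, struct.unpack("!I", response[p:p + 4])[0]
        pos += rdlen
    return aa, rcode, None

def query_soa(server, zone, timeout=3.0):
    """Send the query over UDP to port 53 and parse the reply (needs network access)."""
    query = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply ID does not match query ID")
    return parse_soa_response(reply)

def compare_zone_serials(primary_answer, bigip_answer):
    """Verdict from the two parsed answers: the BIG-IP must answer authoritatively with the primary's serial."""
    _, _, p_serial = primary_answer
    b_aa, b_rcode, b_serial = bigip_answer
    if b_rcode != 0 or b_serial is None:
        return "bigip-not-serving"          # DNS Express has no copy of the zone: transfer never happened
    if not b_aa:
        return "bigip-not-authoritative"    # answer came from a forwarder or cache, not DNS Express
    if p_serial != b_serial:
        return "serial-mismatch"            # BIG-IP is behind: NOTIFY not delivered or transfer refused
    return "in-sync"

# Constructed reply for "example.com. SOA" as a primary would send it, with name
# compression pointers back to the question name at offset 12 (sample data, not captured).
SAMPLE_SOA_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)            # QR + AA, 1 question, 1 answer
    + wire_name("example.com.") + struct.pack("!HH", SOA, IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, 39)
    + b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"                 # MNAME, RNAME
    + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 300)   # serial, refresh, retry, expire, minimum
)

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_zone.py <primary IP> <BIG-IP virtual server IP> <zone>")
    primary, bigip, zone = sys.argv[1:4]
    print(compare_zone_serials(query_soa(primary, zone), query_soa(bigip, zone)))
```

Run it right after a change on the primary as well as at steady state: "serial-mismatch" immediately after an update is expected until the NOTIFY and transfer complete, but a mismatch that persists means the primary's allow-transfer or also-notify configuration, or the TSIG key, does not match what the BIG-IP system expects. "bigip-not-authoritative" usually means the virtual server is forwarding the query under the Unhandled Query Action instead of serving it from the DNS Express zone.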

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express™.

  1. On the Main tab, click Statistics > Module Statistics > Local Traffic .
    The Local Traffic Statistics screen opens.
  2. From the Statistics Type list, select DNS Express Zones.
    Information displays about the DNS Express zones.
    Record type        Description
    SOA Records        Displays start of authority record information.
    Resource Records   Displays the number of resource records for the zone.

Implementation result

You now have an implementation in which the BIG-IP® system helps to mitigate DDoS attacks against your DNS infrastructure and answers queries for the configured zones itself, faster than the primary servers and without forwarding each query to them.
