You can configure DNS Express on BIG-IP systems to mitigate distributed denial-of-service (DDoS) attacks and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.
DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This makes it possible for the system to:
Perform these tasks to configure DNS Express on your BIG-IP system.
When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express TSIG key.
| Algorithm | Description |
|---|---|
| HMAC MD5 | Produces a 128-bit hash sequence |
| HMAC SHA-1 | Produces a 160-bit hash sequence |
| HMAC SHA-256 | Produces a 256-bit hash sequence |
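The following added example (not F5 code, and not part of the original page) shows what a TSIG key buys you: the sender computes an HMAC over the DNS message plus the TSIG variables defined in RFC 8945, and the receiver recomputes it to reject forged, altered, or stale messages. The key name, secret, NOTIFY message, and timestamps are constructed sample values, and only the request-signing case is modeled.

```python
import hashlib
import hmac
import struct

# TSIG algorithm names on the wire, mapped to the digests in the table above.
ALGS = {"hmac-md5.sig-alg.reg.int": hashlib.md5,
        "hmac-sha1": hashlib.sha1,
        "hmac-sha256": hashlib.sha256}

def wire_name(name):
    """Encode a domain name in lowercase DNS wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(secret, key_name, alg, message, time_signed, fudge):
    """HMAC over the DNS message followed by the TSIG variables (RFC 8945)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
                 + wire_name(alg)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                               fudge, 0, 0))  # 48-bit time, fudge, error, other len
    return hmac.new(secret, message + variables, ALGS[alg]).digest()

def verify(secret, key_name, alg, message, time_signed, fudge, mac, now):
    """Receiver-side check: MAC first, then the signing-time window."""
    expected = tsig_mac(secret, key_name, alg, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "OK"

# Constructed sample data: a NOTIFY for example.com and a made-up shared secret.
SECRET = b"constructed-shared-secret-for-demo"
KEY_NAME = "xfr-key.example.com"
NOTIFY = (struct.pack("!HHHHHH", 0x1234, 0x2400, 1, 0, 0, 0)
          + wire_name("example.com") + struct.pack("!HH", 6, 1))  # SOA, IN
SIGNED_AT, FUDGE = 1700000000, 300

def demo(alg="hmac-sha256"):
    mac = tsig_mac(SECRET, KEY_NAME, alg, NOTIFY, SIGNED_AT, FUDGE)
    def check(secret=SECRET, msg=NOTIFY, now=SIGNED_AT + 5):
        return verify(secret, KEY_NAME, alg, msg, SIGNED_AT, FUDGE, mac, now)
    return {"mac_bits": len(mac) * 8,
            "genuine": check(),
            "tampered": check(msg=NOTIFY.replace(b"example", b"exbmple")),
            "wrong_key": check(secret=b"other-secret"),
            "stale": check(now=SIGNED_AT + 3600)}

if __name__ == "__main__":
    print(demo())
```

Of the three algorithms in the table, HMAC SHA-256 is the one RFC 8945 recommends for use.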

| Value | Description |
|---|---|
| Consume | The NOTIFY query is seen only by DNS Express. This is the default value. |
| Bypass | Queries do not go to DNS Express, but instead go to any backend DNS resource (subject to DNS profile unhandled-query-action). |
| Repeat | The NOTIFY query goes to both DNS Express and any backend DNS resource. |

| Value | Description |
|---|---|
| Allow | The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.) |
| Drop | The BIG-IP system does not respond to the query. |
| Reject | The BIG-IP system returns the query with the REFUSED return code. |
| Hint | The BIG-IP system returns the query with a list of root name servers. |
| No Error | The BIG-IP system returns the query with the NOERROR return code. |
You can view information about the zones that are protected by DNS Express.
| Field | Description |
|---|---|
| SOA Records | Displays start of authority record information. |
| Resource Records | Displays the number of resource records for the zone. |