12/4/2017 DNS Express and Zone Transfers

TECHNICAL ARTICLE

DNS Express and Zone Transfers


Updated 4 months ago • Originally posted on 27-Feb-2014 by John Wagnon F5
article application delivery big-ip dns dns dnsexpress gtm ltm security techtip

  

This is the third in a series of DNS articles that I'm writing. The first two are:

1. Let's Talk DNS on DevCentral
2. DNS The F5 Way: A Paradigm Shift

DNS Express is a relatively new feature (it showed up in v11.1), and it's one of the more powerful features offered by the BIG-IP. DNS Express allows you to transfer DNS zones from your current infrastructure to the BIG-IP. The BIG-IP can then answer requests for those zones...and do it at blazingly fast speeds! Another benefit of DNS Express is that it doesn't run full BIND, so it's not as vulnerable as a typical BIND infrastructure. Related note: as of the date of this article, BIND alone had 71 different CVE vulnerabilities (41 of those were DoS-specific).

With all this greatness at our fingertips, I want to show you how to provision the Global Traffic Manager (GTM), create a zone, configure DNS Express, and show a successful zone transfer. I'll be using BIND from the GTM as the Master server (disclaimer: I'm doing this in my virtual lab setup, but you wouldn't normally do this in a production environment).

Provision GTM
First, navigate to System >> Resource Provisioning and check the box for Global Traffic (GTM). Make sure that this module is licensed (keep in mind that you will have to restart your BIG-IP once you provision GTM). See the screenshot below for details.

If GTM is not licensed, then talk to your Sales Engineer. By the way, you can take advantage of our new Good, Better, Best licensing model and save yourself time and money. If you get the "Best" option, then you basically get all the modules F5 has to offer!


Create a Listener
Once GTM is provisioned, it's time to create a listener for the DNS requests (navigate to Global Traffic >> Listeners). I used the address from my external VLAN as the listener address, but in a production environment you would choose a different listener address.

When creating a Listener, you need to choose a DNS Profile that has DNS Express enabled. I verified that DNS Express was enabled on the profile listed below (dns). You can enable/disable options like IPv6 to IPv4 translation, DNS Express, DNSSEC, etc. in the DNS profile. So, make sure you configure your DNS profile correctly prior to selecting it when creating a Listener.


Configure ZoneRunner

Now that the listener is created and configured, you can use the ZoneRunner utility to manage your DNS zones and resource records. You can do several things with ZoneRunner, including:

configuring a zone
configuring the resource records that make up that zone
configuring a view for access control
configuring options in the named.conf file

I created a master zone and named it "dnstest.com" and then configured the SOA Record and NS Record details (TTL values, server names, etc.). I also created two A records (www.dnstest.com and ftp.dnstest.com) and associated IP addresses with each. You can see the details of the zone in the screenshot below:


After I created the zone, I configured the Named Configuration file to allow zone transfers from the local host. You can view/modify the named.conf file directly from the GUI by navigating to Global Traffic >> ZoneRunner >> Named Configuration. The named configuration file also updates automatically as you make changes in the other areas of the ZoneRunner utility, so you don't always have to configure it directly. In my case, I simply viewed the file to ensure the "allow-transfer localhost" entry was there...and it was! This entry was required for the BIND server to transfer the zone information for dnstest.com to the DNS Express module. In my lab setup, I used BIND from GTM as the Master server, but in a production environment, the Master BIND server would probably reside on an external server.


 
In a typical setup where you host zones external to the BIG-IP, you would have to add the following zone statement to the master's named.conf. In my case, I didn't have to add this because I set up everything on the BIG-IP.

zone "dnstest.com"
{
    type master;
    file "/var/lib/bind/dnstest.com.hosts"; // absolute path to the zone file (the original omitted the leading slash)
    also-notify {1.1.1.1;};    // where 1.1.1.1 is the listener address
    allow-transfer {1.1.1.2;}; // where 1.1.1.2 is the self IP
};
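As an added example (not from the article or F5), the following Python script audits the zone statements in a named.conf fragment for the two settings this setup relies on: allow-transfer limited to the BIG-IP self IP, and also-notify pointing at the DNS Express listener. The sample configuration, the 1.1.1.x addresses and all function names are constructed for the example; the parser assumes each zone statement closes with `};` at the start of a line, as in the snippet above.

```python
import re
from typing import Dict, List, Optional

# Constructed named.conf fragment: the article's zone statement plus a weak one.
SAMPLE_NAMED_CONF = """
zone "dnstest.com"
{
    type master;
    file "/var/lib/bind/dnstest.com.hosts";
    also-notify {1.1.1.1;};    // 1.1.1.1 is the DNS Express listener
    allow-transfer {1.1.1.2;}; // 1.1.1.2 is the BIG-IP self IP
};
zone "weak.example"
{
    type master;
    file "/var/lib/bind/weak.example.hosts";
    allow-transfer { any; };   /* whole zone readable by anyone */
};
"""
# A zone statement ends with "};" at the start of a line (as in the article's snippet).
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)^\}\s*;', re.S | re.M)

def strip_comments(text: str) -> str:
    """named.conf allows /* */, // and # comments; drop them before parsing."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def address_list(body: str, clause: str) -> Optional[List[str]]:
    """Address tokens of `clause { a; b port 5353; };`, or None if the clause is absent."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % clause, body)
    if m is None:
        return None
    return [e.split()[0] for e in m.group(1).split(';') if e.strip()]  # drop "port N" etc.

def check(body: str, clause: str, allowed: set, what: str) -> List[str]:
    """Findings for one address-match clause against the hosts it should name."""
    entries = address_list(body, clause)
    if entries is None:
        return [f'{clause} missing (expected the {what})']
    if 'any' in entries:
        return [f'{clause} is "any" (should be only the {what})']
    return [f'{clause} includes {e}, not the {what}' for e in entries if e not in allowed]

def audit_zone_transfers(conf: str, self_ips: set, listener_ips: set) -> Dict[str, List[str]]:
    """Findings per master zone; an empty list means the zone matches the intended setup."""
    report: Dict[str, List[str]] = {}
    for name, body in ZONE_RE.findall(strip_comments(conf)):
        if re.search(r'\btype\s+(master|primary)\s*;', body):  # DNS Express pulls from masters
            report[name] = (check(body, 'allow-transfer', self_ips, 'BIG-IP self IP')
                            + check(body, 'also-notify', listener_ips, 'DNS Express listener'))
    return report
```

Running `audit_zone_transfers(SAMPLE_NAMED_CONF, {'1.1.1.2'}, {'1.1.1.1'})` reports no findings for dnstest.com and two for weak.example (open transfers, no notify target).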

 
 

DNS Express
DNS Express provides the ability for a BIG-IP to act as a high speed, authoritative secondary DNS server. This allows the BIG-IP to perform zone transfers from multiple primary DNS servers that are responsible for different zones, perform a zone transfer from the local BIND server on the BIG-IP, and serve DNS records faster than the primary DNS servers and the local BIND server.

To use DNS Express, you need to create a DNS Express zone. Then, you can transfer zone records from the local BIND server or back-end DNS servers to DNS Express. In order to set up a DNS Express Zone, navigate to Local Traffic >> DNS Express Zones >> DNS Express Zone List and create a new zone. Note that DNS Express is configured under "Local Traffic" as part of the Local Traffic Manager (LTM). The best practice is to use the name that appears at the apex of a BIND zone file (in my case, dnstest.com). The name must begin with a letter and can contain only letters, numbers, and the underscore character (it doesn't have to contain each of these, but it can't contain anything other than these characters). The Target IP Address is the address of the DNS server from which you want to transfer records. In my setup, I used the default value (127.0.0.1), which is the BIND server on the BIG-IP. The Notify Action setting of "consume" means that NOTIFY queries are only seen by DNS Express...you can think of it as DNS Express "consuming" all the NOTIFY queries so the backend DNS resources never have to handle them. This is the default setting...and it's awesome!

The Test...
After everything had been configured, the zone records should have been transferred to DNS Express. In order to test this, I used the "dnsxdump" command from the CLI to verify that all the records were in the DNS Express database. As you can see in the screenshot below, all the records transferred correctly!


In addition, I checked /var/log/ltm for the zone transfer message. As you can see in the screenshot below, the zone transfer (AXFR Transfer of zone dnstest.com) succeeded!

Now that you know how to configure DNS Express, you have no reason not to use it...so get out there, get it configured, and let the BIG-IP provide you with the best DNS performance you've ever experienced!

I also created a quick video showing how to do all the things I just wrote about in this article (provision GTM, create a listener, create a zone, etc). So, if
you're more of a "hands-on, visual learner" check out the video...it's located here: https://devcentral.f5.com/videos/dns-express-and-zone-transfers

Well, that wraps it up for this article. I'll be back soon with more BIG-IP and GTM articles, so check back often!

Comments on this Article

Comment made 28-Feb-2014 by Mohamed Lrhazi


I thought DNS Express was a feature of LTM, not GTM.
 0 

Comment made 28-Feb-2014 by John Wagnon F5


Mohamed, I wanted to clarify the DNS Express question. DNS Express is not a feature of LTM...it either comes in BIG-IP GTM (or DNS SKUs) or it comes in the DNS Services add-on module to LTM. So it's available on LTM either as GTM add-on, DNS Services add-on module, or it comes in a standalone GTM/DNS. I hope this clarifies for you. (and, thanks to Jonathan George for the awesome info on this answer!)
 0 

Comment made 19-Jan-2015 by kva


John, thank you for a great article. I do have a related question - maybe you can point me in the right direction. For internal DNS we sync our GTMs' DNS Express with AD Integrated DNS that is managed by another team. By default, CNAMES that point to the names of servers in AWS are not being resolved to an IP by DNS Express (in contrast to the behavior of the AD integrated DNS). Would there be some way to allow these to be resolved, besides using iRules or Wide IPs? (Thinking along the lines of some Notify Action setting or an unhandled query action.) I am looking for something that would not require us to touch DNS entries after they are added to AD integrated DNS by the server team, but still be able to use the great performance boost of DNS Express.
 0 

Comment made 11-May-2016 by John Heyer


kva - I just left a reply on your thread: https://devcentral.f5.com/questions/dns-express-and-cnames-to-aws-servers
 0 

Comment made 1 week ago by Marius Schmid


For those that are using this article as a resource for getting familiar with BIG-IP DNS and therefore are using the same setup (BIG-IP running BIND as the master and DNS Express as slave on the same machine), one short hint:

To be able to automatically update DNS Express through NOTIFY messages from the local BIND, you have to use the following command in the configuration of named.conf, otherwise it won't work:

also-notify {
    ::1 port 5353;
};

Also notice that it really needs to be ::1, since 127.0.0.1 did not work for me, even if I was just using IPv4 for all the listeners and stuff. See also the following link, section "Configuring local BIND to send NOTIFY messages to DNS Express":

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-5-0/1.html

 0 

