ltm dns cache validating-resolver

ltm dns cache validating-resolver(1)			BIG-IP TMSH Manual		      ltm dns cache validating-resolver(1)

NAME
       validating-resolver - Configures a DNS cache with a resolver and validator on the BIG-IP(r) system.

MODULE
       ltm dns cache

SYNTAX
       Configure the validating-resolver DNS cache component within the ltm dns cache module using the syntax in the following
       sections.

   CREATE/MODIFY
	create validating-resolver [name]
	modify validating-resolver [name]
	  options:
	    allowed-query-time [integer]
	    answer-default-zones [yes | no]
	    app-service [[string] | none]
	    description [[string] | none]
	    dlv-anchors {
	       { [DNSKEY or DS RR string] ... }
	    }
	    forward-zones [add | delete | modify | replace-all-with] {
	      [ [zone-name] ] {
		options:
		  nameservers [add | delete | replace-all-with] {
		    [ [IPv4address:port] | [IPv6address.port] ]
		  }
		  nameservers none
	      }
	    }
	    forward-zones none
	    ignore-cd [yes | no]
	    key-cache-size [integer]
	    local-zones [ [none] |
		  [ { { name [dname] type [type] records [none | add { [RR string] ...} ] } ... } ] ]
	    max-concurrent-queries [integer]
	    max-concurrent-udp [integer]
	    max-concurrent-tcp [integer]
	    msg-cache-size [integer]
	    nameserver-cache-count [integer]
	    prefetch-key [yes | no]
	    randomize-query-name-case [yes | no]
	    response-policy-zones [add | delete | modify] {
	      [zone-name] {
		 action [nxdomain | walled-garden]
		 walled-garden [local-zone]
	      }
	    }
	    response-policy-zones none
	    root-hints {
	       { [IP address] ... }
	    }
	    route-domain [name]
	    rrset-cache-size [integer]
	    rrset-rotate [none | query-id]
	    trust-anchors {
	       { [DNSKEY or DS RR string] ... }
	    }
	    unwanted-query-reply-threshold [integer]
	    use-ipv4 [yes | no]
	    use-ipv6 [yes | no]
	    use-tcp [yes | no]
	    use-udp [yes | no]

   DISPLAY
	list validating-resolver
	list validating-resolver [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	show validating-resolver [name]

   DELETE
	delete validating-resolver [name]

DESCRIPTION
       You can use the validating-resolver component to configure and view information about a validating recursive-resolving DNS
       cache. A resolving and validating cache performs recursive resolution to fill its cache and uses DNSSEC to ensure the
       integrity of the data.

       Important: When sizing caches, consider the total amount of memory available and how you wish to allocate memory for DNS
       caching. Note that cache sizing values are per-TMM process; therefore, a platform with eight TMMs consumes the amount of
       memory set for the resource record set cache times eight.

EXAMPLES
       list validating-resolver myCache

       Displays the properties of the validating recursive-resolving DNS cache myCache.

       modify validating-resolver myCache local-zones { { name lz.example.net records add { "lz.example.net 60 IN A 127.0.0.1"
       "www.lz.example.net 300 IN A 127.0.0.2" } } }

       Modifies DNS cache myCache by adding a local-zone lz.example.net with 2 resource records.

OPTIONS
       allowed-query-time
	    Specifies the time allowed for a query to stay in the queue before it is replaced by a new query when the number of
	    concurrent distinct queries exceeds the limit. The default value is 200 milliseconds.

       answer-default-zones
	    Specifies whether the validating resolver cache answers queries for default zones: localhost, reverse 127.0.0.1 and
	    ::1, and AS112 zones. The default value is no.

       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       description
	    User defined description.

       dlv-anchors
	    Deprecated

       forward-zones
	    Adds, deletes, modifies, or replaces a set of forward zones on a DNS Cache, by specifying zone name(s). A given zone
	    name should only use the symbols allowed for a fully qualified domain name (FQDN), namely ASCII letters a through z,
	    digits 0 through 9, hyphen (-), and period (.). For example, site.example.com would be a valid zone name.

	    A DNS Cache configured with a forward zone will forward any queries that result in a cache-miss (the answer was not
	    available in the cache) and match a configured zone name, to the nameserver specified on the zone. If no nameservers
	    are specified on the zone, an automatic SERVFAIL is returned. When a forward zone's nameserver returns a valid
	    response to the DNS Cache, that response is cached and then returned to the requester.

	    nameservers
		 Adds, deletes, or replaces a set of nameservers in a forward zone on a DNS Cache. A nameserver is represented by
		 an IP address and port in the format [IPv4:port] or [IPv6.port], for example 10.10.10.10:53 or 2001::1:ff.53,
		 respectively.

		 If more than one nameserver is listed for a given forward zone, a matching query will be sent to the nameserver
		 that is currently deemed the most responsive (based on RTTs). If no response is received within a certain window
		 of time, the DNS Cache will resend the query to another nameserver with an increased wait window until a response
		 is received.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.

       ignore-cd
	    When enabled, the system ignores the Checking Disabled setting on client queries, performs validation, and returns
	    only secure answers. The default value is no.

       key-cache-size
	    Specifies the maximum size in bytes of the DNSKEY cache. The default value is 1048576.

       local-zones
	    Zones and associated resource records for which the cache will provide Authoritative responses. Default is empty. This
	    is intended for small, simple authoritative data configurations.

	    The local-zone name must be fully qualified and should be the apex of the zone. The local-zone type may be one of the
	    following: deny, refuse, static, transparent, type-transparent, or redirect. Zero or more resource records must be
	    fully specified: name, ttl, class, type, and record data, separated by spaces, and within double quotes. For example,
	    "www.example.net. 300 IN A 1.2.3.4".

	    For all local-zones types, if the DNS query matches, it is answered Authoritatively. How a non-matching query is
	    handled depends on the local-zone type.

	    deny drops the query.

	    refuse sends a REFUSED response.

	    static sends either a NoData or NXDOMAIN response (includes SOA if present in local-zone).

	    transparent performs regular cache operation (i.e. transparent pass-through or iterative resolution) except for those
	    query names which would result in NoData. This is the default local-zone type.

	    type-transparent behaves like transparent but does not return NoData.

	    redirect returns responses with zone suffix record(s) for queries beneath that suffix. For example, a local-zone for
	    example.com and a single A record for that name; queries for www.example.com or abc.www.example.com would return the
	    single A record (both have the same suffix).
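The following Python helper is an added example, not F5 code and not part of this manual. It applies the rules stated above for forward-zones (zone names limited to FQDN symbols; nameservers written as IPv4:port or IPv6.port) and for local-zones (each record fully specified as name, ttl, class, type and record data) and then emits a single `modify validating-resolver` line in the shape shown in the SYNTAX and EXAMPLES sections. The zone names, addresses and records are constructed sample values; the exact nesting of `forward-zones add { zone { nameservers add { ... } } }` is taken from the SYNTAX section and has not been checked against a live BIG-IP, so treat that command shape as an assumption.

```python
import ipaddress
import re

# Symbols the forward-zones description permits in a zone name:
# ASCII letters, digits, hyphen and period (a trailing period is tolerated).
_ZONE_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def is_valid_zone_name(name: str) -> bool:
    """True if `name` uses only FQDN-legal symbols and contains no empty labels."""
    if not _ZONE_RE.match(name):
        return False
    return all(name.rstrip(".").split("."))


def parse_nameserver(spec: str) -> tuple:
    """Parse the tmsh nameserver form: IPv4:port (10.10.10.10:53) or
    IPv6.port (2001::1:ff.53).  Returns (address, port) or raises ValueError."""
    host, sep, port = spec.rpartition(":")
    if sep and "." in host:            # an IPv4 literal contains dots, never colons
        addr = ipaddress.IPv4Address(host)
    else:                              # IPv6 literal: the port follows the last period
        host, sep, port = spec.rpartition(".")
        if not sep:
            raise ValueError(f"no port in nameserver {spec!r}")
        addr = ipaddress.IPv6Address(host)
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return str(addr), port_num


def parse_rr(rr: str) -> dict:
    """Split a fully specified record string 'name ttl class type rdata' into fields."""
    fields = rr.split()
    if len(fields) < 5:
        raise ValueError(f"record needs name ttl class type rdata: {rr!r}")
    name, ttl, rclass, rtype = fields[:4]
    if not ttl.isdigit():
        raise ValueError(f"ttl must be an integer: {rr!r}")
    return {"name": name, "ttl": int(ttl), "class": rclass.upper(),
            "type": rtype.upper(), "rdata": " ".join(fields[4:])}


def build_modify_command(cache: str, forward_zones: dict, local_zones: list) -> str:
    """Validate the inputs and return one `modify validating-resolver` line.

    forward_zones: {zone-name: [nameserver spec, ...]}
    local_zones:   [(zone-name, local-zone type, [record string, ...]), ...]
    """
    parts = ["modify", "validating-resolver", cache]
    if forward_zones:
        fz = []
        for zone, servers in forward_zones.items():
            if not is_valid_zone_name(zone):
                raise ValueError(f"bad zone name {zone!r}")
            for spec in servers:
                parse_nameserver(spec)      # raises on a malformed address or port
            fz.append(f"{zone} {{ nameservers add {{ {' '.join(servers)} }} }}")
        parts.append("forward-zones add { " + " ".join(fz) + " }")
    if local_zones:
        lz = []
        for zone, ztype, records in local_zones:
            if not is_valid_zone_name(zone):
                raise ValueError(f"bad zone name {zone!r}")
            for r in records:
                parse_rr(r)                 # raises on a record missing a field
            quoted = " ".join(f'"{r}"' for r in records)
            lz.append(f"{{ name {zone} type {ztype} records add {{ {quoted} }} }}")
        parts.append("local-zones { " + " ".join(lz) + " }")
    return " ".join(parts)


# Constructed sample input mirroring the EXAMPLES section (not real infrastructure).
SAMPLE_FORWARD = {"corp.example.net": ["10.10.10.10:53", "2001::1:ff.53"]}
SAMPLE_LOCAL = [("lz.example.net", "transparent",
                 ["lz.example.net 60 IN A 127.0.0.1",
                  "www.lz.example.net 300 IN A 127.0.0.2"])]

if __name__ == "__main__":
    print(build_modify_command("myCache", SAMPLE_FORWARD, SAMPLE_LOCAL))
```

Validating before emitting matters because a malformed nameserver or record string is only caught by tmsh at apply time; catching it earlier keeps a bad entry out of a scripted configuration push.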

       max-concurrent-queries
	    Specifies the maximum number of concurrent distinct queries used by the resolver. A query is identified by query name,
	    type and class. If the number of distinct queries exceeds this limit, the resolver replaces the earliest query in the
	    queue with the new query if it has been in the queue longer than the allowed time. The default value is 1024.

       max-concurrent-tcp
	    Specifies the maximum number of concurrent TCP flows used by the resolver. The default value is 20.

       max-concurrent-udp
	    Specifies the maximum number of concurrent UDP flows used by the resolver. The default value is 8192.

       msg-cache-size
	    Specifies the maximum size in bytes of the DNS message cache. The default value is 1048576.

	    The BIG-IP system caches the messages in a DNS response in the message cache. After the maximum size of the cache is
	    reached, when new or refreshed content is added to the cache, the expired and older content is removed from the cache.
	    A higher maximum size allows more DNS responses to be cached and increases the cache hit percentage. A lower maximum
	    size forces earlier eviction of cached content, but can lower the cache hit percentage.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.

       nameserver-cache-count
	    Specifies the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data. The
	    default value is 16536 entries.

       prefetch-key
	    When enabled, the validating resolver fetches the DNSKEY early in the validation process. Disable this setting when
	    you want to reduce resolver traffic, but understand that a client may have to wait for the validating resolver to
	    perform a key lookup. The default value is yes.

       randomize-query-name-case
	    When enabled, the resolver randomizes the case of query names. The default value is yes.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
	    expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
	    expression syntax.

       response-policy-zones
	    Adds, deletes or modifies the response policy zone to be used by this DNS Cache. Only a DNS Express zone configured as
	    a response policy zone can be added.

	    The query name of a recursive DNS request without DNSSEC enabled is queried against the data in the response policy
	    zone. If a match is found, the configured response policy action is taken.

	    action
		 The action to take upon a match. nxdomain results in an NXDOMAIN response given to the client. walled-garden
		 results in a response with a CNAME to the walled-garden zone and an A or AAAA response matching the DNS query
		 type. The default action is nxdomain.

	    walled-garden
		 A local zone configured in this cache that contains an A and/or AAAA record. This is typically used to redirect a
		 user that requests resolution of a name contained in the RPZ database to a local server. This local server can
		 display a message to the user and/or record the connection. Only A/AAAA/ANY requests are redirected, a request
		 for any other type is answered with a NoData response. If a request is received for type A or AAAA but there are
		 no records of that type configured, a NoData response is returned instead.
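A compact model of the response-policy-zone decisions described above, added here as an example (not F5 code). It reads "without DNSSEC enabled" as the client not requesting DNSSEC on the query, which is an assumption; the RPZ name list, walled-garden records and queries are constructed samples.

```python
def rpz_decision(qname, qtype, dnssec_requested, rpz_names, action, walled_garden):
    """Return a tuple describing the response the cache would give.

    qname             query name
    qtype             query type, e.g. "A", "AAAA", "MX", "ANY"
    dnssec_requested  True if the client asked for DNSSEC; such queries are not
                      checked against the RPZ data (assumption, see lead-in)
    rpz_names         set of names held in the response policy zone
    action            "nxdomain" or "walled-garden"
    walled_garden     {"name": local zone apex, "records": {"A": [...], "AAAA": [...]}}
    """
    if dnssec_requested or qname.rstrip(".").lower() not in rpz_names:
        return ("resolve",)          # no RPZ hit: normal cache / recursion path
    if action == "nxdomain":
        return ("NXDOMAIN",)
    # walled-garden: only A, AAAA and ANY are redirected; other types get NoData
    qtype = qtype.upper()
    if qtype not in ("A", "AAAA", "ANY"):
        return ("NODATA",)
    wanted = ["A", "AAAA"] if qtype == "ANY" else [qtype]
    answers = [(t, r) for t in wanted for r in walled_garden["records"].get(t, [])]
    if not answers:                  # requested type has no record in the local zone
        return ("NODATA",)
    return ("CNAME", walled_garden["name"], answers)


# Constructed samples: a blocked name, and a walled-garden zone with only an A record.
RPZ_NAMES = {"blocked.example"}
WALLED_GARDEN = {"name": "wg.example.net", "records": {"A": ["127.0.0.2"]}}

if __name__ == "__main__":
    for qtype in ("A", "AAAA", "MX", "ANY"):
        print(qtype, rpz_decision("blocked.example", qtype, False,
                                  RPZ_NAMES, "walled-garden", WALLED_GARDEN))
```

The AAAA and MX cases are the ones worth checking when rolling out a walled garden: a zone holding only A records yields NoData for AAAA queries, so IPv6-preferring clients see no redirect page rather than the intended notice.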

       root-hints
	    Specifies the IP addresses of DNS servers that the BIG-IP system considers authoritative for the DNS root nameservers.

	    Important: By default, the BIG-IP system uses the DNS root nameservers published by InterNIC.

	    Caution: When you add DNS root nameservers, the BIG-IP system no longer uses the default nameservers published by
	    InterNIC, but instead uses the nameservers you add as authoritative for the DNS root nameservers.

       route-domain
	    Specifies the route domain the resolver uses for outbound traffic. The default value is the default route domain.

       rrset-cache-size
	    Specifies the maximum size in bytes of the resource records set cache. The default value is 10485760.

	    The BIG-IP system caches the supporting records in a DNS response in the resource record cache. After the maximum size
	    of the cache is reached, when new or refreshed content is added to the cache, the expired and older content is removed
	    from the cache. A higher maximum size allows more DNS responses to be cached and increases the cache hit percentage. A
	    lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.

       rrset-rotate
	    Specifies the resource record rotation method used within cached responses. The default value is none.

	    none Resource record order is not modified.

	    query-id Resource record order is a function of the client's query id.

       trust-anchors
	    Specifies the DNSKEY or DS resource records the BIG-IP system uses to establish DNSSEC trust with a specific DNS zone.
	    The resource records must be specified in string format, for example, dig or drill format. The default value is none.

       unwanted-query-reply-threshold
	    The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate
	    SNMP traps or log messages when rejecting unsolicited replies.

	    Change the default value to monitor for unsolicited DNS replies. This alerts you to a potential security attack, such
	    as cache poisoning or DoS. For example, if you specify a value of 1,000,000, each time the system receives 1,000,000
	    unsolicited replies, it generates an SNMP trap and log message. The default value is 0 (off).

       use-ipv4
	    When enabled, the resolver sends DNS queries to IPv4 addresses. The default value is yes.

       use-ipv6
	    When enabled, the resolver sends DNS queries to IPv6 addresses. The default value is yes.

       use-tcp
	    When enabled, the resolver can send queries over the TCP protocol. The default value is yes.

       use-udp
	    When enabled, the resolver can send queries over the UDP protocol. The default value is yes.

SEE ALSO
       create, delete, edit, glob, list, ltm dns cache transparent, ltm dns cache resolver, show, modify, regex, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2016. All rights reserved.

BIG-IP							    2020-11-12			      ltm dns cache validating-resolver(1)