ltm dns cache validating-resolver(1)                BIG-IP TMSH
NAME
validating-resolver - Configures a DNS cache with a resolver and
validator on the BIG-IP(r) system.
MODULE
ltm dns cache
SYNTAX
Configure the validating-resolver DNS cache component within the ltm
dns cache module using the syntax in the following sections.
CREATE/MODIFY
create validating-resolver [name]
modify validating-resolver [name]
options:
allowed-query-time [integer]
answer-default-zones [yes | no]
app-service [[string] | none]
dlv-anchors {
{ [DNSKEY or DS RR string] ... }
}
forward-zones [add | delete | modify | replace-all-with] {
[ [zone-name] ] {
options:
nameservers [add | delete | replace-all-with] {
[ [IPv4address:port] | [IPv6address.port] ]
}
nameservers none
}
forward-zones none
ignore-cd [yes | no]
key-cache-size [integer]
local-zones [ [none] |
[ { { name [dname] type [type] records [none | add { [RR string] ...} ] } ... } ] ]
max-concurrent-queries [integer]
max-concurrent-udp [integer]
max-concurrent-tcp [integer]
msg-cache-size [integer]
nameserver-cache-count [integer]
prefetch-key [yes | no]
randomize-query-name-case [yes | no]
response-policy-zones [add | delete | modify] {
[zone-name] {
action [nxdomain | walled-garden]
walled-garden [local-zone]
}
}
response-policy-zones none
root-hints {
{ [IP address] ... }
}
route-domain [name]
rrset-cache-size [integer]
rrset-rotate [none | query-id]
trust-anchors {
{ [DNSKEY or DS RR string] ... }
}
unwanted-query-reply-threshold [integer]
use-ipv4 [yes | no]
use-ipv6 [yes | no]
use-tcp [yes | no]
use-udp [yes | no]
DISPLAY
list validating-resolver
list validating-resolver [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
show validating-resolver [name]
DELETE
delete validating-resolver [name]
DESCRIPTION
You can use the validating-resolver component to configure and view
information about a validating recursive-resolving DNS cache. A
resolving and validating cache performs recursive resolution to fill
its cache and uses DNSSEC to ensure the integrity of the data.
Important: When sizing caches, consider the total amount of memory
available and how you wish to allocate memory for DNS caching. Note
that cache sizing values are per-TMM process; therefore, a platform
with eight TMMs consumes the amount of memory set for the resource
record set cache times eight.
EXAMPLES
list validating-resolver myCache
Displays the properties of the validating recursive-resolving DNS cache
myCache.
modify validating-resolver myCache local-zones { { name lz.example.net records add { "lz.example.net 60 IN A 127.0.0.1" "www.lz.example.net 300 IN A 127.0.0.2" } } }
Modifies DNS cache myCache by adding a local-zone lz.example.net with 2
resource records.
OPTIONS
allowed-query-time
Specifies the time allowed for a query to stay in the queue before
it is replaced by a new query when the number of concurrent
distinct queries exceeds the limit. The default value is 200
milliseconds.
answer-default-zones
Specifies whether the validating resolver cache answers queries
for default zones: localhost, reverse 127.0.0.1 and ::1, and AS112
zones. The default value is no.
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
dlv-anchors
Specifies the DNSKEY or DS resource records the BIG-IP system uses
to establish DNSSEC trust with a DLV registry. The resource
records must be specified in string format, for example, dig or
drill format. The default is none.
forward-zones
Adds, deletes, modifies, or replaces a set of forward zones on a
DNS Cache, by specifying zone name(s). A given zone name should
only use the symbols allowed for a fully qualified domain name
(FQDN), namely ASCII letters a through z, digits 0 through 9,
hyphen (-), and period (.). For example, site.example.com would be
a valid zone name.
A DNS Cache configured with a forward zone will forward any
queries that result in a cache-miss (the answer was not available
in the cache) and match a configured zone name, to the nameserver
specified on the zone. If no nameservers are specified on the
zone, an automatic SERVFAIL is returned. When a forward zone's
nameserver returns a valid response to the DNS Cache, that
response is cached and then returned to the requester.
nameservers
Adds, deletes, or replaces a set of nameservers in a forward
zone on a DNS Cache. A nameserver is represented by an IP
address and port in the format [IPv4:port] or [IPv6.port],
for example 10.10.10.10:53 or 2001::1:ff.53, respectively.
If more than one nameserver is listed for a given forward
zone, a matching query will be sent to the nameserver that is
currently deemed the most responsive (based on RTTs). If no
response is received within a certain window of time, the DNS
Cache will resend the query to another nameserver with an
increased wait window until a response is received.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
ignore-cd
When enabled, the system ignores the Checking Disabled setting on
client queries, performs validation, and returns only secure
answers. The default value is no.
key-cache-size
Specifies the maximum size in bytes of the DNSKEY cache. The
default value is 1048576.
local-zones
Zones and associated resource records for which the cache will
provide Authoritative responses. Default is empty. This is
intended for small, simple authoritative data configurations.
The local-zone name must be fully qualified and should be the apex
of the zone. The local-zone type may be one of the following:
deny, refuse, static, transparent, type-transparent, or redirect.
Zero or more resource records may be given; each must be fully
specified as name, TTL, class, type, and record data, separated by
spaces and enclosed in double quotes. For example,
"www.example.net. 300 IN A 1.2.3.4".
For all local-zones types, if the DNS query matches, it is
answered Authoritatively. How a non-matching query is handled
depends on the local-zone type.
deny drops the query.
refuse sends a REFUSED response.
static sends either a NoData or NXDOMAIN response (includes SOA if
present in local-zone).
transparent performs regular cache operation (i.e. transparent
pass-through or iterative resolution) except for those query names
which would result in NoData. This is the default local-zone type.
type-transparent same as transparent but does not return NoData.
redirect returns responses with zone suffix record(s) for queries
beneath that suffix. For example, a local-zone for example.com and
a single A record for that name; queries for www.example.com or
abc.www.example.com would return the single A record (both have
the same suffix).
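The local-zone type semantics listed above, worked through as an added Python model (this is an illustration, not F5 code or the BIG-IP implementation); it reuses the record strings from this page's own example and treats the redirect case where the apex lacks the requested type as NoData, which is an assumption.

```python
# Added illustration, not F5 code: a model of the local-zone type semantics
# described in this man page. Record strings use the page's "name ttl class
# type rdata" format; the zone/record names used with it are constructed samples.
LOCAL_ZONE_TYPES = {"deny", "refuse", "static", "transparent",
                    "type-transparent", "redirect"}

def parse_rr(rr):
    """Split "www.example.net. 300 IN A 1.2.3.4" into (name, ttl, class, type, rdata)."""
    name, ttl, rclass, rtype, rdata = rr.split(None, 4)
    return name.rstrip(".").lower(), int(ttl), rclass.upper(), rtype.upper(), rdata

def in_zone(qname, zone):
    """True when qname is the zone apex or lies beneath it."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def answer_local_zone(zone, ztype, records, qname, qtype):
    """What the cache does with one query against one local-zone.
    Returns ("answer", [rdata, ...]), ("nodata",), ("nxdomain",), ("refused",),
    ("drop",), or ("resolve",) when normal cache/recursive resolution continues."""
    assert ztype in LOCAL_ZONE_TYPES, "unknown local-zone type"
    if not in_zone(qname, zone):
        return ("resolve",)          # the local-zone does not apply to this name
    q, z, qt = qname.rstrip(".").lower(), zone.rstrip(".").lower(), qtype.upper()
    rrs = [parse_rr(r) for r in records]
    if ztype == "redirect":
        # every name beneath the suffix is answered with the apex record(s);
        # modelled as NoData when the apex lacks the requested type (assumption)
        apex = [r[4] for r in rrs if r[0] == z and r[3] == qt]
        return ("answer", apex) if apex else ("nodata",)
    same_name = [r for r in rrs if r[0] == q]
    matching = [r[4] for r in same_name if r[3] == qt]
    if matching:
        return ("answer", matching)  # matching query: authoritative answer for all types
    if ztype == "deny":
        return ("drop",)
    if ztype == "refuse":
        return ("refused",)
    if ztype == "static":
        return ("nodata",) if same_name else ("nxdomain",)
    if ztype == "transparent":
        # name exists with other types -> NoData; otherwise resolve normally
        return ("nodata",) if same_name else ("resolve",)
    return ("resolve",)              # type-transparent never synthesises NoData
```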
max-concurrent-queries
Specifies the maximum number of concurrent distinct queries used
by the resolver. A query is identified by query name, type and
class. If the number of distinct queries exceeds this limit, the
resolver replaces the earliest query in the queue with the new
query if it has been in the queue longer than the allowed time.
The default value is 1024.
max-concurrent-tcp
Specifies the maximum number of concurrent TCP flows used by the
resolver. The default value is 20.
max-concurrent-udp
Specifies the maximum number of concurrent UDP flows used by the
resolver. The default value is 8192.
msg-cache-size
Specifies the maximum size in bytes of the DNS message cache. The
default value is 1048576.
The BIG-IP system caches the messages in a DNS response in the
message cache. After the maximum size of the cache is reached,
when new or refreshed content is added to the cache, the expired
and older content is removed from the cache. A higher maximum size
allows more DNS responses to be cached and increases the cache hit
percentage. A lower maximum size forces earlier eviction of cached
content, but can lower the cache hit percentage.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
nameserver-cache-count
Specifies the maximum number of DNS nameservers for which the BIG-
IP system caches connection and capability data. The default value
is 16536 entries.
prefetch-key
When enabled, the validating resolver fetches the DNSKEY early in
the validation process. Disable this setting when you want to
reduce resolver traffic, but understand that a client may have to
wait for the validating resolver to perform a key lookup. The
default value is yes.
randomize-query-name-case
When enabled, the resolver randomizes the case of query names. The
default value is yes.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
response-policy-zones
Adds, deletes or modifies the response policy zone to be used by
this DNS Cache. Only a DNS Express zone configured as a response
policy zone can be added.
The query name of a recursive DNS request without DNSSEC enabled
is queried against the data in the response policy zone. If a
match is found, the configured response policy action is taken.
action
The action to take upon a match. nxdomain results in an
NXDOMAIN response given to the client. walled-garden results
in a response with a CNAME to the walled-garden zone and an A
or AAAA response matching the DNS query type. The default
action is nxdomain.
walled-garden
A local zone configured in this cache that contains an A
and/or AAAA record. This is typically used to redirect a user
that requests resolution of a name contained in the RPZ
database to a local server. This local server can display a
message to the user and/or record the connection. Only A, AAAA,
and ANY requests are redirected; a request for any other type is
answered with a NoData response. If a request for type A or AAAA
is received but no record of that type is configured, a NoData
response is returned instead.
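The response-policy-zone action and walled-garden rules above, as an added Python model (an illustration, not F5 code): the RPZ database is stood in for by a plain set of names and "DNSSEC enabled" on the client request by a flag, both simplifying assumptions, and every name and address in it is constructed.

```python
# Added illustration, not F5 code: a model of the response-policy-zones action
# rules described in this man page. The RPZ (DNS Express zone) database is
# stood in for by a set of names, and whether the client request has DNSSEC
# enabled is passed as a flag; both are simplifying assumptions.
def parse_rr(rr):
    """Split "wg.example.net 300 IN A 192.0.2.10" into (name, type, rdata)."""
    name, _ttl, _rclass, rtype, rdata = rr.split(None, 4)
    return name.rstrip(".").lower(), rtype.upper(), rdata

def rpz_response(rpz_names, action, walled_garden, wg_records,
                 qname, qtype, dnssec_enabled=False):
    """Returns ("pass",) when the policy does not apply, ("nxdomain",),
    ("nodata",), or ("redirect", cname_target, [(type, address), ...])."""
    q = qname.rstrip(".").lower()
    if dnssec_enabled or q not in rpz_names:
        return ("pass",)             # only non-DNSSEC queries are checked; non-matches pass
    if action == "nxdomain":
        return ("nxdomain",)
    assert action == "walled-garden", "unknown RPZ action"
    qt = qtype.upper()
    if qt not in ("A", "AAAA", "ANY"):
        return ("nodata",)           # other query types are never redirected
    wg = walled_garden.rstrip(".").lower()
    wanted = ("A", "AAAA") if qt == "ANY" else (qt,)
    addrs = [(t, d) for n, t, d in map(parse_rr, wg_records)
             if n == wg and t in wanted]
    if not addrs:
        return ("nodata",)           # garden has no record of the requested type
    return ("redirect", wg, addrs)   # CNAME to the walled garden plus its A/AAAA
```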
root-hints
Specifies the IP addresses of DNS servers that the BIG-IP system
considers authoritative for the DNS root nameservers.
Important: By default, the BIG-IP system uses the DNS root
nameservers published by InterNIC.
Caution: When you add DNS root nameservers, the BIG-IP system no
longer uses the default nameservers published by InterNIC, but
instead uses the nameservers you add as authoritative for the DNS
root nameservers.
route-domain
Specifies the route domain the resolver uses for outbound traffic.
The default value is the default route domain.
rrset-cache-size
Specifies the maximum size in bytes of the resource record set
cache. The default value is 10485760.
The BIG-IP system caches the supporting records in a DNS response
in the resource record cache. After the maximum size of the cache
is reached, when new or refreshed content is added to the cache,
the expired and older content is removed from the cache. A higher
maximum size allows more DNS responses to be cached and increases
the cache hit percentage. A lower maximum size forces earlier
eviction of cached content, but can lower the cache hit
percentage.
rrset-rotate
Specifies the resource record rotation method used within cached
responses. The default value is none.
none Resource record order is not modified.
query-id Resource record order is a function of the client's query
id.
trust-anchors
Specifies the DNSKEY or DS resource records the BIG-IP system uses
to establish DNSSEC trust with a specific DNS zone. The resource
records must be specified in string format, for example, dig or
drill format. The default value is none.
unwanted-query-reply-threshold
The system always rejects unsolicited replies. The default value
is 0 (off), which means the system does not generate SNMP traps or
log messages when rejecting unsolicited replies.
Change the default value to monitor for unsolicited DNS replies,
which can indicate a potential attack such as cache poisoning or
DoS. For example, if you specify a value of 1,000,000, each time
the system receives 1,000,000 unsolicited replies it generates an
SNMP trap and a log message.
use-ipv4
When enabled, the resolver sends DNS queries to IPv4 addresses.
The default value is yes.
use-ipv6
When enabled, the resolver sends DNS queries to IPv6 addresses.
The default value is yes.
use-tcp
When enabled, the resolver can send queries over the TCP protocol.
The default value is yes.
use-udp
When enabled, the resolver can send queries over the UDP protocol.
The default value is yes.
SEE ALSO
create, delete, edit, glob, list, ltm dns cache transparent, ltm dns
cache resolver, show, modify, regex, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2016. All rights reserved.
BIG-IP                          2016-03          ltm dns cache validating-resolver(1)