F5BigDnsApp
Overview
The F5BigDnsApp Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to provide high-performance DNS resolution, caching and DNS64 translation mapping. The F5BigDnsApp CR can also reference an F5BigIpsPolicy CR to protect applications from malicious network traffic, and an F5BigDnsCache CR to optimize DNS lookup performance with query caching.
This document guides you through understanding, configuring and installing a simple F5BigDnsApp, and the optional F5BigDnsCache, F5BigIpsPolicy and F5BigLogProfile CRs.
CR parameters
The tables below describe the F5BigDnsApp and F5BigDnsCache CR parameters used in this document.
F5BigDnsCache
The table below describes the F5BigDnsCache CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsCache Reference.
Note: DNS responses remain cached for the duration of the DNS record TTL.
Parameter | Description |
---|---|
cacheType | The transparent cacheType is used here; netResolver and resolver are the other supported cacheTypes. |
transparent.localZones.name | The Fully Qualified Domain Name for a localZone. |
transparent.localZones.zoneType | The zone type for the localZone: deny, refuse, static, transparent (default), type-transparent, or redirect. |
transparent.localZones.records | An array of records for this localZone. |
F5BigDnsApp
The table below describes the F5BigDnsApp CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsApp Reference.
Parameter | Description |
---|---|
destination.address | Specifies the IPv4 address used by clients to resolve DNS queries. |
destination.ipv6Address | Specifies the IPv6 address used by clients to resolve DNS queries. |
destination.port | Specifies the service port used to resolve DNS queries. The default is 53. |
pool.members | Specifies a list of endpoint DNS servers used to resolve DNS queries. |
pool.members.address | Specifies an endpoint (DNS server) used to resolve DNS queries. |
pool.members.port | Specifies the endpoint service port used to resolve DNS queries. The default value is 53. |
logProfile | Specifies the F5BigLogProfile to be used. |
dns.dnsCache | Enables caching when referencing an F5BigDnsCache CR by its metadata.name. |
monitors.dns.enabled | Enables monitoring of pool.members availability: true or false (default). |
monitors.dns.queryName | Specifies the fully qualified domain name that the monitor sends in the DNS query probe. |
monitors.dns.queryType | Specifies the DNS query type that the monitor sends in the DNS query probe: a (default) or aaaa. |
monitors.dns.recv | The IP address that the monitor looks for in the DNS server response to the DNS query probe. |
monitors.dns.icmp.enabled | Enables sending ICMP probes to verify pool.members availability: true or false (default). |
CR Examples
F5BigDnsCache
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: transparent
  transparent:
    localZones:
    - name: example.com
      zoneType: static
      records:
      - example.com. IN AAAA 2002::10:11:12:13
  cacheType: netResolver
  netResolver:
    useUdp: true
    useTcp: true
    forwardZones:
    - forwardZone: example.com
      nameServers:
      - ipAddress: 43.43.43.50
        port: 53
  cacheType: resolver
  resolver:
    useUdp: true
    useTcp: false
    useIpv4: true
    useIpv6: false
    rootHints:
    - 11.11.11.100
    forwardZones:
    - forwardZone: example.com
      nameServers:
      - ipAddress: "11.11.11.100"
      - ipAddress: "2002::11:11:11:100"
```
Note: The F5BigDnsCache example above shows all three cacheTypes in one spec for illustration. A DNS cache supports only one cacheType at a time for the DNSApp, so keep only the cacheType section you need.
F5BigDnsApp
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "udp"
  destination:
    ipv6Address: "2002::192:168:100:201"
    port: 53
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  pool:
    members:
    - address: "2002::10:10:10:100"
    - address: "2002::10:10:10:101"
  monitors:
    dns:
      enabled: true
      queryName: "webapp.net."
      queryType: "aaaa"
      recv: "2002::10:10:20:200"
```
CR shortName
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDnsApp and F5BigDnsCache CR shortNames are dnsapp and dnscache respectively.
View CR instance:
oc get dnsapp -n <namespace>
oc get dnscache -n <namespace>
View CR configuration:
oc get dnsapp -n <namespace> -o yaml
oc get dnscache -n <namespace> -o yaml
DNS Monitors
Prior to configuring and applying F5BigDnsApp monitors to Service endpoints, it is important to understand the CR's timeout and interval parameters, and their recommended configuration. The parameters behave as follows:
- timeout is only observed when it is less than the interval: endpoints are marked down when unanswered probes exceed the configured timeout.
- timeout is not observed when it is greater than the interval: endpoints are marked down when unanswered probes exceed the configured interval.
Note: F5 recommends setting the timeout value to the same as or less than the interval value.
Installation
Use the following steps to install the F5BigDnsApp CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: To capture and send DNS and IPS events to remote logging servers, copy the example F5BigLogHslpub CR into a YAML file:
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
  - name: hsl-pool
    endpoint:
    - "2002::192:168:10:200:514"
  syslog:
  - name: "cnf-syslog"
    distribution: "adaptive"
    format: "rfc5424"
    pool: "hsl-pool"
    protocol: "udp"
```
Install the F5BigLogHslpub CR:
oc apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: To define the types of DNS and IPS events to capture, copy the F5BigLogProfile CR into a YAML file:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  name: "dns-log"
  publisher: "cnf-hsl-pub"
  dns:
    enabled: true
    publisher: "cnf-hsl-pub"
    responseLogging: true
    queryId: true
  protocolInspection:
    enabled: true
    publisher: "cnf-hsl-pub"
    logPacket: true
```
Install the F5BigLogProfile CR:
oc apply -f cnf-log-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
Optional: The example F5BigIpsPolicy CR rejects SOA record queries, and rejects dns_named_version_attempt and dns_os_solaris_exploit_sparc_overflow_attempt packet signatures. Copy and paste the CR into a YAML file:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpsPolicy
metadata:
  name: "cnf-ips"
  namespace: "cnf-gateway"
spec:
  services:
  - name: dns
    ports:
    - "53"
    compliances:
    - name: dns_disallowed_query_type
      valueType: string
      value: SOA
      action: reject
    signatures:
    - name: dns_named_version_attempt
      action: reject
    - name: dns_os_solaris_exploit_sparc_overflow_attempt
      action: reject
```
Install the F5BigIpsPolicy CR:
oc apply -f cnf-ips-policy.yaml
In this example, the BIG-IP Controller logs indicate the F5BigIpsPolicy CR was added/updated:
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5ProtocolInspectionProfile", F5ProtocolInspectionProfile cnf-gateway/cnf-ips was added/updated
Optional: Copy the F5BigDnsCache CR into a YAML file. In this example, the DNS cache creates an AAAA record, and returns authoritative DNS responses for the example.com domain.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: transparent
  transparent:
    localZones:
    - name: example.com
      zoneType: static
      records:
      - example.com. IN AAAA 2002::10:11:12:13
```
Install the F5BigDnsCache CR:
oc apply -f cnf-dnscache-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigDnsCache CR was added/updated:
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dnscache", F5Dnscache cnf-gateway/cnf-dnscache was added/updated
Copy the F5BigDnsApp CR into a YAML file. In the example below, clients can use 192.168.100.201 or 2002::192:168:100:201 as their DNS resolver IP address.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "udp"
  destination:
    address: "192.168.100.201"
    ipv6Address: "2002::192:168:100:201"
    port: 53
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  udp:
    allowNoPayload: true
  pool:
    members:
    - address: "2002::10:10:10:100"
    - address: "2002::10:10:10:101"
  monitors:
    dns:
      enabled: true
      queryName: "webapp.net."
      queryType: "aaaa"
      recv: "2002::10:10:20:200"
    icmp:
      enabled: true
```
Install the F5BigDnsApp CR:
oc apply -f cnf-dnsapp-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dns", F5Dns cnf-gateway/cnf-dnsapp was added/updated
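Before running `oc apply`, it is worth checking the CRs above against the rules this document states: an F5BigDnsCache carries one cacheType, dns.dnsCache must name an F5BigDnsCache in the same namespace, pool.members must not be empty, and (from the DNS Monitors section) a monitor timeout larger than the interval is silently ignored. The following lint is an added example, not F5's code or part of the CNF project. It reads CRs in the JSON shape `oc get dnsapp,dnscache -n <namespace> -o json` returns; the embedded sample is constructed to mirror the CRs in this document, and the `timeout` and `interval` field names under monitors.dns are assumed from the DNS Monitors section.

```python
"""Pre-apply lint for F5BigDnsApp and F5BigDnsCache CRs (added example, not
F5's code). Input is the JSON document `oc get ... -o json` returns."""
import json

CACHE_TYPES = ("transparent", "netResolver", "resolver")

# Constructed sample: the page's F5BigDnsCache with a second cacheType body
# left in, the page's F5BigDnsApp with timeout > interval (field names
# assumed), and a deliberately broken F5BigDnsApp.
SAMPLE_JSON = json.dumps({"items": [
    {"kind": "F5BigDnsCache",
     "metadata": {"name": "cnf-dnscache", "namespace": "cnf-gateway"},
     "spec": {"cacheType": "transparent",
              "transparent": {"localZones": [{"name": "example.com", "zoneType": "static",
                              "records": ["example.com. IN AAAA 2002::10:11:12:13"]}]},
              "netResolver": {"useUdp": True, "useTcp": True}}},
    {"kind": "F5BigDnsApp",
     "metadata": {"name": "cnf-dnsapp", "namespace": "cnf-gateway"},
     "spec": {"ipProtocol": "udp",
              "destination": {"address": "192.168.100.201",
                              "ipv6Address": "2002::192:168:100:201", "port": 53},
              "dns": {"dnsCache": "cnf-dnscache", "dns64Mode": "secondary",
                      "dns64Prefix": "64:ff9b::"},
              "pool": {"members": [{"address": "2002::10:10:10:100"},
                                   {"address": "2002::10:10:10:101"}]},
              "monitors": {"dns": {"enabled": True, "queryName": "webapp.net.",
                                   "queryType": "aaaa", "recv": "2002::10:10:20:200",
                                   "timeout": 16, "interval": 5}}}},
    {"kind": "F5BigDnsApp",
     "metadata": {"name": "cnf-dnsapp-broken", "namespace": "cnf-gateway"},
     "spec": {"destination": {"port": 53},
              "dns": {"dnsCache": "no-such-cache"},
              "pool": {"members": []}}},
]})


def lint_items(items):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    caches = {(o["metadata"]["namespace"], o["metadata"]["name"])
              for o in items if o["kind"] == "F5BigDnsCache"}
    for obj in items:
        kind, meta, spec = obj["kind"], obj["metadata"], obj.get("spec", {})
        ref = f'{kind} {meta["namespace"]}/{meta["name"]}'
        if kind == "F5BigDnsCache":
            ctype = spec.get("cacheType")
            bodies = [t for t in CACHE_TYPES if t in spec]
            if ctype not in CACHE_TYPES:
                findings.append(f"{ref}: cacheType must be one of {CACHE_TYPES}")
            # the cache supports one cacheType at a time: exactly one body, matching cacheType
            if bodies != [ctype]:
                findings.append(f"{ref}: expected only the {ctype} body, found {bodies}")
        elif kind == "F5BigDnsApp":
            dest = spec.get("destination", {})
            if not (dest.get("address") or dest.get("ipv6Address")):
                findings.append(f"{ref}: destination.address or destination.ipv6Address is required")
            cache = spec.get("dns", {}).get("dnsCache")
            if cache and (meta["namespace"], cache) not in caches:
                findings.append(f"{ref}: dns.dnsCache '{cache}' is not an F5BigDnsCache in {meta['namespace']}")
            if not spec.get("pool", {}).get("members"):
                findings.append(f"{ref}: pool.members is empty, no DNS servers to resolve against")
            mon = spec.get("monitors", {}).get("dns", {})
            if mon.get("enabled"):
                if mon.get("queryType", "a") not in ("a", "aaaa"):
                    findings.append(f"{ref}: monitors.dns.queryType must be a or aaaa")
                timeout, interval = mon.get("timeout"), mon.get("interval")
                # timeout is only observed when it is <= interval; otherwise the
                # interval decides when unanswered probes mark a member down
                if timeout is not None and interval is not None and timeout > interval:
                    findings.append(f"{ref}: monitors.dns timeout {timeout} exceeds interval {interval}; "
                                    f"timeout is not observed, members go down after {interval}")
    return findings


def lint_json(text):
    """Lint the JSON document produced by `oc get ... -o json`."""
    return lint_items(json.loads(text)["items"])


if __name__ == "__main__":
    for line in lint_json(SAMPLE_JSON) or ["no findings"]:
        print(line)
```

Run it against a live cluster with `oc get dnsapp,dnscache -n cnf-gateway -o json | python3 lint.py` after replacing the sample with `sys.stdin.read()`; a non-empty finding list is the cue to fix the YAML before applying it.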
Traffic statistics
If you installed the CNF Controller with the Debug Sidecar enabled, connect to the sidecar to view the DNS statistics.
Log in to the TMM Debug container:
oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
View the IPS statistics:
tmctl -d blade protocol_inspection_stats
In this example, the IPS disallowed resource records (MX) inspection has matched 11 times, and the blacklisted domains inspection 3 times:
```
insp_id insp_name                       vs_name
------- ------------------------------- -------------------------------------
10007   dns_disallowed_resource_records cnf-gateway-cnf-dnsapp-virtual_server
10009   dns_domains_blacklist           cnf-gateway-cnf-dnsapp-virtual_server

prof_name                                     hit_count last_hit_time
--------------------------------------------- --------- -------------
cnf-gateway-dns-ips-profileprotocolinspection 11        1645748374
cnf-dateway-dns-ips-profileprotocolinspection 3         1645748620
```
View the DNS caching statistics:
tmctl -d blade dns_cache_resolver_stat -s name,queries,responses,msg.hits,msg.inserts
In this example, 55 queries have been processed, and 7 domain names have been added to the DNS cache:
```
name                           queries responses msg.hits msg.inserts
------------------------------ ------- --------- -------- -----------
cnf-gateway-cnf-dnscache       55      48        48       7
```
View the DNS resolution statistics:
tmctl -d blade profile_dns_stat -s name,vs_name,queries
In this example, 55 successful DNS queries have been processed:
```
name                               vs_name                               queries
---------------------------------- ------------------------------------- -------
cnf-gateway-cnf-dnsapp-profile_dns cnf-gateway-cnf-dnsapp-virtual_server 55
```
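The three `tmctl` tables above are easier to track over time when parsed into records, for example to derive the cache hit ratio (msg.hits over queries) or to alert when an IPS inspection's hit_count climbs. The parser below is an added example, not part of the F5 documentation or tooling. Its sample tables are constructed from the output shown in this document. It assumes that tmctl prints a table wider than the terminal as successive column groups (header, dash line, rows, blank line) that repeat the rows in the same order, which is how the protocol_inspection_stats output above is laid out, and that no cell in these tables contains whitespace.

```python
"""Parse `tmctl` statistics tables into records (added example, not F5 tooling)."""
import re

# Constructed sample matching the protocol_inspection_stats output in this document.
IPS_SAMPLE = """\
insp_id insp_name                       vs_name
------- ------------------------------- -------------------------------------
10007   dns_disallowed_resource_records cnf-gateway-cnf-dnsapp-virtual_server
10009   dns_domains_blacklist           cnf-gateway-cnf-dnsapp-virtual_server

prof_name                                     hit_count last_hit_time
--------------------------------------------- --------- -------------
cnf-gateway-dns-ips-profileprotocolinspection 11        1645748374
cnf-gateway-dns-ips-profileprotocolinspection 3         1645748620
"""

# Constructed sample matching the dns_cache_resolver_stat output in this document.
CACHE_SAMPLE = """\
name                     queries responses msg.hits msg.inserts
------------------------ ------- --------- -------- -----------
cnf-gateway-cnf-dnscache 55      48        48       7
"""


def _cell(value):
    """Integer cells become int; everything else stays a string."""
    try:
        return int(value)
    except ValueError:
        return value


def parse_tmctl(text):
    """Return one dict per row, merging tmctl column groups by row index.

    Each blank-line separated chunk is a column group: a header line, a dash
    line, then rows. Cells are split on whitespace (assumption: no cell in
    these tables contains a space).
    """
    groups = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if len(lines) < 2:
            raise ValueError("truncated tmctl table")
        if set(lines[1].strip()) - {"-", " "}:
            raise ValueError(f"missing dash line after header: {lines[0]!r}")
        header = lines[0].split()
        rows = []
        for line in lines[2:]:
            cells = line.split()
            if len(cells) != len(header):
                raise ValueError(f"expected {len(header)} cells: {line!r}")
            rows.append(dict(zip(header, map(_cell, cells))))
        groups.append(rows)
    if len({len(g) for g in groups}) != 1:
        raise ValueError("column groups disagree on row count")
    records = []
    for parts in zip(*groups):
        merged = {}
        for part in parts:
            merged.update(part)
        records.append(merged)
    return records


def ips_hit_summary(records):
    """Map each protocol-inspection name to its hit_count."""
    return {r["insp_name"]: r["hit_count"] for r in records}


def cache_hit_rate(record):
    """Fraction of queries answered from the cache (msg.hits / queries)."""
    return record["msg.hits"] / record["queries"] if record["queries"] else 0.0


if __name__ == "__main__":
    print(ips_hit_summary(parse_tmctl(IPS_SAMPLE)))
    print(f"cache hit rate: {cache_hit_rate(parse_tmctl(CACHE_SAMPLE)[0]):.2f}")
```

Feed it the raw text of `tmctl -d blade protocol_inspection_stats` from the debug sidecar; sampling hit_count at two points in time and diffing the result is a cheap way to spot a burst of rejected DNS queries.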
Monitor status
When the F5BigDnsApp has a monitor configured, the Service Proxy TMM Pod logs pool member status change messages similar to the following:
oc logs -f f5-tmm-7599d547fc-g2zqd -n cnf-gateway | grep 'Pool Member Status'
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up\n"
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnfn-dnsapp-pool is down\n"
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up\n"
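A member that is marked down and then up again within a short time, as in the three messages above, usually points at a monitor timeout that is too aggressive or at an unstable DNS server. The following summarizer is an added example, not part of the F5 documentation or tooling: it reads the lines that `oc logs ... | grep 'Pool Member Status'` prints, keeps the last reported state per pool member, and counts down-to-up recoveries so flapping members stand out. The sample lines are constructed to match the message format shown above, and the member address is assumed to carry the port after its last colon as in those messages.

```python
"""Summarize TMM 'Pool Member Status Change' log lines (added example, not F5 tooling)."""
import re

STATUS_RE = re.compile(
    r"Pool Member Status Change: pool member (?P<member>\S+) "
    r"in (?P<pool>\S+) is (?P<state>up|down)")

# Constructed sample in the format shown in this document: one member flaps
# (up, down, up) and a second member only comes up.
SAMPLE_LOG = """\
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:101:53 in cnf-gateway-cnf-dnsapp-pool is up
"""


def split_member(member):
    """'2002::10:10:10:100:53' -> ('2002::10:10:10:100', 53).

    Assumption: TMM appends the service port after the last colon, so the
    split must come from the right to keep IPv6 addresses intact.
    """
    address, port = member.rsplit(":", 1)
    return address, int(port)


def summarize_pool_status(text):
    """Return {(pool, address, port): {'state', 'changes', 'recoveries'}}."""
    summary = {}
    for line in text.splitlines():
        match = STATUS_RE.search(line)
        if not match:
            continue  # not a status-change message; skip unrelated log lines
        address, port = split_member(match["member"])
        entry = summary.setdefault((match["pool"], address, port),
                                   {"state": None, "changes": 0, "recoveries": 0})
        if entry["state"] == "down" and match["state"] == "up":
            entry["recoveries"] += 1  # a down-then-up cycle
        entry["state"] = match["state"]
        entry["changes"] += 1
    return summary


def flapping_members(summary, min_recoveries=1):
    """Members that went down and came back at least min_recoveries times."""
    return sorted(key for key, val in summary.items()
                  if val["recoveries"] >= min_recoveries)


if __name__ == "__main__":
    status = summarize_pool_status(SAMPLE_LOG)
    for key, val in status.items():
        print(key, val)
    print("flapping:", flapping_members(status))
```

Pipe the live log through it (`oc logs -f ... | grep 'Pool Member Status'`) or run it over a saved log; a member listed by `flapping_members` is the one whose monitor timeout and interval settings, and whose backend DNS server, deserve a look.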
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.