F5BigDnsApp

Overview

The F5BigDnsApp Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to provide high-performance DNS resolution, caching and DNS64 translation mapping. The F5BigDnsApp CR can also reference an F5BigIpsPolicy CR to protect applications from malicious DNS traffic, and an F5BigDnsCache CR to optimize DNS lookup performance with query caching.

This document guides you through understanding, configuring and installing a simple F5BigDnsApp, and the optional F5BigDnsCache, F5BigIpsPolicy and F5BigLogProfile CRs.

CR parameters

The tables below describe the F5BigDnsApp and F5BigDnsCache CR parameters used in this document.

F5BigDnsCache

The table below describes the F5BigDnsCache CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsCache Reference.

Note: DNS responses remain cached for the duration of the DNS record TTL.

Parameter Description
cacheType The type of DNS cache: transparent (used here), netResolver or resolver. A single F5BigDnsCache has exactly one cacheType.
transparent.localZones.name The Fully Qualified Domain Name for a localZone.
transparent.localZones.zoneType The zone type for the localZone: deny, refuse, static, transparent (default), type-transparent, or redirect.
transparent.localZones.records An array of records for this localZone.

F5BigDnsApp

The table below describes the F5BigDnsApp CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsApp Reference.

Parameter Description
destination.address Specifies the IPv4 address used by clients to resolve DNS queries.
destination.ipv6Address Specifies the IPv6 address used by clients to resolve DNS queries.
destination.port Specifies the service port used to resolve DNS queries. The default is 53.
pool.members Specifies a list of endpoint DNS servers used to resolve DNS queries.
pool.members.address Specifies an endpoint, or DNS server used to resolve DNS queries.
pool.members.port Specifies the endpoint service port used to resolve DNS queries. The default value is 53.
logProfile Specifies the F5BigLogProfile to be used.
dns.dnsCache Enables caching by referencing an F5BigDnsCache CR by its metadata.name.
monitors.dns.enabled Enables monitoring of the pool.members availability: true or false (default).
monitors.dns.queryName Specifies the fully qualified domain name the monitor sends in the DNS query probe.
monitors.dns.queryType Specifies the type of DNS query the monitor sends in the probe: a (default) or aaaa.
monitors.dns.recv Specifies the IP address the monitor looks for in the DNS server's response to the probe; it should be an IPv4 address for queryType a and an IPv6 address for queryType aaaa.
monitors.dns.icmp.enabled Enables sending ICMP probes to verify the pool.members availability: true or false (default).

CR Examples

F5BigDnsCache

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: transparent
  transparent:
    localZones:
      - name: example.com
        zoneType: static
        records:
          - example.com. IN AAAA 2002::10:11:12:13
---
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: netResolver
  netResolver:
    useUdp: true
    useTcp: true
    forwardZones:
      - forwardZone: example.com
        nameServers:
          - ipAddress: 43.43.43.50
            port: 53
---
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: resolver
  resolver:
    useUdp: true
    useTcp: false
    useIpv4: true
    useIpv6: false
    rootHints:
      - 11.11.11.100
    forwardZones:
      - forwardZone: example.com
        nameServers:
          - ipAddress: "11.11.11.100"
          - ipAddress: "2002::11:11:11:100"

Note: The example above shows all three cacheType variants. A single F5BigDnsCache supports only one cacheType, so install only the cacheType and the matching section (transparent, netResolver or resolver) that you need.

F5BigDnsApp

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "udp"
  destination:
   ipv6Address: "2002::192:168:100:201"
   port: 53
  snat:
   type: "automap"
   iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
  monitors:
    dns:
      enabled: true
      queryName: "webapp.net."
      queryType: "aaaa"
      recv: "2002::10:10:20:200"

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDnsApp and F5BigDnsCache CR shortNames are dnsapp and dnscache respectively.

View CR instance:

oc get dnsapp -n <namespace>
oc get dnscache -n <namespace>

View CR configuration:

oc get dnsapp -n <namespace> -o yaml
oc get dnscache -n <namespace> -o yaml

DNS Monitors

Before configuring and applying F5BigDnsApp monitors to Service endpoints, it is important to understand the CR's timeout and interval parameters and their recommended configuration. The parameters behave as follows:

  • timeout is only observed when it is less than the interval: Endpoints are marked down when unanswered probes exceed the configured timeout.
  • timeout is not observed when it is greater than the interval: Endpoints are marked down when unanswered probes exceed the configured interval.

Note: F5 recommends setting the timeout value equal to or less than the interval value.
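The constraints stated in the F5BigDnsCache and F5BigDnsApp parameter tables and in the monitor note above can be checked before a manifest is applied. The following lint is an added example, not F5's code or CLI: it takes the CR as a dict (for instance `json.load()` of `oc get dnscache <name> -n <namespace> -o json`, or a YAML file loaded with a YAML parser) and needs no cluster access. The sample CRs are the ones from this document. The placement of `timeout` and `interval` under `monitors.dns` is an assumption; the document names the parameters without placing them.

```python
"""Pre-apply lint for F5BigDnsCache and F5BigDnsApp manifests (added example, not F5's code)."""
import ipaddress
import json
import re

CACHE_TYPES = ("transparent", "netResolver", "resolver")
ZONE_TYPES = {"deny", "refuse", "static", "transparent", "type-transparent", "redirect"}
# localZones records use zone-file syntax: "<owner> IN <type> <rdata>"
RECORD_RE = re.compile(r"^(?P<owner>\S+)\s+IN\s+(?P<rrtype>[A-Z]+)\s+(?P<rdata>\S.*)$")


def _ip_version(text):
    """4 or 6 for a valid address, None otherwise."""
    try:
        return ipaddress.ip_address(text).version
    except ValueError:
        return None


def lint_dnscache(cr):
    """Return a list of problems; an empty list means the CR is consistent."""
    problems = []
    spec = cr.get("spec", {})
    ctype = spec.get("cacheType")
    if ctype not in CACHE_TYPES:
        problems.append(f"cacheType must be one of {CACHE_TYPES}, got {ctype!r}")
    # One cacheType per CR: the matching section must be present and be the only one.
    present = [k for k in CACHE_TYPES if k in spec]
    if present != [ctype]:
        problems.append(f"expected only the {ctype!r} section, found {present}")
    for zone in spec.get("transparent", {}).get("localZones", []):
        name = zone.get("name", "").rstrip(".")
        if zone.get("zoneType", "transparent") not in ZONE_TYPES:
            problems.append(f"{name}: bad zoneType {zone.get('zoneType')!r}")
        for rec in zone.get("records", []):
            m = RECORD_RE.match(rec)
            if not m:
                problems.append(f"{name}: unparseable record {rec!r}")
                continue
            owner = m["owner"].rstrip(".")
            if owner != name and not owner.endswith("." + name):
                problems.append(f"{name}: record owner {owner!r} is outside the zone")
            want = {"A": 4, "AAAA": 6}.get(m["rrtype"])
            if want and _ip_version(m["rdata"]) != want:
                problems.append(f"{name}: {m['rrtype']} rdata {m['rdata']!r} is not IPv{want}")
    return problems


def lint_dnsapp(cr, cache_names=()):
    """Check destination, pool members, the dnsCache reference and the DNS monitor."""
    problems = []
    spec = cr.get("spec", {})
    dest = spec.get("destination", {})
    if not (dest.get("address") or dest.get("ipv6Address")):
        problems.append("destination needs address and/or ipv6Address")
    for member in spec.get("pool", {}).get("members", []):
        if _ip_version(member.get("address", "")) is None:
            problems.append(f"pool member address {member.get('address')!r} is not an IP")
        if not 0 < int(member.get("port", 53)) < 65536:
            problems.append(f"pool member port {member.get('port')!r} out of range")
    ref = spec.get("dns", {}).get("dnsCache")
    if ref and ref not in cache_names:
        problems.append(f"dns.dnsCache {ref!r} does not name an installed F5BigDnsCache")
    mon = spec.get("monitors", {}).get("dns", {})
    if mon.get("enabled"):
        qtype = mon.get("queryType", "a")
        if not mon.get("queryName", "").endswith("."):
            problems.append("monitors.dns.queryName should be fully qualified (trailing dot)")
        want = {"a": 4, "aaaa": 6}.get(qtype)
        if want is None:
            problems.append(f"monitors.dns.queryType must be a or aaaa, got {qtype!r}")
        elif _ip_version(mon.get("recv", "")) != want:
            problems.append(f"monitors.dns.recv must be an IPv{want} address for queryType {qtype}")
        # Assumed placement: timeout/interval as siblings of enabled under monitors.dns.
        if "timeout" in mon and "interval" in mon and mon["timeout"] > mon["interval"]:
            problems.append("monitors.dns.timeout exceeds interval; only the interval is observed")
    return problems


# Constructed sample input: the document's transparent cache and DNS app, as JSON.
SAMPLE_CACHE = json.loads('''{"apiVersion":"k8s.f5net.com/v1","kind":"F5BigDnsCache",
 "metadata":{"name":"cnf-dnscache","namespace":"cnf-gateway"},
 "spec":{"cacheType":"transparent","transparent":{"localZones":[
   {"name":"example.com","zoneType":"static",
    "records":["example.com. IN AAAA 2002::10:11:12:13"]}]}}}''')
SAMPLE_APP = json.loads('''{"apiVersion":"k8s.f5net.com/v1","kind":"F5BigDnsApp",
 "metadata":{"name":"cnf-dnsapp","namespace":"cnf-gateway"},
 "spec":{"ipProtocol":"udp",
  "destination":{"address":"192.168.100.201","ipv6Address":"2002::192:168:100:201","port":53},
  "dns":{"dnsCache":"cnf-dnscache","dns64Mode":"secondary","dns64Prefix":"64:ff9b::"},
  "pool":{"members":[{"address":"2002::10:10:10:100"},{"address":"2002::10:10:10:101"}]},
  "monitors":{"dns":{"enabled":true,"queryName":"webapp.net.","queryType":"aaaa",
                     "recv":"2002::10:10:20:200"}}}}''')

if __name__ == "__main__":
    print(lint_dnscache(SAMPLE_CACHE) or "F5BigDnsCache OK")
    print(lint_dnsapp(SAMPLE_APP, {"cnf-dnscache"}) or "F5BigDnsApp OK")
```

Run it against the JSON of each CR before `oc apply`; a non-empty list names the field to fix. A merged manifest carrying two cacheType sections, a monitor whose recv address family does not match its queryType, or a dnsCache name that is not installed are the errors that otherwise surface only as a controller event or a pool that never comes up.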

Requirements

Ensure you have:

Installation

Use the following steps to install the F5BigDnsApp CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: To capture and send DNS and IPS events to remote logging servers, copy the example F5BigLogHslpub CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: hsl-pool
        endpoint:
        - "2002::192:168:10:200:514"
      syslog:
      - name: "cnf-syslog"
        distribution: "adaptive"
        format: "rfc5424"
        pool: "hsl-pool"
        protocol: "udp"
    
  2. Install the F5BigLogHslpub CR:

    oc apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. Optional: To define the types of DNS and IPS events to capture, copy the F5BigLogProfile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "dns-log"
      publisher: "cnf-hsl-pub"
      dns:
        enabled: true
        publisher: "cnf-hsl-pub"
        responseLogging: true
        queryId: true
      protocolInspection:
        enabled: true
        publisher: "cnf-hsl-pub"
        logPacket: true
    
  4. Install the F5BigLogProfile CR:

    oc apply -f cnf-log-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. Optional: The example F5BigIpsPolicy CR rejects SOA record queries, and rejects dns_named_version_attempt and dns_os_solaris_exploit_sparc_overflow_attempt packet signatures. Copy and paste the CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigIpsPolicy
    metadata:
      name: "cnf-ips"
      namespace: "cnf-gateway"
    spec:
      services:
        - name: dns
          ports:
            - "53"
          compliances:
            - name: dns_disallowed_query_type
              valueType: string
              value: SOA
              action: reject
          signatures:
            - name: dns_named_version_attempt
              action: reject
            - name: dns_os_solaris_exploit_sparc_overflow_attempt
              action: reject
    
  6. Install the F5BigIpsPolicy CR:

    oc apply -f cnf-ips-policy.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigIpsPolicy CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ProtocolInspectionProfile", 
    F5ProtocolInspectionProfile cnf-gateway/cnf-ips was added/updated
    
  7. Optional: Copy the F5BigDnsCache CR into a YAML file:

    In this example, the DNS cache serves a static AAAA record for example.com and answers queries for that zone authoritatively from local data.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsCache
    metadata:
      name: "cnf-dnscache"
      namespace: "cnf-gateway"
    spec:
      cacheType: transparent
      transparent:
        localZones:
          - name: example.com
            zoneType: static
            records:
              - example.com. IN AAAA 2002::10:11:12:13
    
  8. Install the F5BigDnsCache CR:

    oc apply -f cnf-dnscache-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsCache CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dnscache", 
    F5Dnscache cnf-gateway/cnf-dnscache was added/updated
    
  9. Copy the F5BigDnsApp into a YAML file:

    In the example below, clients can use 192.168.100.201 or 2002::192:168:100:201 as their DNS resolver IP address.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dnsapp"
      namespace: "cnf-gateway"
    spec:
      ipProtocol: "udp"
      destination:
       address: "192.168.100.201"
       ipv6Address: "2002::192:168:100:201"
       port: 53
      snat:
       type: "automap"
       iRules: ["dns-req"]
      dns:
        dnsCache: "cnf-dnscache"
        dns64Mode: "secondary"
        dns64Prefix: "64:ff9b::"
        dns64AdditionalSectionRewrite: "v4-only"
      udp:
        allowNoPayload: true
      pool:
        members:
          - address: "2002::10:10:10:100"
          - address: "2002::10:10:10:101"
      monitors:
        dns:
          enabled: true
          queryName: "webapp.net."
          queryType: "aaaa"
          recv: "2002::10:10:20:200"
        icmp:
          enabled: true
    
  10. Install the F5BigDnsApp CR:

    oc apply -f cnf-dnsapp-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dns",
    F5Dns cnf-gateway/cnf-dnsapp was added/updated
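Once the controller has reported the F5BigDnsApp as added, the obvious next step is a functional check from a client's point of view. The following is an added example, not F5's code: it builds and parses DNS messages with the Python standard library only, so it can run from any host or pod that can reach the destination address, and it checks the static AAAA that the transparent F5BigDnsCache serves for example.com as well as showing what the configured DNS64 prefix (64:ff9b::/96) synthesizes for an A-only name. The resolver address and record values are the ones from the manifests above; the IPv4 passed to the DNS64 helper in the usage block is arbitrary.

```python
"""Post-install DNS check for the F5BigDnsApp (added example, not F5's code)."""
import ipaddress
import secrets
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}
RDATA_LEN = {1: 4, 28: 16}          # fixed rdata sizes for the types we decode


def build_query(name, qtype, qid):
    """Standard query (RD=1) with one question, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def _read_name(data, off, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            hops += 1
            if hops > max_hops:                       # refuse pointer loops
                raise ValueError("compression pointer loop")
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(data):
    """Return {'id', 'rcode', 'answers': [(name, rrtype, address), ...]}."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rrtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if RDATA_LEN.get(rrtype) == rdlen:            # A and AAAA only
            answers.append((name, rrtype, str(ipaddress.ip_address(rdata))))
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


def dns64_synthesize(prefix, ipv4):
    """AAAA that a /96 DNS64 prefix yields for an IPv4 address (RFC 6052 embedding)."""
    net = ipaddress.IPv6Network(f"{prefix}/96")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))


def resolve(server, name, qtype, port=53, timeout=2.0):
    """Send one UDP query to the DnsApp destination and return the parsed response."""
    qid = secrets.randbits(16)                        # unpredictable transaction id
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, qid), (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != qid:                             # drop stray or spoofed datagrams
        raise ValueError("transaction id mismatch")
    return resp


if __name__ == "__main__":
    # Assumes the CRs from this document are installed and the destination is reachable.
    resolver = "2002::192:168:100:201"
    r = resolve(resolver, "example.com", "AAAA")
    ok = ("example.com.", 28, "2002::10:11:12:13") in r["answers"]
    print("static AAAA from transparent cache:", "OK" if ok else r)
    r = resolve(resolver, "webapp.net", "AAAA")
    print("AAAA answers for webapp.net:", [a[2] for a in r["answers"]])
    print("DNS64 form of 192.0.2.10 would be", dns64_synthesize("64:ff9b::", "192.0.2.10"))
```

With dns64Mode secondary, an AAAA query for a name that only has an A record should come back with an address inside 64:ff9b::/96; `dns64_synthesize` gives the value to compare against. The transaction-id check and the pointer-hop limit are the two places a hand-rolled client usually goes wrong when pointed at untrusted responders.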
    

Traffic statistics

If you installed the CNF Controller with the Debug Sidecar enabled, connect to the sidecar to view the DNS statistics.

  1. Log in to the TMM Debug container:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. View the IPS statistics:

    tmctl -d blade protocol_inspection_stats
    

    In this example, the dns_disallowed_resource_records inspection (MX records) has matched 11 times and dns_domains_blacklist 3 times. These counters come from an IPS policy other than the cnf-ips example above, which rejects SOA queries and two signatures:

    insp_id insp_name                       vs_name
    ------- ------------------------------- -------------------------------------
      10007 dns_disallowed_resource_records cnf-gateway-cnf-dnsapp-virtual_server
      10009 dns_domains_blacklist           cnf-gateway-cnf-dnsapp-virtual_server
    
    prof_name                                     hit_count last_hit_time
    --------------------------------------------- --------- -------------
    cnf-gateway-dns-ips-profileprotocolinspection        11    1645748374
    cnf-gateway-dns-ips-profileprotocolinspection         3    1645748620
    
  3. View the DNS caching statistics:

    tmctl -d blade dns_cache_resolver_stat -s name,queries,responses,msg.hits,msg.inserts
    

    In this example, 55 queries have been processed: 48 were answered from cached messages (msg.hits) and the remaining 7 were resolved and inserted into the DNS cache (msg.inserts).

    name                           queries responses msg.hits msg.inserts
    ------------------------------ ------- --------- -------- -----------
    cnf-gateway-cnf-dnscache            55        48       48           7
    
  4. View the DNS resolution statistics:

    tmctl -d blade profile_dns_stat -s name,vs_name,queries
    

    In this example, 55 DNS queries have been processed:

    name                               vs_name                               queries
    ---------------------------------- ------------------------------------- -------
    cnf-gateway-cnf-dnsapp-profile_dns cnf-gateway-cnf-dnsapp-virtual_server      55 
    

Monitor status

When the F5BigDnsApp has a monitor configured, the Service Proxy TMM Pod logs pool member status change messages similar to the following:

oc logs -f f5-tmm-7599d547fc-g2zqd -n cnf-gateway | grep 'Pool Member Status'
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
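The up/down/up sequence above is exactly the pattern a timeout greater than the monitor interval (see DNS Monitors) produces. The following is an added example, not F5's code: it runs over the TMM log lines, tracks each pool member's last state and counts transitions, so a member that bounces is reported as flapping even when its most recent event is up. The sample log is constructed, modelled on the lines above with a second pool member added; the format of the status-change message is taken from those lines.

```python
"""Flap detection over TMM 'Pool Member Status Change' lines (added example, not F5's code)."""
import ipaddress
import re
import sys

LINE_RE = re.compile(
    r"Pool Member Status Change: pool member (?P<member>\S+) "
    r"in (?P<pool>\S+) is (?P<state>up|down)\b"
)


def split_member(member):
    """'2002::10:10:10:100:53' -> ('2002::10:10:10:100', 53).

    TMM appends the port with a colon even for IPv6 members, so split on the
    last colon and validate what remains as an address."""
    addr, _, port = member.rpartition(":")
    return str(ipaddress.ip_address(addr)), int(port)


def parse_status_changes(lines):
    """Yield (pool, member, state) for each status-change line, in log order."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["pool"], m["member"], m["state"]


def summarize(lines, flap_threshold=2):
    """Return {(pool, member): {'state': ..., 'transitions': n, 'flapping': bool}}."""
    summary = {}
    for pool, member, state in parse_status_changes(lines):
        entry = summary.setdefault((pool, member), {"state": None, "transitions": 0})
        if entry["state"] not in (None, state):       # a real change, not the first sighting
            entry["transitions"] += 1
        entry["state"] = state
    for entry in summary.values():
        entry["flapping"] = entry["transitions"] >= flap_threshold
    return summary


def members_down(summary):
    """Members whose most recent event was 'down', as 'address:port in pool'."""
    return sorted(f"{member} in {pool}" for (pool, member), e in summary.items()
                  if e["state"] == "down")


# Constructed sample log, modelled on the lines shown above (second member added).
_PREFIX = "f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member "
SAMPLE_LOG = [
    _PREFIX + "2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up",
    _PREFIX + "2002::10:10:10:101:53 in cnf-gateway-cnf-dnsapp-pool is up",
    _PREFIX + "2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down",
    _PREFIX + "2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up",
    _PREFIX + "2002::10:10:10:101:53 in cnf-gateway-cnf-dnsapp-pool is down",
]

if __name__ == "__main__":
    # Pipe `oc logs <tmm-pod> -n cnf-gateway` in, or run without input to use the sample.
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    result = summarize(lines)
    for (pool, member), e in sorted(result.items()):
        addr, port = split_member(member)
        flag = " FLAPPING" if e["flapping"] else ""
        print(f"{addr}:{port} in {pool}: {e['state']} ({e['transitions']} transitions){flag}")
    print("down now:", members_down(result) or "none")
```

A member reported as flapping with the monitor still passing points at the timeout/interval relationship rather than at the DNS server; a member listed under "down now" with zero transitions has never answered the probe, which usually means the recv address or queryType does not match what the server actually returns.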

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental