CNF DNS Express¶
DNS Express (DNSX) is an engine that enables the BIG-IP system to act as a high-speed, authoritative Domain Name System (DNS) Server. With DNS Express configured, the BIG-IP system can answer DNS queries for a DNS zone and respond to zone transfer requests from specified DNS nameservers (clients). Additionally, zone transfer communications can be secured with Transaction Signature (TSIG) keys.
Configuring DNS Express¶
Configure the BIG-IP system to use the DNS Express engine to respond to queries for a DNS zone. The process includes transferring a DNS zone from the authoritative DNS Server into DNS Express, which then handles DNS queries for the zone. To set this up, configure the required parameters in the specified order.
Set up zone transfers with optional TSIG key authentication¶
For Authoritative DNS Server:
- Retrieve the TSIG key from the authoritative DNS Server that manages the zone.
- Configure the F5BigDnsZone YAML file with the zone name, nameserver address, and optionally include the TSIG key for authentication.
For Client DNS Nameserver:
- Get the TSIG key from the Client DNS nameserver allowed to send zone transfer requests.
- Add the Client nameserver IP address in the F5BigDnsZone YAML file. Optionally include the TSIG key for the Client.
Configure DNS Application:
- Before configuring DNS Express in the BIG-IP Next system, ensure the F5BigDnsApp CR is installed and applied.
- The dnsExpressEnabled and dnsZoneTransferEnabled parameters can be used to configure the DNS Express use case.
- Modify the F5BigDnsApp YAML file to specify the IP protocol (UDP or TCP) and enable the dnsExpressEnabled parameter to support efficient zone transfers.
Configure DNS Express to answer DNS queries¶
DNS Express can respond to the DNS queries for a DNS zone configured on and transferred to the BIG-IP system. Optionally, TSIG keys can be used to validate zone transfer communications between the BIG-IP system and the authoritative DNS Server hosting the zone.
Loading a zone into DNS Express
Following is an example of loading a zone into DNS Express.
In the following diagram, an administrator at Site Request creates a DNS zone with a DNS Express Server. The DNS zone name on the BIG-IP system matches that of the authoritative DNS Server. Configuring the zone triggers a zone transfer request from DNS Express to the authoritative DNS Server hosting the zone. The Server responds, completing the zone transfer, and the zone is loaded into the DNS Express engine.
- Creation of siterequest.com DNS zone with a DNS Express Server on the BIG-IP system initiates an unsolicited zone transfer request.
- The authoritative DNS Server responds with zone transfer and DNS Express loads the zone.
DNS Express answering DNS queries
Following is an example of DNS Express answering DNS queries.
In the following diagram, when the zone is updated, the authoritative DNS Server sends a NOTIFY message to DNS Express. DNS Express responds by initiating a zone transfer request. The authoritative DNS Server responds with a zone transfer, and updates the zone in DNS Express. Subsequently, when the Local DNS (LDNS) sends a query to the zone, DNS Express can respond faster than the authoritative DNS Server.
- When a zone update occurs, the DNS Server sends a NOTIFY message to DNS Express.
- DNS Express sends a zone transfer request in response.
- The DNS Server answers with a zone transfer and DNS Express updates the zone.
- LDNS sends a DNS query for the zone.
- DNS Express answers with an authoritative response. The response is faster than the authoritative DNS Server.
TSIG Key Authentication¶
The BIG-IP system can use transaction signature (TSIG) keys to authenticate zone transfer communications between the BIG-IP system and authoritative DNS Servers, and between the BIG-IP system and DNS nameservers (clients). TSIG keys are optional and can be generated using a third-party tool such as BIND’s keygen utility.
TSIG key configured on authoritative DNS Server
You can add a TSIG key to a nameserver configuration representing an authoritative DNS Server. This configuration allows DNS Express to send a TSIG-signed zone transfer request in response to a NOTIFY message from the DNS Server, and receive a TSIG-signed zone transfer.
If required, the ‘Verify Notify TSIG’ option on the DNS zone can be disabled, to allow DNS Express to process NOTIFY messages without a TSIG key, even if the subsequent zone transfer requires one.
TSIG key configured on DNS nameserver (client)
You can add a TSIG key to a nameserver configuration that represents a DNS nameserver (client). When the Client sends a TSIG-signed zone transfer request, DNS Express returns a TSIG-signed zone transfer.
Apply F5BigDnsApp Custom Resource (CR)¶
The F5BigDnsApp CR configures the Traffic Management Microkernel (TMM) for high-performance DNS resolution. It passively monitors DNS packets on port 53 and the assigned IP address. When a DNS request is sent to this IP address, the BIG-IP system either processes the request or forwards it to the appropriate resource.
For more information on how to configure and install the F5BigDnsApp CR, see the F5BigDnsApp and F5BigDnsApp Reference pages.
Procedure¶
Following is the procedure to configure DNS Express to answer DNS queries for a DNS zone.
Configure BIND servers to allow zone transfers¶
For information on how to modify DNS server files, see fifth edition of DNS and BIND, from O’Reilly Media.
By default, BIND servers allow zone transfers to any DNS nameserver without restrictions, as named.conf typically lacks an allow-transfer statement. To improve response speed for DNS queries, you can configure the BIND Server to allow zone transfers only to the DNS Express engine on the BIG-IP system. This is done by adding an allow-transfer statement to named.conf, which restricts zone transfers to a specified list of DNS nameservers. Update the allow-transfer statement on the BIND server to include the IP address of the zxfrd pod.
Following is the form of the allow-transfer statement that uses the IP address of the zxfrd pod:
allow-transfer { localhost; <self IP address from which zone transfer request is sent to the server>; };
Example:
allow-transfer { localhost; 10.10.10.1; };
Configure BIND to send NOTIFY messages to DNS Express¶
If the zone is defined on a BIND authoritative nameserver, add an allow-transfer statement in named.conf to enable zone transfers to DNS Express. Include an also-notify statement to direct NOTIFY messages from the BIND server to DNS Express, specifying the BIG-IP system.
Note: If required, you can configure the also-notify statement on a per-zone or per-view basis. For example: also-notify { ::1 port 5353; };
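The two sections above describe the named.conf statements that decide who may pull a zone and who is told about updates. The following Python script is an added example, not part of this page or of F5's tooling: it walks a named.conf fragment, resolves the effective allow-transfer list for every zone (the zone's own statement, else the one in options, else none, which the page notes means BIND's unrestricted default), flags the unrestricted cases, and lists the also-notify targets. The named.conf text, zone names and file paths are constructed for the example; 10.10.10.1 is the page's sample zxfrd address.

```python
import re

# Constructed named.conf fragment (not from the page): the zxfrd address 10.10.10.1
# is the page's sample; zone names and file paths are made up for the example.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    also-notify { 10.10.10.1; };
};

zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
    allow-transfer { localhost; 10.10.10.1; };
};

zone "open.example" {
    type master;
    file "/etc/bind/db.open";
    allow-transfer { any; };
};

zone "default.example" {
    type master;
    file "/etc/bind/db.default";
};
"""

_BLOCK_START = re.compile(r'\b(options|zone\s+"([^"]+)")\s*\{', re.IGNORECASE)


def _blocks(conf):
    """Yield (kind, zone_name, body) for each options/zone block, matching braces."""
    for m in _BLOCK_START.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        kind = "zone" if m.group(2) else "options"
        yield kind, m.group(2), conf[m.end():i - 1]


def _statement(body, name):
    """Return the item list of `name { a; b; };` inside body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body, re.IGNORECASE)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit_zone_transfers(conf):
    """Map each zone name to a description of its effective allow-transfer ACL."""
    global_acl, zones = None, []
    for kind, name, body in _blocks(conf):
        if kind == "options":
            global_acl = _statement(body, "allow-transfer")
        else:
            zones.append((name, body))
    findings = {}
    for name, body in zones:
        acl, source = _statement(body, "allow-transfer"), "zone"
        if acl is None:  # no zone-level statement: inherit the global one
            acl, source = global_acl, "options"
        if acl is None:
            findings[name] = "UNRESTRICTED: no allow-transfer statement, BIND default applies"
        elif any(a.lower() == "any" for a in acl):
            findings[name] = "UNRESTRICTED: allow-transfer { any; } in %s" % source
        else:
            findings[name] = "restricted to %s (from %s)" % (", ".join(acl), source)
    return findings


def also_notify_targets(conf):
    """Return the global also-notify list (empty if none): where NOTIFY is sent."""
    for kind, _name, body in _blocks(conf):
        if kind == "options":
            return _statement(body, "also-notify") or []
    return []


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print("%-16s %s" % (zone, verdict))
    print("also-notify targets:", also_notify_targets(SAMPLE_NAMED_CONF))
```

Run it against a real named.conf after the allow-transfer change: every zone DNS Express serves should come back as restricted to localhost and the zxfrd address, and the also-notify list should contain the BIG-IP system so that NOTIFY messages reach DNS Express.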
Add TSIG Keys¶
TSIG keys are created by a third-party tool such as BIND keygen utility.
Note: Currently, CNFs support TSIG keys generated from the hmacmd5, hmacsha1, hmacsha256 algorithms.
- While adding TSIG keys for DNS Servers that host zones, ensure the following conditions are met:
  - DNS Servers are configured to allow the BIG-IP system to perform zone transfers.
  - Time on the systems that use TSIG keys is synchronized.
  - Get the TSIG key for each DNS Server.
- While adding TSIG keys for DNS nameservers (Clients):
  - Ensure that the time on the systems that use TSIG keys is synchronized.
  - Get the TSIG key for each Client.
Add TSIG keys to the BIG-IP system configuration, in the following scenarios:
- To validate zone transfer communications between the DNS Express and a DNS Server.
- To validate zone transfer communications between the DNS Express and a DNS nameserver (Client).
Get TSIG Key from Authoritative DNS Server:
Get the TSIG key from the Authoritative DNS Server that hosts your DNS zone and optionally the DNS nameserver (Client). Add the TSIG keys to the CR configuration as shown in the following example.
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
...
spec:
  dnsxServer:
    tsigKey:
      name: "<Key name>"
      secret: "<key secret>"
      algorithm: <key algorithm>
  clientNameServers:
    - tsigKey:
        name: "<Client Key name>"
        secret: "<Client key secret>"
        algorithm: "<Client key algorithm>"
...
Generate TSIG Key using the BIND (third-party) tool:
If the backend nameserver does not have a TSIG key, generate one with the third-party BIND tool tsig-keygen, using the following command:
tsig-keygen -a <algorithm> <Key-name>
Following is an example command to generate the TSIG Key:
~$ sudo apt install bind9
~$ tsig-keygen -a hmac-sha256 example.
Sample output:
key "example.net" {
	algorithm hmac-sha256;
	secret "dIFRW4T7DB14dn1l48zvIkML3rLHe6xpUnym/9h086U=";
};
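The key statement above has to be copied into the tsigKey fields of the CR, and the section's prerequisites (supported algorithms, synchronized clocks) are exactly what a verifier later enforces. The following Python code is an added example, not from this page or from F5: it parses tsig-keygen output into the name, secret and algorithm fields the CR uses, normalizes BIND's hmac-sha256 spelling to the hmacsha256 form the page's CR example uses, rejects algorithms outside the page's supported list, and then shows, in a deliberately simplified form, why TSIG needs synchronized time: the MAC covers the signing time and a fudge window, so a skewed clock yields a BADTIME result (the tsig_bad_time counter) even with the correct key. The full RFC 8945 MAC covers more fields than this simplification; the secret is the page's sample value, and the message bytes are constructed.

```python
import base64
import hashlib
import hmac
import re

# tsig-keygen output as the page shows it; the secret is the page's sample value
# and not a key in use anywhere.
SAMPLE_KEYGEN_OUTPUT = '''key "example.net" {
\talgorithm hmac-sha256;
\tsecret "dIFRW4T7DB14dn1l48zvIkML3rLHe6xpUnym/9h086U=";
};
'''

# Algorithms the page lists as supported by CNFs, spelled as the page's CR
# example spells them ("hmacsha256"), mapped to the matching hashlib digest.
SUPPORTED = {"hmacmd5": hashlib.md5, "hmacsha1": hashlib.sha1, "hmacsha256": hashlib.sha256}

_KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;')


def normalize_algorithm(alg):
    """BIND writes 'hmac-sha256'; the page's CR example writes 'hmacsha256'."""
    return alg.lower().replace("-", "")


def parse_tsig_keygen(text):
    """Return (tsigKey fields for the CR, warnings) from a tsig-keygen key statement."""
    m = _KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    alg = normalize_algorithm(m.group("alg"))
    if alg not in SUPPORTED:
        raise ValueError("unsupported TSIG algorithm: " + m.group("alg"))
    secret = m.group("secret")
    raw = base64.b64decode(secret, validate=True)  # raises on malformed base64
    warnings = []
    digest_size = SUPPORTED[alg]().digest_size
    if len(raw) < digest_size:  # HMAC accepts it, but it is weaker than the digest
        warnings.append("secret is %d bytes, shorter than the %s digest (%d bytes)"
                        % (len(raw), alg, digest_size))
    return {"name": m.group("name"), "secret": secret, "algorithm": alg}, warnings


def tsig_mac(fields, message, time_signed, fudge=300):
    """Simplified TSIG MAC: HMAC with the shared secret over the DNS message plus
    the 48-bit time-signed and 16-bit fudge values. RFC 8945 additionally covers
    the key name, class, TTL, algorithm name, error and other-data fields."""
    key = base64.b64decode(fields["secret"])
    data = message + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big")
    return hmac.new(key, data, SUPPORTED[fields["algorithm"]]).digest()


def verify_tsig(fields, message, mac, time_signed, now, fudge=300):
    """Classify a signed message the way the verifier's counters do: a wrong MAC is
    BADSIG (tsig_bad_sig); a clock outside the fudge window is BADTIME (tsig_bad_time)."""
    if not hmac.compare_digest(mac, tsig_mac(fields, message, time_signed, fudge)):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "OK"


if __name__ == "__main__":
    fields, warnings = parse_tsig_keygen(SAMPLE_KEYGEN_OUTPUT)
    print("tsigKey:", fields, "warnings:", warnings)
    msg = b"constructed AXFR request for example.net"  # stand-in for a DNS message
    mac = tsig_mac(fields, msg, 1700000000)
    print("in window:", verify_tsig(fields, msg, mac, 1700000000, 1700000100))
    print("skewed clock:", verify_tsig(fields, msg, mac, 1700000000, 1700001000))
```

The short-secret warning matters in practice: a 16-byte secret with hmacsha256 (as in the page's Use Case 2 example) still signs and verifies, but offers less than the algorithm's nominal strength, so generate secrets with tsig-keygen rather than by hand.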
Add back-end nameserver configuration in F5BigDnsZone CR that represents DNS servers¶
Obtain the IP address of the authoritative DNS server hosting the DNS zone. Optionally, ensure the TSIG key of the Server is available on the BIG-IP system. To transfer a zone into the DNS Express engine and enable DNS Express to respond to queries for the zone, add a nameserver configuration representing the server hosting the zone.
Update the DNS Server IP address and, optionally, the TSIG key in the f5-dns-zone.yaml file, and save the changes.
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
...
spec:
  dnsxAllowNotifyFrom: ["<DNS server IP from which NOTIFY messages are accepted>"]
  dnsxServer:
    address: "<Authoritative DNS server IP>"
    port: 53
    tsigKey:
      name: "<Key name>"
      secret: "<key secret>"
      algorithm: <key algorithm>
...
Example:
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
metadata:
  name: example.net
spec:
  dnsxAllowNotifyFrom: ["10.10.10.100"]
  dnsxServer:
    address: "10.10.10.100"
    port: 53
    tsigKey:
      name: "example.net"
      secret: "dIFRW4T7DB14dn1l48zvIkML3rLHe6xpUnym/9h086U="
      algorithm: hmac-sha256
Configure the CR to create a DNS zone and include the DNS Express Server as part of the configuration.
Note: Since zone transfers are handled by the zxfrd pod through the Kubernetes interface, ensure that the authoritative nameserver is reachable from the zxfrd pod.
Use Cases¶
Use case 1 - Configure DNS Express to offload Authoritative DNS Server (with optional TSIG keys) and answer client queries.
Use case 2 - Configure DNS Express to perform use case 1 and answer zone transfer requests (with optional TSIG keys).
Use Case 1¶
Create a DNS zone to answer DNS queries¶
Prerequisites
Perform the following steps before creating a DNS zone:
- Configure the authoritative DNS server that currently hosts the zone to allow zone transfers to the BIG-IP system.
- Ensure the nameserver information that represents the authoritative DNS server is available for configuring the F5BigDnsZone CR.
- Determine the name to use for the zone. The zone name given must exactly match the zone name on the authoritative DNS server.
Note: Zone names are case insensitive.
Procedure
For the DNS Express engine to answer DNS queries for the zone, create a DNS zone on the BIG-IP system.
In the Name field, type the name of the DNS zone. The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
In the DNS Express field dnsxServer of F5BigDnsZone, add the IP address and port of the authoritative primary DNS server that currently hosts the zone.
Note: Zone transfers are requested from this server by the DNS Express engine.
From the following Notify Action table, select any of the options to specify the action the BIG-IP system takes after receiving a NOTIFY message for this zone.
Parameter   Description
Consume     The BIG-IP system processes the NOTIFY message and does not pass the NOTIFY message to the back end DNS server.
Bypass      The BIG-IP system does not process the NOTIFY message, but instead sends the NOTIFY message to the back end DNS server.
Repeat      The BIG-IP system processes the NOTIFY message and sends the NOTIFY message to the back end DNS server.
Tip: If the nameserver configuration for the DNS server is configured with a TSIG Key, the signature is only validated for Consume and Repeat actions. Additionally, NOTIFY responses are assumed to be sent by the DNS server, except when the action is Consume and the DNS Express engine generates the response.
Following is a sample configuration of the F5BigDnsZone CR.
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
metadata:
  name: example.net
spec:
  dnsxAllowNotifyFrom: ["10.10.10.100"]
  dnsxServer:
    address: "10.10.10.100"
    port: 53
  dnsxEnabled: true
  dnsxNotifyAction: consume
For more information on the fields, the example CR, and how to configure the F5BigDnsZone CR, see the F5BigDnsZone CR page.
(Optional) Disable TSIG verification for NOTIFY messages¶
The BIG-IP system might need to accept a zone transfer for a DNS Express zone from an authoritative DNS server, even if the NOTIFY message does not contain a TSIG key. To configure the system for this scenario, disable TSIG verification for NOTIFY messages.
Set the dnsxVerifyNotifyTsig field to false in the F5BigDnsZone CR in the f5-dns-zone.yaml file, and save the file.
Example:
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
metadata:
  name: example.net
spec:
  dnsxAllowNotifyFrom: ["10.244.99.94"]
  dnsxServer:
    address: "10.244.99.94"
    port: 53
  dnsxEnabled: true
  dnsxNotifyAction: consume
  dnsxVerifyNotifyTsig: false
(Optional) Enable DNS Express to respond to a zone transfer request¶
DNS zone transfers use TCP port 53. Ensure that a listener configured for TCP exists in the configuration.
To enable DNS Express to answer zone transfers for a zone, the dns.dnsZoneTransferEnabled field must be set to true.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: dnsx-app-listener
spec:
  destination:
    address: "10.10.10.100"
    port: 53
  ipProtocol: "udp"
  snat:
    type: "automap"
  dns:
    dnsExpressEnabled: true
    dnsZoneTransferEnabled: true
Configure F5BigDnsApp¶
Configure the F5BigDnsApp CR to enable DNS Express.
Set the dnsExpressEnabled and dnsZoneTransferEnabled fields to true in the F5BigDnsApp custom resource (CR). For more information, see F5BigDnsApp.
Create applications to identify DNS Express traffic¶
Create applications to identify the DNS queries handled by DNS Express. If DNS Express only responds to UDP DNS queries, a single listener can manage both IPv4 and IPv6 traffic.
However, the best practice is to create two applications, one for UDP traffic and another for TCP traffic. DNS zone transfers use TCP port 53, so configure one DNS app for UDP traffic and another for TCP traffic, both using the same IPv4 and IPv6 addresses.
- Enter a unique name for the DNS app in the name field.
- Enter an IPv4 address in the address field under the destination field. In the IPv6 address field, provide an IPv6 address on which the BIG-IP system listens for DNS queries.
- Optional: Update the snat type field with snat, automap or none, based on the possible source address translation on your network.
- Specify the IP protocol for which the virtual server directs traffic; both TCP and UDP apply to DNS virtual servers. In the ipProtocol field, set UDP or TCP.
- Enable the dnsExpressEnabled and dnsZoneTransferEnabled fields to enable DNS Express and zone transfers.
Example configuration:
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: dnsx-app-listener
spec:
  destination:
    address: "10.10.10.100"
    port: 53
  ipProtocol: "udp"
  snat:
    type: "automap"
  dns:
    dnsExpressEnabled: true
    dnsZoneTransferEnabled: true
Create another listener with the same IPv4 address and IPv6 address configuration, but select TCP from the Protocol list.
Configure F5BigDnsxGlobalOptions CR¶
For more information on how to configure the F5BigDnsxGlobalOptions CR, see the F5BigDnsxGlobalOptions page.
Use Case 2¶
Configure DNS Express to answer zone transfer requests¶
DNS Express can respond to zone transfer requests for a DNS zone from specified DNS nameservers (clients). Optionally, DNS Express can use TSIG keys to validate the identity of the client making the zone transfer request.
Example:
Following is an example of DNS Express answering zone transfer requests.
When the zone is updated, the authoritative DNS server sends a NOTIFY message to DNS Express, which responds with a zone transfer request. The server responds with a zone transfer and the zone is updated in DNS Express. DNS Express sends a NOTIFY message to the client, and the client responds with a zone transfer request for the zone. DNS Express responds with a zone transfer and the client updates the zone.
- When a zone update occurs, the DNS server sends a NOTIFY message to DNS Express.
- DNS Express sends zone transfer requests in response to the NOTIFY query.
- DNS server answers with zone transfer and DNS Express updates the zone.
- DNS Express sends NOTIFY message to the Authoritative DNS nameserver client.
- Client sends zone transfer request in response to the NOTIFY query.
- DNS Express answers with zone transfer of siterequest.com, and client updates the zone.
Procedure¶
To configure the BIG-IP system to respond to zone transfer requests, perform the following tasks listed in this section:
Add nameservers that represent DNS nameservers (clients)
Get the IP addresses of DNS nameservers (clients) allowed to send zone transfer requests to DNS Express for a DNS zone. Optionally, ensure the TSIG key of the client is available on the BIG-IP system. To enable client requests, update the clientNameServers.address field with the nameserver’s IP and, if needed, the tsigKey field to authenticate the client during zone transfer communications.
Ensure the DNS server that hosts the zone exists and the DNS nameservers (clients) are permitted to request zone transfers.
- Add the DNS nameserver (client) details in the clientNameServers.name field.
- In the clientNameServers.address field, add the IP address on which the DNS nameserver (client) listens for DNS messages.
- (Optional) To enable the BIG-IP system to validate a zone transfer request from a client, update clientNameServers.tsigKey with the TSIG key name, secret, and algorithm of the Client. If a TSIG key is configured for the client, the BIG-IP system uses it to validate zone transfer requests and adds a signature for the key to zone transfer responses from the DNS server, pool members, or DNS Express.
Following is an example F5BigDnsZone CR:
apiVersion: k8s.f5net.com/v1
kind: F5BigDnsZone
metadata:
  name: example.net
spec:
  dnsxAllowNotifyFrom: ["10.10.10.100"]
  dnsxServer:
    address: "10.10.10.100"
    port: 53
  clientNameServers:
    - name: "client1"
      address: "11.11.11.100"
      port: 53
      tsigKey:
        name: "tsig-key-02"
        secret: "A5Sa4uEiZKrhkjDL4qb2TQ=="
        algorithm: "hmacsha256"
  dnsxEnabled: true
  dnsxNotifyAction: consume
  dnsxVerifyNotifyTsig: false
Note: To enable DNS Express to respond to zone transfer requests for a particular zone, apply a Custom Resource containing the list of permitted client nameservers. To allow specific nameservers (clients) to perform zone transfers from DNS Express, copy the example F5BigDnsZone Custom Resource provided in step 3 into a YAML file. Add the DNS nameservers (clients) to the Zone Transfer Client list of the DNS zone on the BIG-IP system.
Install the F5BigDnsZone CR.
kubectl apply -f zone.yaml
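Two requirements spread across Use Case 1 and Use Case 2 are easy to get wrong before kubectl apply: zone transfers run over TCP port 53, so a dnsZoneTransferEnabled listener needs a TCP F5BigDnsApp on the same address, and DNS Express only answers transfers for clients listed under clientNameServers. The following Python linter is an added example, not F5's code and not part of this page: it takes an F5BigDnsZone and its F5BigDnsApp listeners as plain dicts (constructed from the page's examples, so it runs without a YAML library) and reports those cross-object mismatches, unsupported TSIG algorithms per the page's list, and the weakened spots a reviewer would want called out (clients without a tsigKey, dnsxVerifyNotifyTsig set to false while the server has a key). The dns_app helper and its listener names are assumptions for the example.

```python
# Algorithms the page lists as supported for CNF TSIG keys.
SUPPORTED_TSIG = {"hmacmd5", "hmacsha1", "hmacsha256"}

# Constructed CRs as Python dicts (no PyYAML needed), modelled on the page's
# Use Case 2 F5BigDnsZone example; the client secret is the page's sample value.
ZONE_CR = {
    "apiVersion": "k8s.f5net.com/v1",
    "kind": "F5BigDnsZone",
    "metadata": {"name": "example.net"},
    "spec": {
        "dnsxAllowNotifyFrom": ["10.10.10.100"],
        "dnsxServer": {"address": "10.10.10.100", "port": 53,
                       "tsigKey": {"name": "example.net", "secret": "<key secret>",
                                   "algorithm": "hmacsha256"}},
        "clientNameServers": [
            {"name": "client1", "address": "11.11.11.100", "port": 53,
             "tsigKey": {"name": "tsig-key-02", "secret": "A5Sa4uEiZKrhkjDL4qb2TQ==",
                         "algorithm": "hmacsha256"}},
        ],
        "dnsxEnabled": True,
        "dnsxNotifyAction": "consume",
        "dnsxVerifyNotifyTsig": False,
    },
}


def dns_app(name, proto, xfr=True, address="10.10.10.100"):
    """Build a minimal F5BigDnsApp CR shaped like the page's dnsx-app-listener example."""
    return {"apiVersion": "k8s.f5net.com/v1", "kind": "F5BigDnsApp",
            "metadata": {"name": name},
            "spec": {"destination": {"address": address, "port": 53},
                     "ipProtocol": proto, "snat": {"type": "automap"},
                     "dns": {"dnsExpressEnabled": True, "dnsZoneTransferEnabled": xfr}}}


UDP_ONLY = [dns_app("dnsx-app-udp", "udp")]                              # listener names assumed
UDP_AND_TCP = [dns_app("dnsx-app-udp", "udp"), dns_app("dnsx-app-tcp", "tcp")]


def _check_key(owner, key, findings):
    alg = str(key.get("algorithm", "")).lower().replace("-", "")  # accept hmac-sha256 spelling too
    if alg not in SUPPORTED_TSIG:
        findings.append(("error", "%s: unsupported TSIG algorithm %r" % (owner, key.get("algorithm"))))
    for field in ("name", "secret"):
        if not key.get(field):
            findings.append(("error", "%s: tsigKey.%s is missing" % (owner, field)))


def lint_dnsx(zone, apps):
    """Return (severity, message) findings for one F5BigDnsZone and its F5BigDnsApp listeners."""
    findings = []
    spec = zone.get("spec", {})
    server = spec.get("dnsxServer", {})
    if not server.get("address"):
        findings.append(("error", "dnsxServer.address is required for the zone transfer into DNS Express"))
    if server.get("tsigKey"):
        _check_key("dnsxServer", server["tsigKey"], findings)
        if spec.get("dnsxVerifyNotifyTsig") is False:
            findings.append(("info", "dnsxVerifyNotifyTsig is false: NOTIFY from the server is accepted "
                                     "unsigned; only the zone transfer itself is TSIG-checked"))
    clients = spec.get("clientNameServers", [])
    for client in clients:
        label = "clientNameServers[%s]" % client.get("name", "?")
        if not client.get("address"):
            findings.append(("error", label + ": address is required"))
        if client.get("tsigKey"):
            _check_key(label, client["tsigKey"], findings)
        else:
            findings.append(("info", label + ": no tsigKey, zone transfers to this client are unauthenticated"))
    # Zone transfers use TCP port 53: every address with transfers enabled needs a TCP listener.
    xfr_apps = [a for a in apps if a["spec"].get("dns", {}).get("dnsZoneTransferEnabled")]
    tcp_addrs = {a["spec"]["destination"]["address"] for a in apps
                 if str(a["spec"].get("ipProtocol", "")).lower() == "tcp"}
    for addr in sorted({a["spec"]["destination"]["address"] for a in xfr_apps} - tcp_addrs):
        findings.append(("error", "dnsZoneTransferEnabled on %s but no TCP listener on that address "
                                  "(zone transfers use TCP port 53)" % addr))
    if clients and not xfr_apps:
        findings.append(("error", "clientNameServers listed but no F5BigDnsApp has dnsZoneTransferEnabled: true"))
    if xfr_apps and not clients:
        findings.append(("info", "zone transfers enabled but the zone lists no permitted clientNameServers"))
    return findings


def errors(findings):
    """Only the findings that should block kubectl apply."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in lint_dnsx(ZONE_CR, UDP_ONLY):
        print(sev, msg)
```

With the page's single UDP listener the linter reports the missing TCP listener as an error; adding the TCP listener described under "Create applications to identify DNS Express traffic" clears it, leaving only the informational notes about unsigned NOTIFY handling.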
DNS zone Statistics¶
Following are the steps to check the stats of DNS Express:
Log in to the TMM Debug container
kubectl exec -it deploy/f5-tmm -c debug -- bash
View DNS Express stats:
/tmctl -id blade tmmdns_zone_stat name=example.net
name        dnsx_queries dnsx_responses dnsx_xfr_msgs dnsx_notifies_recv
----------- ------------ -------------- ------------- ------------------
example.net            2              2             2                  0

dnsx_qtype_a dnsx_qtype_aaaa dnsx_qtype_any dnsx_qtype_axfr dnsx_qtype_cname
------------ --------------- -------------- --------------- ----------------
           0               0              0               2                0

dnsx_qtype_ixfr dnsx_qtype_mx dnsx_qtype_ns dnsx_qtype_other dnsx_qtype_soa
--------------- ------------- ------------- ---------------- --------------
              0             0             0                0              0

dnsx_qtype_srv dnsx_qtype_txt dnsx_rcode_noerror dnsx_rcode_nxdomain
-------------- -------------- ------------------ -------------------
             0              0                  2                   0

dnsx_rcode_refused dnsx_rcode_servfail xfr_notifies_sent xfr_notifies_failed
------------------ ------------------- ----------------- -------------------
                 0                   0                 2                   2

xfr_queries_acl_failed axfr_queries ixfr_queries tsig_missing tsig_not_required
---------------------- ------------ ------------ ------------ -----------------
                     0            2            0            0                 2

tsig_verified tsig_bad_key tsig_bad_sig tsig_bad_time
------------- ------------ ------------ -------------
            0            0            0             0
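The tmctl output above is the only place this page exposes TSIG and zone-transfer ACL outcomes, which makes it the natural monitoring feed. The following Python script is an added example, not part of the page or of F5's tooling: it parses tmctl's header / separator / values row groups into one dict, computes increments between two samples (the counters are cumulative, so alerting on raw totals would fire forever), and applies a defender's reading of the counters. The meaning given to each counter is inferred from its name, as the page does not define them; the sample text embeds the page's own values, reflowed into rows.

```python
import re

# Output of `tmctl -id blade tmmdns_zone_stat name=example.net` as the page shows
# it, reflowed into tmctl's header / separator / value rows; the numbers are the
# page's sample values.
SAMPLE_TMCTL = """\
name        dnsx_queries dnsx_responses dnsx_xfr_msgs dnsx_notifies_recv
----------- ------------ -------------- ------------- ------------------
example.net            2              2             2                  0

dnsx_qtype_a dnsx_qtype_aaaa dnsx_qtype_any dnsx_qtype_axfr dnsx_qtype_cname
------------ --------------- -------------- --------------- ----------------
           0               0              0               2                0

dnsx_qtype_ixfr dnsx_qtype_mx dnsx_qtype_ns dnsx_qtype_other dnsx_qtype_soa
--------------- ------------- ------------- ---------------- --------------
              0             0             0                0              0

dnsx_qtype_srv dnsx_qtype_txt dnsx_rcode_noerror dnsx_rcode_nxdomain
-------------- -------------- ------------------ -------------------
             0              0                  2                   0

dnsx_rcode_refused dnsx_rcode_servfail xfr_notifies_sent xfr_notifies_failed
------------------ ------------------- ----------------- -------------------
                 0                   0                 2                   2

xfr_queries_acl_failed axfr_queries ixfr_queries tsig_missing tsig_not_required
---------------------- ------------ ------------ ------------ -----------------
                     0            2            0            0                 2

tsig_verified tsig_bad_key tsig_bad_sig tsig_bad_time
------------- ------------ ------------ -------------
            0            0            0             0
"""

_SEPARATOR = re.compile(r"^[- ]+$")


def parse_tmctl(text):
    """Turn tmctl's row groups (header line, dashes line, values line) into one dict."""
    lines = text.splitlines()
    stats = {}
    for i, line in enumerate(lines[1:-1], start=1):
        if line.strip() and _SEPARATOR.match(line):
            for key, value in zip(lines[i - 1].split(), lines[i + 1].split()):
                stats[key] = int(value) if value.lstrip("-").isdigit() else value
    return stats


def counter_delta(previous, current):
    """tmctl counters are cumulative; alerting belongs on the increment between samples."""
    return {k: current[k] - previous.get(k, 0) for k in current if isinstance(current[k], int)}


def assess(stats):
    """Defender-side reading of the counters (interpretation of the counter names,
    which the page does not define)."""
    findings = []
    bad = stats.get("tsig_bad_key", 0) + stats.get("tsig_bad_sig", 0)
    if bad:
        findings.append("alert: %d TSIG failures (bad_key=%d bad_sig=%d): wrong key on a peer, "
                        "or tampered/forged zone transfer traffic"
                        % (bad, stats.get("tsig_bad_key", 0), stats.get("tsig_bad_sig", 0)))
    if stats.get("tsig_bad_time", 0):
        findings.append("warn: %d TSIG time failures: check clock synchronization on the peers"
                        % stats["tsig_bad_time"])
    if stats.get("xfr_queries_acl_failed", 0):
        findings.append("alert: %d zone transfer requests refused by the client ACL"
                        % stats["xfr_queries_acl_failed"])
    if stats.get("xfr_notifies_failed", 0):
        findings.append("warn: %d of %d NOTIFY messages to clients failed"
                        % (stats["xfr_notifies_failed"], stats.get("xfr_notifies_sent", 0)))
    if stats.get("tsig_not_required", 0):
        findings.append("info: %d zone transfer queries answered without TSIG; add tsigKey to "
                        "clientNameServers to require signing" % stats["tsig_not_required"])
    if stats.get("dnsx_queries", 0) != stats.get("dnsx_responses", 0):
        findings.append("warn: queries (%d) and responses (%d) differ"
                        % (stats.get("dnsx_queries", 0), stats.get("dnsx_responses", 0)))
    return findings


if __name__ == "__main__":
    stats = parse_tmctl(SAMPLE_TMCTL)
    for finding in assess(stats):
        print(finding)
```

For the page's sample the script raises no alert: the two AXFR queries were served without TSIG (tsig_not_required is 2) and both NOTIFY messages to clients failed, which is worth a look but is not a signature failure. In a monitoring loop, feed counter_delta of two consecutive samples into assess so a single historical BADKEY does not page forever.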