F5BigDnsApp¶
Overview¶
The F5BigDnsApp Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to provide high-performance DNS resolution, caching and DNS64 translation, both over plain DNS (the DNS listener) and over HTTPS (the DoH listener). The F5BigDnsApp CR can also reference the F5BigIpsPolicy CR to protect applications from malicious DNS traffic, and the F5BigDnsCache CR to speed up lookups with query caching.
DNS filtering is an exclusion list used by the F5BigIpsPolicy CR to reject DNS packets based on the DNS query type or the DNS resource record type. The user adds the compliance and the port to monitor when creating the CR. The two compliances related to the DNS security profile are dns_disallowed_resource_records and dns_disallowed_query_type.
This document guides you through understanding, configuring, and installing a simple F5BigDnsApp, and the optional F5BigDnsCache, F5BigIpsPolicy, and F5BigLogProfile CRs.
CR parameters¶
The tables below describe the F5BigDnsApp and F5BigDnsCache CR parameters used in this document.
F5BigDnsCache¶
The table below describes the F5BigDnsCache CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsCache Reference.
Note: DNS responses remain cached for the duration of the DNS record TTL.
Parameter | Description
---|---
cacheType | The cache type. This document uses transparent; net-resolver and resolver are the other supported cache types.
transparent.localZones.name | The fully qualified domain name of a local zone.
transparent.localZones.zoneType | The zone type for the local zone: deny, refuse, static, transparent (default), type-transparent, or redirect.
transparent.localZones.records | An array of records for this local zone.
F5BigDnsApp¶
The table below describes the F5BigDnsApp CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsApp Reference.
Parameter | Description
---|---
destination.address | Specifies the IPv4 address used by clients to resolve DNS queries.
destination.ipv6Address | Specifies the IPv6 address used by clients to resolve DNS queries.
destination.port | Specifies the virtual server port used to resolve DNS queries. The default is 53 for a DNS virtual server and 443 for a DoH virtual server.
pool.members | Specifies a list of endpoint DNS servers used to resolve DNS queries.
pool.members.address | Specifies an endpoint (DNS server) used to resolve DNS queries.
pool.members.port | Specifies the endpoint service port used to resolve DNS queries. The default value is 53.
logProfile | Specifies the F5BigLogProfile to be used.
pool.members.priorityGroup | Specifies the priority group for the pool member.
pool.minActiveMembers | Specifies the minimum number of members that must be available in one priority group.
dns.dnsCache | Enables caching by referencing a F5BigDnsCache CR by its metadata.name.
ipProtocol | Specifies the IP protocol the virtual server accepts. TCP and UDP are supported for DNS virtual servers; HTTP2 is used for DoH virtual servers.
dohProtocol | Specifies the protocol the DoH virtual server uses toward the pool members (server side). The default is UDP.
monitors.dns.enabled | Enables monitoring of pool.members availability: true or false (default).
monitors.dns.queryName | Specifies the fully qualified domain name that the monitor sends in the DNS query probe.
monitors.dns.queryType | Specifies the DNS query type the monitor sends in the probe: a (default) or aaaa.
monitors.dns.recv | The IP address that the monitor expects in the DNS server's response to the probe. The member is marked down if the probe goes unanswered or the response does not contain this address.
monitors.icmp.enabled | Enables ICMP probes to verify pool.members availability: true or false (default).
iRules | Specifies one or more iRules CRs to attach to the F5BigDnsApp CR.
vlans.vlanList | A reference to a F5BigNetVlan name that accepts traffic on the virtual server.
ddosProfile | References a DDoS profile name to use for this virtual server. The profile is applied after the GlobalDdos policy.
protocolInspectionProfile | Specifies the F5BigIpsPolicy profile to attach to this virtual server.
tcpSettings.clientSide | Specifies a client side F5BigTcpSetting CR referenced by the virtual server, using the metadata.name parameter.
tcpSettings.serverSide | Specifies a server side F5BigTcpSetting CR referenced by the virtual server, using the metadata.name parameter.
udpSettings.clientSide | Specifies a client side F5BigUdpSetting CR referenced by the virtual server, using the metadata.name parameter.
udpSettings.serverSide | Specifies a server side F5BigUdpSetting CR referenced by the virtual server, using the metadata.name parameter.
http2Settings.clientSide | Specifies a client side F5BigHttp2Setting CR referenced by the virtual server, using the metadata.name parameter.
httpSettings | References a F5BigHttpSetting CR name to use for the DoH virtual server.
clientSslSettings | References a F5BigClientSslSetting CR name to use for the DoH virtual server.
Note: The DoH listener works only when the user creates a client SSL settings CR with valid keyCertPairs and soft-references it through clientSslSettings in the DoH listener CR. Without a key and certificate the listener cannot terminate TLS on port 443.
CR Examples¶
F5BigDnsCache

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: transparent
  transparent:
    localZones:
      - name: example.com
        zoneType: static
        records:
          - example.com. IN AAAA 2002::10:11:12:13
```
F5BigDnsApp - for DNS listener

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "udp"
  destination:
    address: "192.168.100.201"
    ipv6Address: "2002::192:168:100:201"
    port: 53
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
    monitors:
      dns:
        enabled: true
        queryName: "webapp.net."
        queryType: "aaaa"
        recv: "2002::10:10:20:200"
```
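The DNS64 settings in the listener above (dns64Mode: "secondary" with dns64Prefix: "64:ff9b::") are easier to reason about with a small model. The following Python is an added example written for this page, not F5 code and not part of any CR: it embeds IPv4 answers in the /96 prefix the way RFC 6052 lays out the well-known prefix, and applies the secondary-mode rule, which is to synthesize AAAA answers only when the AAAA lookup returned nothing. The upstream answers for legacy.net., webapp.net. and dual.net. are constructed for the example; in the deployment they come from the pool members.

```python
import ipaddress

# Added example for this page, not F5 code. Models the DNS64 behaviour that
# dns64Mode: "secondary" and dns64Prefix: "64:ff9b::" configure on the
# listener. Only /96 prefixes are handled (the RFC 6052 well-known prefix);
# the shorter RFC 6052 layouts with the zero "u" octet are not modelled.

# Constructed upstream answers standing in for what the pool members return.
UPSTREAM = {
    "legacy.net.": {"A": ["10.10.20.200"]},                           # IPv4-only host
    "webapp.net.": {"AAAA": ["2002::10:10:20:200"]},                  # matches the monitor's recv
    "dual.net.":   {"A": ["192.0.2.1"], "AAAA": ["2002::10:11:12:13"]},
}


def synthesize_aaaa(prefix, ipv4):
    """Place the 32 IPv4 bits in the low 32 bits of a /96 DNS64 prefix."""
    if "/" not in prefix:              # the CR gives "64:ff9b::" without a length
        prefix += "/96"
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError("only /96 DNS64 prefixes are modelled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


def resolve_aaaa(name, prefix, upstream=UPSTREAM):
    """AAAA lookup in DNS64 secondary mode.

    secondary: the AAAA query is forwarded first; only if it returns no AAAA
    records is an A query sent and its answers turned into AAAA answers.
    Returns (how, addresses) with how in {"native", "synthesized", "nodata"}.
    """
    rrsets = upstream.get(name, {})
    if rrsets.get("AAAA"):
        return "native", list(rrsets["AAAA"])        # real AAAA: nothing synthesized
    if rrsets.get("A"):
        return "synthesized", [synthesize_aaaa(prefix, a) for a in rrsets["A"]]
    return "nodata", []                              # neither record type: empty answer


if __name__ == "__main__":
    for host in ("legacy.net.", "webapp.net.", "dual.net.", "missing.net."):
        print(host, *resolve_aaaa(host, "64:ff9b::"))
```

Two points worth checking against a live listener: a dual-stack name never receives a synthesized address in secondary mode, so only IPv4-only names show the 64:ff9b:: prefix in answers, and a synthesized address is only reachable if a NAT64 gateway actually routes 64:ff9b::/96 for the clients.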
F5BigDnsApp - for DoH listener

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dohapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "http2"
  dohProtocol: "udp"
  destination:
    address: "192.168.100.202"
    ipv6Address: "2002::192:168:100:202"
    port: 443
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  http2Settings:
    clientSide: "http2-profile"
  httpSettings: "http-profile"
  clientSslSettings: "clientssl-profile"
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
    monitors:
      dns:
        enabled: true
        queryName: "webapp.net."
        queryType: "aaaa"
        recv: "2002::10:10:20:200"
```
F5BigHttp2Setting

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigHttp2Setting
metadata:
  name: http2-profile
spec:
  activationModes: "alpn"
  concurrentStreamsPerConnection: 10
  connectionIdleTimeout: 300
  frameSize: 2048
  insertHeader: false
  insertHeaderName: "X-HTTP2"
  receiveWindow: 32
  writeSize: 16384
  headerTableSize: 4096
  enforceTlsRequirements: true
```
F5BigHttpSetting

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigHttpSetting
metadata:
  name: http-profile
spec:
  oneConnect: false
  responseChunking: "sustain"
  lwsMaxColumn: 80
```
F5BigClientSslSetting

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigClientsslSetting
metadata:
  name: clientssl-profile
spec:
  enableTls13: true
  keyCertPairs:
    - key: 'file://ssl/tls.key'
      cert: 'file://ssl/tls.crt'
```
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDnsApp and F5BigDnsCache CR shortNames are dnsapp and dnscache respectively.
View CR instance:

```shell
kubectl get dnsapp -n <namespace>
kubectl get dnscache -n <namespace>
```

View CR configuration:

```shell
kubectl get dnsapp -n <namespace> -o yaml
kubectl get dnscache -n <namespace> -o yaml
```
DNS Monitors¶
Prior to configuring and applying F5BigDnsApp monitors to Service endpoints, it is important to understand the CR's timeout and interval parameters and their recommended configuration. The parameters behave as follows:

- timeout is only observed when it is less than the interval: endpoints are marked down when unanswered probes exceed the configured timeout.
- timeout is not observed when it is greater than the interval: endpoints are marked down when unanswered probes exceed the configured interval.

In other words, the effective time to detect a failed member is the smaller of the two values, so a timeout larger than the interval is silently ignored rather than extending the detection window.

Note: F5 recommends setting the timeout value to the same as or less than the interval value.
Installation¶
Use the following steps to install the F5BigDnsApp CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: To capture and send DNS and IPS events to remote logging servers, copy the example F5BigLogHslpub CR into a YAML file:
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
    - name: hsl-pool
      endpoint:
        - "2002::192:168:10:200:514"
  syslog:
    - name: "cnf-syslog"
      distribution: "adaptive"
      format: "rfc5424"
      pool: "hsl-pool"
      protocol: "udp"
```

Install the F5BigLogHslpub CR:

```shell
kubectl apply -f cnf-hsl-cr.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

```
I0202 12:00:00.12347 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
```
Optional: To define the types of DNS and IPS events to capture, copy the F5BigLogProfile CR into a YAML file:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  name: "dns-log"
  publisher: "cnf-hsl-pub"
  dns:
    enabled: true
    publisher: "cnf-hsl-pub"
    responseLogging: true
    queryId: true
  protocolInspection:
    enabled: true
    publisher: "cnf-hsl-pub"
    logPacket: true
```

Install the F5BigLogProfile CR:

```shell
kubectl apply -f cnf-log-cr.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

```
I0202 12:00:00.12348 1 event.go:282] Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
```
Optional: The example F5BigIpsPolicy CR rejects SOA record queries on port 53, and rejects packets that match the dns_named_version_attempt and dns_os_solaris_exploit_sparc_overflow_attempt signatures. Copy and paste the CR into a YAML file:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpsPolicy
metadata:
  name: "cnf-ips"
  namespace: "cnf-gateway"
spec:
  services:
    - name: dns
      ports:
        - "53"
      compliances:
        - name: dns_disallowed_query_type
          valueType: string
          value: SOA
          action: reject
      signatures:
        - name: dns_named_version_attempt
          action: reject
        - name: dns_os_solaris_exploit_sparc_overflow_attempt
          action: reject
```

Optional: The following fragment shows how the protocol inspection profile is attached to the F5BigDnsApp CR through the protocolInspectionProfile parameter; add the parameter to the full F5BigDnsApp CR rather than applying this fragment on its own:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
spec:
  protocolInspectionProfile: "cnf-ips"
```

Note: The protocol inspection profile can be attached to either a F5BigContextSecure or a F5BigDnsApp CR. You can skip this step if you have already attached the profile to a F5BigContextSecure CR.

Install the F5BigIpsPolicy CR:

```shell
kubectl apply -f cnf-ips-policy.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigIpsPolicy CR was added/updated:

```
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5ProtocolInspectionProfile", F5ProtocolInspectionProfile cnf-gateway/cnf-ips was added/updated
```
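To check the DoH listener from the CR Examples and the IPS compliance above together, it helps to look at the query on the wire. The following Python is an added example for this page, not F5's implementation: it builds the DNS wire-format query, encodes it as the RFC 8484 dns= GET parameter that curl can send to the listener at 192.168.100.202:443, and then applies the same decision that the dns_disallowed_query_type compliance with action: reject makes on a query. The /dns-query path is the RFC 8484 convention rather than something the CR sets, the QTYPE table is a subset constructed for the example, and the curl helper assumes the listener's certificate is trusted by the client.

```python
import base64
import struct

# Added example for this page, not F5's implementation. Builds the DNS
# wire-format query a DoH client sends (RFC 8484 GET form) and applies the
# decision the F5BigIpsPolicy compliance dns_disallowed_query_type makes:
# reject the query when its QTYPE is in the disallowed list.

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
DOH_LISTENER = "192.168.100.202"          # destination.address of cnf-dohapp


def build_query(name, qtype, rd=True):
    """One-question DNS query. ID 0, as RFC 8484 recommends for GET requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)   # class IN


def doh_get_param(wire):
    """base64url without padding, the encoding the dns= parameter requires."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def doh_curl_command(name, qtype, host=DOH_LISTENER):
    """curl line for a GET to the listener; /dns-query is the RFC 8484 default path."""
    return ("curl -sS -H 'accept: application/dns-message' "
            f"'https://{host}/dns-query?dns={doh_get_param(build_query(name, qtype))}'"
            " | xxd")


def read_name(wire, off, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            hops += 1
            if hops > max_hops:                   # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # the name ends after the first pointer
            off = ((ln & 0x3F) << 8) | wire[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(wire[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_question(wire):
    """Return (qname, qtype number) of the single question in a query."""
    if struct.unpack("!H", wire[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    name, off = read_name(wire, 12)
    qtype, _qclass = struct.unpack("!HH", wire[off:off + 4])
    return name, qtype


def ips_verdict(wire, disallowed=("SOA",)):
    """Model of dns_disallowed_query_type with action: reject."""
    _name, qtype = parse_question(wire)
    return "reject" if QTYPE_NAME.get(qtype, str(qtype)) in disallowed else "accept"


if __name__ == "__main__":
    print(doh_curl_command("webapp.net.", "AAAA"))
    for t in ("AAAA", "SOA"):
        print(t, ips_verdict(build_query("example.com", t)))
```

Run the printed curl line against the DoH listener (add --cacert with the CA that signed the keyCertPairs certificate if it is not already trusted); an AAAA query for a name the pool resolves returns an application/dns-message body, while a SOA query is the one the policy above rejects, so it is a quick way to confirm the F5BigIpsPolicy is attached to the right listener.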
Optional: Copy the F5BigDnsCache CR into a YAML file. In this example, the DNS cache holds a static AAAA record and returns authoritative DNS responses for the example.com domain:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: transparent
  transparent:
    localZones:
      - name: example.com
        zoneType: static
        records:
          - example.com. IN AAAA 2002::10:11:12:13
```

Install the F5BigDnsCache CR:

```shell
kubectl apply -f cnf-dnscache-cr.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigDnsCache CR was added/updated:

```
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dnscache", F5Dnscache cnf-gateway/cnf-dnscache was added/updated
```
Copy the F5BigDnsApp into a YAML file:

a. In the example below, clients can use 192.168.100.201 or 2002::192:168:100:201 as their DNS resolver IP address for the DNS listener.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "udp"
  destination:
    address: "192.168.100.201"
    ipv6Address: "2002::192:168:100:201"
    port: 53
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  udp:
    allowNoPayload: true
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
    monitors:
      dns:
        enabled: true
        queryName: "webapp.net."
        queryType: "aaaa"
        recv: "2002::10:10:20:200"
      icmp:
        enabled: true
```

b. In the example below, clients can use 192.168.100.202 or 2002::192:168:100:202 as their DNS resolver IP address for the DoH listener.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dohapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "http2"
  dohProtocol: "udp"
  destination:
    address: "192.168.100.202"
    ipv6Address: "2002::192:168:100:202"
    port: 443
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  clientSslSettings: "clientssl-profile"
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
    monitors:
      dns:
        enabled: true
        queryName: "webapp.net."
        queryType: "aaaa"
        recv: "2002::10:10:20:200"
```

Install the F5BigDnsApp CR:

```shell
kubectl apply -f cnf-dnsapp-cr.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:

```
I0208 12:00:00.12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dns", F5Dns cnf-gateway/cnf-dnsapp was added/updated
```
Traffic statistics¶
If you installed the CNF Controller with the Debug Sidecar enabled, connect to the sidecar to view the DNS statistics.
Log in to the TMM Debug container:

```shell
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
```

View the IPS statistics:

```shell
tmctl -d blade protocol_inspection_stats
```

In this example, the IPS dns_disallowed_resource_records inspection has matched 11 times and dns_domains_blacklist 3 times:

```
insp_id insp_name                       vs_name                               prof_name                                     hit_count last_hit_time
------- ------------------------------- ------------------------------------- --------------------------------------------- --------- -------------
10007   dns_disallowed_resource_records cnf-gateway-cnf-dnsapp-virtual_server cnf-gateway-dns-ips-profileprotocolinspection 11        1645748374
10009   dns_domains_blacklist           cnf-gateway-cnf-dnsapp-virtual_server cnf-gateway-dns-ips-profileprotocolinspection 3         1645748620
```

View the DNS caching statistics:

```shell
tmctl -d blade dns_cache_resolver_stat -s name,queries,responses,msg.hits,msg.inserts
```

In this example, 55 queries have been processed, 48 of them answered from the cache, and 7 domain names have been added to the DNS cache:

```
name                     queries responses msg.hits msg.inserts
------------------------ ------- --------- -------- -----------
cnf-gateway-cnf-dnscache 55      48        48       7
```

View the DNS resolution statistics:

```shell
tmctl -d blade profile_dns_stat -s name,vs_name,queries
```

In this example, 55 DNS queries have been processed:

```
name                               vs_name                               queries
---------------------------------- ------------------------------------- -------
cnf-gateway-cnf-dnsapp-profile_dns cnf-gateway-cnf-dnsapp-virtual_server 55
```

Note: The same statistics are available for the DoH listener; only the application name differs.
Monitor status¶
When the F5BigDnsApp has a monitor configured, the Service Proxy TMM Pod logs pool member status change messages similar to the following:

```shell
kubectl logs -f f5-tmm-7599d547fc-g2zqd -n cnf-gateway | grep 'Pool Member Status'
```

```
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
```

A member that goes down and comes back within a short time, as in this excerpt, usually means the monitor timeout and interval are too tight for the DNS server's response time or that the recv address no longer matches the server's answer.
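Reading these status lines by hand does not scale once the pool has more than a couple of members. The following Python is an added example for this page, not F5 tooling: it parses Pool Member Status Change lines from the kubectl logs output, keeps the current state of each member, and reports members that keep changing state. The SAMPLE_LOG lines are constructed in the TMM log format shown above.

```python
import re
import sys
from collections import defaultdict

# Added example for this page, not F5 tooling. Parses the TMM
# "Pool Member Status Change" lines and reports members that keep changing
# state, the pattern visible in the log excerpt above.

STATUS_RE = re.compile(
    r"Pool Member Status Change: pool member (?P<member>\S+) "
    r"in (?P<pool>\S+) is (?P<state>up|down)\b"
)

# Constructed sample lines in the TMM log format shown on this page.
SAMPLE_LOG = """\
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:101:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: some other message that must be ignored
"""


def parse_status_changes(log_text):
    """Return [(pool, member, state), ...] for every status-change line, in order."""
    events = []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            events.append((m["pool"], m["member"], m["state"]))
    return events


def member_states(events):
    """Current state per (pool, member) and how many transitions each one made."""
    state, changes = {}, defaultdict(int)
    for pool, member, st in events:
        key = (pool, member)
        if state.get(key) != st:          # count only real transitions, not repeats
            changes[key] += 1
        state[key] = st
    return state, dict(changes)


def flapping_members(events, max_changes=2):
    """(pool, member) keys that changed state more than max_changes times."""
    _, changes = member_states(events)
    return sorted(key for key, n in changes.items() if n > max_changes)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    evts = parse_status_changes(text)
    for key, st in member_states(evts)[0].items():
        print(f"{key[1]} in {key[0]}: {st}")
    for key in flapping_members(evts):
        print(f"FLAPPING: {key[1]} in {key[0]}")
```

Pipe the TMM logs into it (kubectl logs f5-tmm-... -n cnf-gateway | python3 flap.py) to get the current state of every member plus a FLAPPING line for any member that transitioned more than twice; with no stdin it runs against the constructed sample.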
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.