F5BigDnsApp

Overview

The F5BigDnsApp Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to provide high-performance DNS resolution, caching and DNS64 translation over plain DNS connections (DNS listener) and over DNS over HTTPS connections (DoH listener). A single F5BigDnsApp CR serves either a DNS or a DoH listener, depending on its ipProtocol. The F5BigDnsApp CR can also reference a F5BigIpsPolicy CR to protect the DNS service from malicious traffic, and a F5BigDnsCache CR to improve DNS lookup performance with query caching.

DNS filtering is an exclusion list that the F5BigIpsPolicy CR applies to DNS packets, matching on DNS query types or DNS resource record types. When creating the CR, the user specifies the compliance checks to apply and the port to monitor. The two compliances related to the DNS security profile are dns_disallowed_resource_records and dns_disallowed_query_type.

This document guides you through understanding, configuring, and installing a simple F5BigDnsApp, and the optional F5BigDnsCache, F5BigIpsPolicy, and F5BigLogProfile CRs.

CR parameters

The tables below describe the F5BigDnsApp and F5BigDnsCache CR parameters used in this document.

F5BigDnsCache

The table below describes the F5BigDnsCache CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsCache Reference.

Note: DNS responses remain cached for the duration of the DNS record TTL.

Parameter Description
cacheType The transparent cacheType is used in this document. The other supported cacheTypes are net-resolver and resolver.
transparent.localZones.name The Fully Qualified Domain Name for a localZone.
transparent.localZones.zoneType The zone type for the localZone: deny, refuse, static, transparent (default), type-transparent, or redirect.
transparent.localZones.records An array of records for this localZone.

F5BigDnsApp

The table below describes the F5BigDnsApp CR spec parameters used in this document. For the full list of parameters, refer to the F5BigDnsApp Reference.

Parameter Description
destination.address Specifies the IPv4 address used by clients to resolve DNS queries.
destination.ipv6Address Specifies the IPv6 address used by clients to resolve DNS queries.
destination.port Specifies the virtual server port used to resolve DNS queries. The default is 53 for DNS virtual and 443 for DoH virtual.
pool.members Specifies a list of endpoint DNS servers used to resolve DNS queries.
pool.members.address Specifies an endpoint, or DNS server used to resolve DNS queries.
pool.members.port Specifies the endpoint service port used to resolve DNS queries. The default value is 53.
logProfile Specifies the F5BigLogProfile to be used.
pool.members.priorityGroup Specifies the priority group for the pool member.
pool.minActiveMembers Specifies the minimum number of members that must be available in one priority group.
dns.dnsCache Enables caching by referencing a F5BigDnsCache CR by its metadata.name.
ipProtocol Specifies the IP protocol for which the virtual server has to direct the traffic. TCP and UDP are the supported IP protocols for DNS virtual servers and HTTP2 is for DoH virtual servers.
dohProtocol Specifies the server-side protocol the DoH virtual server uses to forward queries to the pool members. The default is udp.
monitors.dns.enabled Enables monitoring the pool.members availability: true or false (default).
monitors.dns.queryName Specifies a fully qualified domain name the monitor sends in the DNS query probe.
monitors.dns.queryType Specifies the DNS query type that the monitor sends in the DNS query probe: a (default) or aaaa.
monitors.dns.recv The IP address that the monitor looks for in the DNS server response to the DNS query probe.
monitors.dns.icmp.enabled Enables sending ICMP probes to verify the pool.members availability: true or false (default).
iRules Specifies one or more iRules CRs within F5BigDnsApp CR.
vlans.vlanList A reference to a F5BigNetVlan name that accepts traffic on the virtual server.
ddosProfile References a Ddos profile name to use for this virtual server. The profile is applied here after the application of GlobalDdos policy.
protocolInspectionProfile Specifies the F5BigIpsPolicy CR to be attached to this virtual server, using the metadata.name parameter.
tcpSettings.clientSide Specifies a client side F5BigTcpSetting CR referenced by the virtual server, using the metadata.name parameter.
tcpSettings.serverSide Specifies a server side F5BigTcpSetting CR referenced by the virtual server, using the metadata.name parameter.
udpSettings.clientSide Specifies a client side F5BigUdpSetting CR referenced by the virtual server, using the metadata.name parameter.
udpSettings.serverSide Specifies a server side F5BigUdpSetting CR referenced by the virtual server, using the metadata.name parameter.
http2Settings.clientSide Specifies a client side F5BigHttp2Setting profile referenced by the virtual server, using the metadata.name parameter.
httpSettings References a F5BigHttpSetting profile name to use for the DoH virtual server.
clientSslSettings References a F5BigClientSslSetting profile name to use for the DoH virtual server.

Note: The DoH listener works only when a F5BigClientSslSetting CR with valid keyCertPairs has been created and is referenced from the DoH listener CR with the clientSslSettings parameter.

CR Examples

F5BigDnsCache

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsCache
metadata:
  name: "cnf-dnscache"
  namespace: "cnf-gateway"
spec:
  cacheType: transparent
  transparent:
    localZones:
      - name: example.com
        zoneType: static
        records:
          - example.com. IN AAAA 2002::10:11:12:13

F5BigDnsApp - for DNS listener

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dnsapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "udp"
  destination:
    address: "192.168.100.201"
    ipv6Address: "2002::192:168:100:201"
    port: 53
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
  monitors:
    dns:
      enabled: true
      queryName: "webapp.net."
      queryType: "aaaa"
      recv: "2002::10:10:20:200"

F5BigDnsApp - for DoH listener

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDnsApp
metadata:
  name: "cnf-dohapp"
  namespace: "cnf-gateway"
spec:
  ipProtocol: "http2"
  dohProtocol: "udp"
  destination:
    address: "192.168.100.202"
    ipv6Address: "2002::192:168:100:202"
    port: 443
  snat:
    type: "automap"
  iRules: ["dns-req"]
  dns:
    dnsCache: "cnf-dnscache"
    dns64Mode: "secondary"
    dns64Prefix: "64:ff9b::"
    dns64AdditionalSectionRewrite: "v4-only"
  http2Settings:
    clientSide: "http2-profile"
  httpSettings: "http-profile"
  clientSslSettings: "clientssl-profile"
  pool:
    members:
      - address: "2002::10:10:10:100"
      - address: "2002::10:10:10:101"
  monitors:
    dns:
      enabled: true
      queryName: "webapp.net."
      queryType: "aaaa"
      recv: "2002::10:10:20:200"

F5BigHttp2Setting

apiVersion: "k8s.f5net.com/v1"
kind: F5BigHttp2Setting
metadata:
  name: http2-profile
spec:
  activationModes: "alpn"
  concurrentStreamsPerConnection: 10
  connectionIdleTimeout: 300
  frameSize: 2048
  insertHeader: false
  insertHeaderName: "X-HTTP2"
  receiveWindow: 32
  writeSize: 16384
  headerTableSize: 4096
  enforceTlsRequirements: true

F5BigHttpSetting

apiVersion: "k8s.f5net.com/v1"
kind: F5BigHttpSetting
metadata:
  name: http-profile
spec:
  oneConnect: false
  responseChunking: "sustain"
  lwsMaxColumn: 80

F5BigClientSslSetting

apiVersion: "k8s.f5net.com/v1"
kind: F5BigClientsslSetting
metadata:
  name: clientssl-profile
spec:
  enableTls13: true
  keyCertPairs:
    - key: 'file://ssl/tls.key'
      cert: 'file://ssl/tls.crt'

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDnsApp and F5BigDnsCache CR shortNames are dnsapp and dnscache respectively.

View CR instance:

kubectl get dnsapp -n <namespace>
kubectl get dnscache -n <namespace>

View CR configuration:

kubectl get dnsapp -n <namespace> -o yaml
kubectl get dnscache -n <namespace> -o yaml

DNS Monitors

Prior to configuring and applying F5BigDnsApp monitors to Service endpoints, it is important to understand the CR’s timeout and interval parameters, and their recommended configuration. The parameters behave as follows:

  • timeout is only observed when it is less than the interval: Endpoints are marked down when unanswered probes exceed the configured timeout.
  • timeout is not observed when it is greater than the interval: Endpoints are marked down when unanswered probes exceed the configured interval.

Note: F5 recommends setting the timeout value to the same as or less than the interval value.

Requirements

Ensure you have:

Installation

Use the following steps to install the F5BigDnsApp CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: To capture and send DNS and IPS events to remote logging servers, copy the example F5BigLogHslpub CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: hsl-pool
        endpoint:
        - "2002::192:168:10:200:514"
      syslog:
      - name: "cnf-syslog"
        distribution: "adaptive"
        format: "rfc5424"
        pool: "hsl-pool"
        protocol: "udp"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. Optional: To define the types of DNS and IPS events to capture, copy the F5BigLogProfile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "dns-log"
      publisher: "cnf-hsl-pub"
      dns:
        enabled: true
        publisher: "cnf-hsl-pub"
        responseLogging: true
        queryId: true
      protocolInspection:
        enabled: true
        publisher: "cnf-hsl-pub"
        logPacket: true
    
  4. Install the F5BigLogProfile CR:

    kubectl apply -f cnf-log-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12348   1 event.go:282] Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. Optional: The example F5BigIpsPolicy CR rejects SOA record queries, and rejects dns_named_version_attempt and dns_os_solaris_exploit_sparc_overflow_attempt packet signatures. Copy and paste the CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigIpsPolicy
    metadata:
      name: "cnf-ips"
      namespace: "cnf-gateway"
    spec:
      services:
        - name: dns
          ports:
            - "53"
          compliances:
            - name: dns_disallowed_query_type
              valueType: string
              value: SOA
              action: reject
          signatures:
            - name: dns_named_version_attempt
              action: reject
            - name: dns_os_solaris_exploit_sparc_overflow_attempt
              action: reject
    
  6. Optional: To attach the F5BigIpsPolicy to the DNS listener, reference it from the F5BigDnsApp spec with the protocolInspectionProfile parameter. The fragment below shows only that parameter; add it to the full F5BigDnsApp CR you create in step 10:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dnsapp"
      namespace: "cnf-gateway"
    spec:
      protocolInspectionProfile: "cnf-ips"
    

    Note: The F5BigIpsPolicy can be attached to either a F5BigContextSecure or a F5BigDnsApp CR. You can skip this step if you have already attached it to a F5BigContextSecure CR.

  7. Install the F5BigIpsPolicy CR:

    kubectl apply -f cnf-ips-policy.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigIpsPolicy CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ProtocolInspectionProfile", 
    F5ProtocolInspectionProfile cnf-gateway/cnf-ips was added/updated
    
  8. Optional: Copy the F5BigDnsCache CR into a YAML file:

    In this example, the DNS cache creates an AAAA record, and returns authoritative DNS responses for the example.com domain.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsCache
    metadata:
      name: "cnf-dnscache"
      namespace: "cnf-gateway"
    spec:
      cacheType: transparent
      transparent:
        localZones:
          - name: example.com
            zoneType: static
            records:
              - example.com. IN AAAA 2002::10:11:12:13
    
  9. Install the F5BigDnsCache CR:

    kubectl apply -f cnf-dnscache-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsCache CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dnscache", 
    F5Dnscache cnf-gateway/cnf-dnscache was added/updated
    
  10. Copy the F5BigDnsApp into a YAML file:

    a. In the example below, clients can use 192.168.100.201 or 2002::192:168:100:201 as their DNS resolver IP address for the DNS listener.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dnsapp"
      namespace: "cnf-gateway"
    spec:
      ipProtocol: "udp"
      destination:
        address: "192.168.100.201"
        ipv6Address: "2002::192:168:100:201"
        port: 53
      snat:
        type: "automap"
      iRules: ["dns-req"]
      dns:
        dnsCache: "cnf-dnscache"
        dns64Mode: "secondary"
        dns64Prefix: "64:ff9b::"
        dns64AdditionalSectionRewrite: "v4-only"
      udp:
        allowNoPayload: true
      pool:
        members:
          - address: "2002::10:10:10:100"
          - address: "2002::10:10:10:101"
      monitors:
        dns:
          enabled: true
          queryName: "webapp.net."
          queryType: "aaaa"
          recv: "2002::10:10:20:200"
        icmp:
          enabled: true
    

    b. In the example below, clients can use 192.168.100.202 or 2002::192:168:100:202 as their DNS resolver IP address for DoH listener.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dohapp"
      namespace: "cnf-gateway"
    spec:
      ipProtocol: "http2"
      dohProtocol: "udp"
      destination:
        address: "192.168.100.202"
        ipv6Address: "2002::192:168:100:202"
        port: 443
      snat:
        type: "automap"
      iRules: ["dns-req"]
      dns:
        dnsCache: "cnf-dnscache"
        dns64Mode: "secondary"
        dns64Prefix: "64:ff9b::"
        dns64AdditionalSectionRewrite: "v4-only"
      http2Settings:
        clientSide: "http2-profile"
      httpSettings: "http-profile"
      clientSslSettings: "clientssl-profile"
      pool:
        members:
          - address: "2002::10:10:10:100"
          - address: "2002::10:10:10:101"
      monitors:
        dns:
          enabled: true
          queryName: "webapp.net."
          queryType: "aaaa"
          recv: "2002::10:10:20:200"
    
  11. Install the F5BigDnsApp CR:

    kubectl apply -f cnf-dnsapp-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dns",
    F5Dns cnf-gateway/cnf-dnsapp was added/updated
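
    The following harness is an added example and is not part of the F5 CNF documentation or the product's code. It is a stdlib-only DNS wire-format encoder and decoder that lets you reason offline about what the CRs installed above should do: it builds the probe that monitors.dns sends (queryName, queryType) and decides up/down from the recv address, applies the timeout/interval rule from the DNS Monitors section, checks the static-zone AAAA answer from the F5BigDnsCache and the RFC 6052 address synthesis behind dns64Prefix in secondary mode, and applies the dns_disallowed_query_type and dns_disallowed_resource_records compliances from the step 5 F5BigIpsPolicy to a query or response. All packets are constructed in the file; nothing is sent to the listener. The address 10.10.20.200 used for the DNS64 check and the rcode/flag values are assumptions for illustration.

```python
"""Offline harness for the DNS listener configured above. Added example, not
part of the F5 CNF documentation or its code: a stdlib-only DNS wire-format
encoder/decoder used to build the monitors.dns probe and judge it by `recv`,
apply the DNS Monitors timeout/interval rule, check static-zone and DNS64
answers, and apply the F5BigIpsPolicy compliances from step 5. Every packet
is constructed here; nothing is sent on the network."""
import ipaddress
import struct

QTYPES = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12, "mx": 15, "txt": 16, "aaaa": 28}
TYPE_NAMES = {v: k.upper() for k, v in QTYPES.items()}

def encode_name(name):
    """FQDN -> RFC 1035 label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(qname, qtype, txid=0x1234):
    """Recursive query, as the DNS monitor probe or a client sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype.lower()], 1)

def build_response(query, answers, rcode=0):
    """Reply to `query` with A/AAAA answers [(name, type, ttl, ip)]; constructed test data only."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = b""
    for name, rtype, ttl, ip in answers:
        rdata = ipaddress.ip_address(ip).packed
        body += encode_name(name) + struct.pack("!HHIH", QTYPES[rtype.lower()], 1, ttl, len(rdata)) + rdata
    return header + query[12:] + body

def parse_message(msg):
    """Parse the header, question and answer sections of a query or response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        value = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def effective_timeout(timeout, interval):
    """DNS Monitors rule: the timeout is honoured only when it is below the interval."""
    return timeout if timeout < interval else interval

def monitor_up(response, query_name, query_type, recv):
    """A pool member is up only if a NOERROR reply to the probe carries the `recv` address."""
    want = ipaddress.ip_address(recv)
    parsed = parse_message(response)
    return parsed["rcode"] == 0 and any(
        n == query_name and t == query_type.upper() and ipaddress.ip_address(v) == want
        for n, t, _ttl, v in parsed["answers"])

def dns64_synthesize(ipv4, prefix="64:ff9b::"):
    """RFC 6052 /96 mapping behind dns64Prefix: the IPv4 address goes in the low 32 bits."""
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address(prefix)) | int(ipaddress.IPv4Address(ipv4))))

def dns64_secondary(aaaa_values, a_values, prefix="64:ff9b::"):
    """dns64Mode secondary: real AAAA answers win; synthesize from A only when there are none."""
    return list(aaaa_values) if aaaa_values else [dns64_synthesize(a, prefix) for a in a_values]

def ips_verdict(compliances, message):
    """Apply F5BigIpsPolicy compliances to a query or response; the first match decides."""
    parsed = parse_message(message)
    for c in compliances:
        bad = c["value"].upper()
        if c["name"] == "dns_disallowed_query_type" and any(t == bad for _, t in parsed["questions"]):
            return c["action"]
        if c["name"] == "dns_disallowed_resource_records" and any(t == bad for _, t, _ttl, _v in parsed["answers"]):
            return c["action"]
    return "accept"

# Constructed traffic mirroring the CRs above: static zone, monitor probe, step-5 policy.
STATIC_ZONE_REPLY = build_response(build_query("example.com.", "aaaa"),
                                   [("example.com.", "aaaa", 300, "2002::10:11:12:13")])
PROBE = build_query("webapp.net.", "aaaa")
PROBE_REPLY_GOOD = build_response(PROBE, [("webapp.net.", "aaaa", 60, "2002::10:10:20:200")])
PROBE_REPLY_WRONG = build_response(PROBE, [("webapp.net.", "aaaa", 60, "2002::dead:beef")])
IPS_POLICY = [{"name": "dns_disallowed_query_type", "value": "SOA", "action": "reject"}]
```

    Two points the functions make concrete: monitor_up treats a reply that is NOERROR but carries a different address as a failed probe, which is exactly why recv should name an address the monitored server is guaranteed to return; and ips_verdict shows that dns_disallowed_query_type is evaluated on the question section of the client's query while dns_disallowed_resource_records is evaluated on answers, so the two compliances protect against different things.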
    

Traffic statistics

If you installed the CNF Controller with the Debug Sidecar enabled, connect to the sidecar to view the DNS statistics.

  1. Log in to the TMM Debug container:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. View the IPS statistics:

    tmctl -d blade protocol_inspection_stats
    

    In this example, the dns_disallowed_resource_records compliance has matched 11 times and dns_domains_blacklist 3 times:

    insp_id insp_name                       vs_name
    ------- ------------------------------- -------------------------------------
      10007 dns_disallowed_resource_records cnf-gateway-cnf-dnsapp-virtual_server
      10009 dns_domains_blacklist           cnf-gateway-cnf-dnsapp-virtual_server
    
    prof_name                                     hit_count last_hit_time
    --------------------------------------------- --------- -------------
    cnf-gateway-dns-ips-profileprotocolinspection        11    1645748374
    cnf-gateway-dns-ips-profileprotocolinspection         3    1645748620
    
  3. View the DNS caching statistics:

    tmctl -d blade dns_cache_resolver_stat -s name,queries,responses,msg.hits,msg.inserts
    

    In this example, 55 queries have been processed, 48 were answered from the message cache, and 7 entries have been inserted into the DNS cache.

    name                           queries responses msg.hits msg.inserts
    ------------------------------ ------- --------- -------- -----------
    cnf-gateway-cnf-dnscache            55        48       48           7
    
  4. View the DNS resolution statistics:

    tmctl -d blade profile_dns_stat -s name,vs_name,queries
    

    In this example, 55 successful DNS queries have been processed:

    name                               vs_name                               queries
    ---------------------------------- ------------------------------------- -------
    cnf-gateway-cnf-dnsapp-profile_dns cnf-gateway-cnf-dnsapp-virtual_server      55 
    

    Note: The same statistics are available for the DoH listener; only the application name in the output differs.

Monitor status

When the F5BigDnsApp has a monitor configured, the Service Proxy TMM Pod logs pool member status change messages similar to the following:

kubectl logs -f f5-tmm-7599d547fc-g2zqd -n cnf-gateway | grep 'Pool Member Status'
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
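
The following script is an added example and is not part of the F5 CNF documentation. It parses "Pool Member Status Change" lines in the format shown above, keeps the latest state of each pool member, reports pools that have fewer members up than pool.minActiveMembers requires, and flags members that flap between up and down more than a chosen number of times. The sample log text is constructed to match the format above and is not captured from a real Pod; the flap threshold and the minActiveMembers value used in the checks are assumptions.

```python
"""Track pool member health from TMM 'Pool Member Status Change' log lines.
Added example, not part of the F5 CNF documentation; SAMPLE_LOG is constructed
to match the format shown above rather than captured from a real Pod."""
import re
import sys
from collections import defaultdict

SAMPLE_LOG = """\
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:101:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: some unrelated line that the parser must ignore
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is up
f5-tmm-7599d547fc-g2zqd tmm[34]: 01010057:3: Pool Member Status Change: pool member 2002::10:10:10:100:53 in cnf-gateway-cnf-dnsapp-pool is down
"""

STATUS_RE = re.compile(
    r"Pool Member Status Change: pool member (?P<member>\S+) in (?P<pool>\S+) is (?P<state>up|down)\b")

def parse_status_events(text):
    """Return [(pool, member, state)] in log order, ignoring unrelated lines."""
    matches = (STATUS_RE.search(line) for line in text.splitlines())
    return [(m["pool"], m["member"], m["state"]) for m in matches if m]

def current_state(events):
    """Latest known state per (pool, member); later lines override earlier ones."""
    state = {}
    for pool, member, s in events:
        state[(pool, member)] = s
    return state

def active_members(events, pool):
    """Members of `pool` whose latest state is up."""
    return sorted(m for (p, m), s in current_state(events).items() if p == pool and s == "up")

def below_min_active(events, pool, min_active_members):
    """True when fewer members are up than pool.minActiveMembers requires."""
    return len(active_members(events, pool)) < min_active_members

def flapping_members(events, max_transitions=2):
    """Members whose state changed more than `max_transitions` times in the window."""
    transitions, last = defaultdict(int), {}
    for pool, member, s in events:
        key = (pool, member)
        if key in last and last[key] != s:
            transitions[key] += 1
        last[key] = s
    return sorted(m for (p, m), n in transitions.items() if n > max_transitions)

if __name__ == "__main__":
    # Pipe `kubectl logs <tmm-pod> -n cnf-gateway` into this script, or run it on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    events = parse_status_events(text)
    for pool in sorted({p for p, _, _ in events}):
        print(pool, "up:", active_members(events, pool), "below min(2):", below_min_active(events, pool, 2))
    print("flapping:", flapping_members(events))
```

Because the regex anchors on the message text rather than on the Pod name or the tmm instance number, the same script works across Pod restarts and multiple TMM threads; feeding it the live `kubectl logs` stream turns the raw status changes into the two signals an operator actually acts on, a pool under its minimum and a member that the monitor keeps marking up and down.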

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.
