Manual Chapter: Configuring a DNS Zone Proxy
Applies To:
BIG-IP LTM
- 14.0.1, 14.0.0
BIG-IP DNS
- 14.0.1, 14.0.0
Overview: Configuring a DNS zone proxy
Within your network, the BIG-IP® system can act as a proxy for an authoritative DNS server. In this case, when the BIG-IP system receives a zone transfer request from a specified list of DNS nameservers (clients), the system sends the request to the authoritative DNS server. The server responds with a zone transfer, and the BIG-IP system sends the zone transfer to the client that made the zone transfer request. Optionally, the BIG-IP system can use transaction signature (TSIG) keys to validate the identity of the authoritative DNS server sending a zone transfer and of the DNS nameservers (clients) sending zone transfer requests.
Example of DNS zone proxy with client-side TSIG authentication
In this figure, an administrator at Site Request creates a DNS zone on the BIG-IP system that is a proxy for the zone on the authoritative DNS server that hosts the zone. The name of the DNS zone on the BIG-IP system matches the name of the zone on the authoritative DNS server. The administrator uses TSIG key authentication to verify the zone transfer communications between the BIG-IP system and the DNS nameserver (client) making the zone transfer request.
BIG-IP system acting as DNS zone proxy with client-side TSIG authentication

- DNS nameserver (client) sends TSIG-signed zone transfer request for a DNS zone.
- BIG-IP system validates the signature and removes the client TSIG key.
- BIG-IP system sends the unsigned request to the DNS server that hosts the zone.
- DNS server answers with an unsigned zone transfer to the BIG-IP system.
- BIG-IP system adds the client TSIG key to the response.
- BIG-IP system sends a TSIG-signed zone transfer to the DNS nameserver that made the request.
Example of DNS zone proxy with client-side and server-side TSIG authentication
In this figure, an administrator at Site Request creates a DNS zone on the BIG-IP system that is a proxy for the zone on the authoritative DNS server that hosts the zone. The name of the DNS zone on the BIG-IP system matches the name of the zone on the authoritative DNS server. The administrator uses TSIG key authentication to verify the zone transfer communications between the BIG-IP system and the authoritative DNS server, and between the BIG-IP system and the client making a zone transfer request.
BIG-IP system acting as DNS zone proxy with client-side and server-side TSIG authentication

- DNS nameserver (client) sends TSIG-signed zone transfer request for a DNS zone.
- BIG-IP system validates the signature, removes the client TSIG key from the request, and adds the server TSIG key to the request.
- BIG-IP system sends the TSIG-signed request to the DNS server that hosts the zone.
- DNS server answers with a TSIG-signed zone transfer to the BIG-IP system.
- BIG-IP system validates the signature, removes the server TSIG key from the response, and adds the client TSIG key to the response.
- BIG-IP system sends the TSIG-signed zone transfer to the DNS nameserver that made the request.
About TSIG key authentication
The BIG-IP® system can use transaction signature (TSIG) keys to authenticate communications about zone transfers between the BIG-IP system and authoritative DNS servers, and between the BIG-IP system and DNS nameservers (clients). TSIG keys are generated by a third-party tool such as BIND's keygen utility. Using TSIG keys is optional.
- TSIG key configured on authoritative DNS server
- You can add a TSIG key to a nameserver object that represents an authoritative DNS server. With this configuration, when the DNS server sends a NOTIFY message to the BIG-IP system, DNS Express™ responds with a TSIG-signed zone transfer request. Then the DNS server returns a TSIG-signed zone transfer. If required, you can disable the Verify Notify TSIG option on the DNS zone. With this configuration, DNS Express can process a NOTIFY message without a TSIG key, even when a subsequent zone transfer requires a TSIG key.
- TSIG key configured on DNS nameserver (client)
- You can add a TSIG key to a nameserver object that represents a DNS nameserver (client). When the client sends a TSIG-signed zone transfer request, DNS Express returns a TSIG-signed zone transfer.
- TSIG key configured on DNS zone
- You can add a server TSIG key to a DNS zone on the BIG-IP system. With this configuration, the system uses this TSIG key when the zone on the BIG-IP system is a proxy for the zone on the server. There are two possible scenarios:
- Client sends TSIG-signed zone transfer request: When the BIG-IP system receives a TSIG-signed zone transfer request from a client for a DNS zone for which it is a proxy, the system validates the client TSIG key and removes the key from the request. The system then adds the server TSIG key to the request and forwards the TSIG-signed request to the DNS server, or load balances the TSIG-signed request to a pool of DNS servers. The DNS server responds with a TSIG-signed zone transfer. The BIG-IP system validates the server TSIG key and removes the key. Then the system adds the client TSIG key and returns a TSIG-signed zone transfer to the client.
- Client sends unsigned zone transfer request: When the BIG-IP system receives an unsigned zone transfer request from a client for a DNS zone for which it is a proxy, the system adds the server TSIG key to the request. The system then forwards the TSIG-signed request to the DNS server, or load balances the TSIG-signed request to a pool of DNS servers. The DNS server responds with a TSIG-signed zone transfer. The BIG-IP system validates the server TSIG key and removes the key. Then the system returns an unsigned zone transfer to the client.
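As an added illustration (not F5's code and not the BIG-IP implementation), the following Python model walks both scenarios above through the key swap: a client-signed or unsigned request in, a request signed with the zone's server key out, and the reverse on the returned zone transfer, with a bad or missing signature rejected at either hop. The "tsig" record here is a simplified HMAC-SHA256 over the message fields, not the RFC 8945 wire format, and the zone, key names and secrets are constructed sample values.

```python
# Added example, not F5's code: a simplified model of the key swap a BIG-IP zone
# proxy performs. The "tsig" record is an HMAC over message fields, not real TSIG.
import hashlib
import hmac

def _mac(key: bytes, msg: dict, keyname: str) -> bytes:
    # Zone names are case insensitive, so canonicalize before signing.
    data = b"|".join([msg["zone"].lower().encode(), msg["qtype"].encode(),
                      msg["body"], keyname.encode()])
    return hmac.new(key, data, hashlib.sha256).digest()

def sign(msg: dict, keyname: str, key: bytes) -> dict:
    """Attach a TSIG-style record {keyname, mac} to a copy of the message."""
    return {**msg, "tsig": {"keyname": keyname, "mac": _mac(key, msg, keyname)}}

def verify_and_strip(msg: dict, keyring: dict) -> dict:
    """Validate the TSIG record against the known keys, then remove it."""
    tsig = msg.get("tsig")
    key = keyring.get(tsig["keyname"]) if tsig else None
    if key is None:
        raise PermissionError("unsigned message or unknown TSIG key")
    if not hmac.compare_digest(_mac(key, msg, tsig["keyname"]), tsig["mac"]):
        raise PermissionError("BADSIG")
    return {k: v for k, v in msg.items() if k != "tsig"}

class ZoneProxy:
    def __init__(self, client_keys: dict, server_keys: dict):
        self.client_keys = client_keys  # keys on nameserver (client) objects
        self.server_keys = server_keys  # zone -> (keyname, secret), optional

    def forward_request(self, req: dict) -> tuple:
        """Client -> BIG-IP -> server: check/strip client key, add server key."""
        client_keyname = None
        if "tsig" in req:
            client_keyname = req["tsig"]["keyname"]
            req = verify_and_strip(req, self.client_keys)
        srv = self.server_keys.get(req["zone"].lower())
        if srv:
            req = sign(req, *srv)
        return req, client_keyname

    def return_response(self, resp: dict, client_keyname) -> dict:
        """Server -> BIG-IP -> client: check/strip server key, re-add client key."""
        srv = self.server_keys.get(resp["zone"].lower())
        if srv:
            resp = verify_and_strip(resp, {srv[0]: srv[1]})
        if client_keyname:
            resp = sign(resp, client_keyname, self.client_keys[client_keyname])
        return resp
```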
About listeners
A listener is a specialized virtual server that passively checks for DNS packets on port 53 and the IP address you assign to the listener. When a DNS request is sent to the IP address of the listener, the BIG-IP system either handles the request or forwards the request to the appropriate resource.
Task summary for configuring DNS zone proxy
Perform these tasks to configure a DNS zone on the BIG-IP system that is a proxy for a DNS zone on a DNS server in your network:
Configuring BIND servers to allow zone transfers
If you are unfamiliar with how to modify BIND server files, review the fifth edition of DNS and BIND, available from O’Reilly Media.
Typically, BIND servers allow zone transfers to any DNS nameserver requesting a zone transfer. That is, named.conf on a typical BIND server does not contain an allow-transfer statement. However, the BIND server on the BIG-IP system is configured to allow zone transfers only to the localhost. Thus, named.conf on the BIG-IP system contains this allow-transfer statement: allow-transfer { localhost; };
When you want to improve the speed of responses to DNS queries, you can configure a BIND server to allow zone transfers only to the DNS Express engine on the BIG-IP system. You do this by adding an allow-transfer statement to named.conf on the BIND server.
Adding an allow-transfer statement to a BIND server actually restricts zone transfers to a specified list of DNS nameservers.
- Add to the BIND server an allow-transfer statement that specifies a self IP address on the BIG-IP system. You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system: allow-transfer { localhost; <self IP address from which zone transfer request is sent to the server>; }; For example: allow-transfer { localhost; 10.10.10.1; };
Adding TSIG keys for DNS zone proxy
Obtain the TSIG keys that you want to add to the BIG-IP system for the DNS server that hosts the zone. Obtain the TSIG key for the DNS nameservers (clients) that you want to add to the BIG-IP system configuration.
TSIG keys are created by a third-party tool such as BIND’s keygen utility. When you want the BIG-IP system to authenticate the identity of the DNS server and DNS nameservers (clients) when communicating about DNS zone transfers, add TSIG keys to the BIG-IP system configuration.
- On the Main tab, click …. The TSIG Key List screen opens.
- Click Create. The New TSIG Key screen opens.
- In the Name field, type the name of the TSIG key.
- From the Algorithm list, select the algorithm that was used to generate the key.
- In the Secret field, type the TSIG key secret.
- Click Finished.
- Create additional TSIG keys, as needed.
Add the server TSIG key for the DNS server to the DNS zone configured on the BIG-IP system. Add TSIG keys to DNS nameservers (clients) configured on the BIG-IP system.
Adding DNS nameserver (client) objects
Gather the IP addresses of the DNS nameservers (clients) from which the BIG-IP system accepts zone transfer requests for a DNS zone. Optional: Ensure that the client TSIG key is available on the BIG-IP system.
To allow DNS nameservers (clients) to request zone transfers for a zone, add a nameserver object that represents each client. Optionally, you can add a client TSIG key that the BIG-IP system uses to authenticate the identity of the client during zone transfer communications.
- On the Main tab, click …. The Nameservers List screen opens.
- Click Create. The New Nameserver screen opens.
- In the Name field, type a name for the DNS nameserver (client).
- In the Address field, type the IP address on which the DNS nameserver (client) listens for DNS messages.
- Optional: From the TSIG Key list, select the TSIG key that matches the TSIG key on the DNS nameserver (client). The BIG-IP system uses this TSIG key to authenticate zone transfer communications as coming from this client and to sign communications sent to this client.
- Click Finished.
- Add nameserver objects to represent other DNS nameservers (clients).
Add the DNS nameserver (client) objects to the Zone Transfer Client list of the DNS zone on the BIG-IP system.
Enabling zone transfers
To enable the BIG-IP system to handle zone transfers, create a custom DNS profile.
- On the Main tab, click … or …. The DNS profile list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the General Properties area, name the profile dns_zxfr.
- Select the Custom check box.
- In the DNS Features area, from the DNS Express list, select Disabled.
- In the DNS Traffic area, from the Zone Transfer list, select Enabled.
- In the DNS Features area, from the Unhandled Query Actions list, select Allow. The BIG-IP system forwards zone transfer requests to a DNS server or a member of a pool of DNS servers.
- In the DNS Features area, from the Use BIND Server on BIG-IP list, select Disabled.
- Click Finished.
Assign the profile to listeners.
Creating a DNS zone
Before you create a DNS zone to serve as a proxy for a zone hosted on a DNS server on your network, do the following:
- Optional: Ensure that the TSIG key on the DNS server is available on the BIG-IP system.
- Determine the name you want to use for the DNS zone. The name must exactly match the name on the DNS server that hosts the zone. Zone names are case insensitive.
When you want the BIG-IP system to act as a proxy for a zone hosted on a DNS server on your network, create a DNS zone and associate the server TSIG key on the DNS server with the zone on the BIG-IP system.
- On the Main tab, click …. The Zone List screen opens.
- Click Create. The New Zone screen opens.
- In the Name field, type the name of the DNS zone. The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
- In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
- Optional: From the Server Key list, select the TSIG key that matches the TSIG key on the DNS server. The BIG-IP system uses this TSIG key to sign DNS zone transfer requests before forwarding the requests to the DNS server that hosts this zone, and then to verify a zone transfer returned from the DNS server.
- Click Finished.
Creating listeners to forward zone transfer requests
Determine to which DNS server you want the listeners to forward DNS zone transfer requests.
Create listeners to alert the BIG-IP system to zone transfer requests destined for a DNS server that hosts the zone. Create two listeners that use the TCP protocol, one each for an IPv4 address and an IPv6 address. DNS zone transfers use TCP port 53. This task applies only to BIG-IP DNS-provisioned systems.
- On the Main tab, click …. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type the IPv4 address on which the BIG-IP system listens for DNS zone transfer requests for a zone hosted on a DNS server.
- From the Listener list, select Advanced.
- From the VLAN Traffic list, select All VLANs.
- If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
- Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
- In the Service area, from the DNS Profile list, select dns_zxfr (the custom profile you created to enable the BIG-IP system to process zone transfer requests).
- In the Service area, from the Protocol list, select TCP.
- Click Repeat.
- Create another listener with the same settings, except using an IPv6 address.
- Click Finished.