Manual Chapter : Using ZoneRunner to Configure DNS Zones

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 14.0.1, 14.0.0

BIG-IP DNS

  • 14.0.1, 14.0.0
Manual Chapter

Using ZoneRunner to Configure DNS Zones

About ZoneRunner

You can use the ZoneRunner utility to create and manage DNS zone files and configure the BIND instance on BIG-IP® DNS (formerly GTM). With the ZoneRunner utility, you can:
  • Import and transfer DNS zone files
  • Manage zone resource records
  • Manage views
  • Manage a local nameserver and the associated configuration file,
    named.conf
  • Transfer zone files to a nameserver
  • Import only primary zone files from a nameserver

About named.conf

named.conf
contains the primary operational characteristics of BIND, including DNS views, access control list definitions, and zones. The ZoneRunner utility updates
named.conf
when you modify the local BIND instance.

Using ZoneRunner to configure named.conf

Ensure that at least one zone is configured on BIG-IP DNS.
Use ZoneRunner to edit
named.conf
, to decrease the risk of a syntax error that prevents the BIND system from performing as expected. Zonerunner provides an automatic syntax check and displays error messages to help you write the correct syntax.
  1. On the Main tab, click
    DNS
    Zones
    ZoneRunner
    named Configuration
    .
    The named Configuration screen opens.
  2. In the Options area, type additional configurations per your network design.
  3. Click
    Update
    .

Creating a master DNS zone

A master zone is authoritative. Create a zone when you want to use ZoneRunner to manage DNS zones and resource records.
The BIG-IP system can be either a primary or secondary DNS server.
  1. On the Main tab, click
    DNS
    Zones
    ZoneRunner
    Zone List
    .
    The Zone List screen opens.
  2. Click
    Create
    .
    The New Zone screen opens.
  3. From the
    View Name
    list, select
    external
    .
    The external view is a default view to which you can assign zones.
  4. In the
    Zone Name
    field, type a period character (
    .
    ).
  5. From the
    Zone Type
    list, select
    Master
    .
  6. Clear the
    Zone File Name
    field, and type the zone file name.
    db.external.siterequest.com
    Do not include a trailing dot.
  7. In the Records Creation area, type the values for the SOA and NS record parameters.
  8. Click
    Finished
    .
If you want further help creating a custom zone file, see
SOL8380
on
www.askf5.com
for instructions.

Creating a hint zone

Hint zones
designate a subset of the root nameservers list. When the local nameserver starts (or restarts), the nameserver queries the root servers in the hint zone for the most current list of root servers. The root hint is built into BIND version 9.0 and later.
Create a zone when you want to use ZoneRunner to manage DNS zones and resource records.
The BIG-IP system can be either a primary or secondary DNS server.
  1. On the Main tab, click
    DNS
    Zones
    ZoneRunner
    Zone List
    .
    The Zone List screen opens.
  2. Click
    Create
    .
    The New Zone screen opens.
  3. From the
    View Name
    list, select
    external
    .
    The external view is a default view to which you can assign zones.
  4. In the
    Zone Name
    field, type a period character (
    .
    ).
  5. From the
    Zone Type
    list, select
    Hint
    .
  6. Clear the
    Zone File Name
    field, and type the zone file name.
    db.external.siterequest.com
    Do not include a trailing dot.
  7. Click
    Finished
    .
If you want further help creating a custom hint file, see
SOL8380
on
www.askf5.com
for instructions.

Configuring BIG-IP DNS to allow zone file transfers

By default, BIG-IP DNS is configured to secure BIND to not allow zone transfers except from the localhost. However, you can configure BIG-IP DNS to allow zone file transfers to other DNS servers.
  1. On the Main tab, click
    DNS
    Zones
    ZoneRunner
    named Configuration
    .
    The named Configuration screen opens.
  2. In the
    Options
    field, modify the allow-transfer statement to include the IP address of the BIG-IP DNS.
    You can modify the following allow-transfer statement to use the IP address of the BIG-IP DNS.
    allow-transfer { localhost; 192.168.10.105; };
  3. On the menu bar, click
    View List
    .
    The View List screen opens.
  4. Click the name of the view that contains the zone you are configuring.
    The View Configuration screen opens.
  5. In the Options area, modify the match-clients statement based on your configuration.
    View configuration type
    Add to match-clients statement
    Single view configuration
    view "external" { match-clients { "zrd-acl-000-000"; any; };
    Multiple view configuration, where you want to allow transfers from BIG-IP DNS
    Modify the following match-clients statement to use the IP address of the BIG-IP DNS.
    acl "internal-acl" { <IP address> ; }; view "internal" { match-clients { "zrd-acl-000-001"; "internal-acl"; <IP address> ; }; view "external" { match-clients { "zrd-acl-000-000"; any; };
  6. Click
    Update
    .
To verify that zone transfers are working properly, modify this Linux command and run it on an external computer:
dig @<IP address> es.net. axfr
The command should return a response similar to this:
; <<>> DiG? 9.5.0-P2 <<>> @192.17.1.253 es.net. axfr ; (1 server found) ;; global options: printcmd es.net. 500 IN SOA siterequest.com. hostmaster.siterequest.com. 6 10800 3600 604800 60 es.net. 500 IN NS siterequest.com. a.es.net. 30 IN A 192.17.1.100 b.es.net. 30 IN A 192.18.1.100 es.net. 500 IN SOA siterequest.com. hostmaster.siterequest.com. 6 10800 3600 604800 60 ;; Query time: 6 msec ;; SERVER: 192.17.1.253#53(192.17.1.253) ;; WHEN: Fri Mar 11 17:20:25 2011 ;; XFR size: 5 records (messages 1, bytes 180)

About DNS views

A DNS
view
is a modification of a nameserver configuration based on the community attempting to access it. Using views, you can build multiple nameserver configurations on the same server, and have those configurations apply dynamically when the request originates from a specified source.
If your DNS handles requests from both inside and outside your company, you can create two views: internal and external.

Creating a DNS view

It is helpful to keep in mind that ZoneRunner contains a default view named: external.
Create an additional DNS view to modify the local nameserver configuration to allow a specific community to access it.
  1. On the Main tab, click
    DNS
    Zones
    ZoneRunner
    View List
    .
    The View List screen opens.
  2. Click
    Create
    .
  3. In the
    View Name
    field, type a name for the view.
  4. From the
    View Order
    list, make a selection.
    Option
    Description
    First
    In the view hierarchy, this view is listed first.
    Last
    In the view hierarchy, this view is listed last.
    After
    In the view hierarchy, this view is listed immediately following the view that you select from the View List.
  5. In the Options area, modify the match-clients statement based on your configuration.
    View configuration type
    Add to match-clients statement
    Single view configuration
    view "external" { match-clients { "zrd-acl-000-000"; any; };
    Multiple view configuration, where you want to allow transfers from BIG-IP DNS
    Modify the following match-clients statement to use the IP address of the BIG-IP DNS.
    acl "internal-acl" { <IP address> ; }; view "internal" { match-clients { "zrd-acl-000-001"; "internal-acl"; <IP address> ; }; view "external" { match-clients { "zrd-acl-000-000"; any; };
  6. In the Options area, type additional configurations per your network design.
  7. Click
    Finished
    .

Types of DNS zone files

This table describes the types of DNS zone files.
DNS file type
Description
Primary
Zone files for a primary zone contain, at minimum, the start of authority (SOA) and nameserver (NS) resource records for the zone. Primary zones are authoritative, that is, they respond to DNS queries for the domain or sub-domain. A zone can have only one SOA record, and must have at least one NS record.
Secondary
Zone files for a secondary zone are copies of the principal zone files. At an interval specified in the SOA record, secondary zones query the primary zone to check for and obtain updated zone data. A secondary zone responds authoritatively for the zone provided that the zone data is valid.
Stub
Stub zones are similar to secondary zones, except that stub zones contain only the NS records for the zone. Note that stub zones are a specific feature of the BIND implementation of DNS. F5 Networks recommends that you use stub zones only if you have a specific requirement for this functionality.
Forward
The zone file for a forwarding zone contains only information to forward DNS queries to another nameserver on a per-zone (or per-domain) basis.
Hint
The zone file for a hint zone specifies an initial set of root nameservers for the zone. Whenever the local nameserver starts, it queries a root nameserver in the hint zone file to obtain the most recent list of root nameservers. Zone file import.

Types of DNS resource records

This table describes the types of DNS resource records that ZoneRunner supports.
DNS file type
Description
SOA (Start of authority)
The start of authority resource record, SOA, starts every zone file and indicates that a nameserver is the best source of information for a particular zone. The SOA record indicates that a nameserver is authoritative for a zone. There must be exactly one SOA record per zone. Unlike other resource records, you create a SOA record only when you create a new master zone file.
A (Address)
The Address record, or A record, lists the IP address for a given host name. The name field is the host’s name, and the address is the network interface address. There should be one A record for each IP address of the machine.
AAAA (IPv6 Address)
The IPv6 Address record, or AAAA record, lists the 128-bit IPv6 address for a given host name.
CNAME (Canonical Name)
The Canonical Name resource record, CNAME, specifies an alias or nickname for the official, or canonical, host name. This record must be the only one associated with the alias name. It is usually easier to supply one A record for a given address and use CNAME records to define alias host names for that address.
DNAME (Delegation of Reverse Name)
The Delegation of Reverse Name resource record, DNAME, specifies the reverse lookup of an IPv6 address. These records substitute the suffix of one domain name with another. The DNAME record instructs DNS (BIG-IP DNS, formerly GTM) (or any DNS server) to build an alias that substitutes a portion of the requested IP address with the data stored in the DNAME record.
HINFO (Host Information)
The Host Information resource record, HINFO, contains information on the hardware and operating system relevant to BIG-IP DNS (formerly GTM) (or other DNS).
MX (Mail Exchanger)
The Mail Exchange resource record, MX, defines the mail system(s) for a given domain.
NAPTR (Name Authority Pointer)
The Name Authority Pointer record, NAPTR, aids in the standardization of Uniform Resource Names (URNs). NAPTR records map between sets of URNs, URLs and plain domain names and suggest to clients the protocols available for communication with the mapped resource.
NS (nameserver)
The nameserver resource record, NS, defines the nameservers for a given domain, creating a delegation point and a subzone. The first name field specifies the zone that is served by the nameserver that is specified in the nameservers name field. Every zone needs at least one nameserver.
PTR (Pointer)
A name pointer resource record, PTR, associates a host name with a given IP address. These records are used for reverse name lookups.
SRV (Service)
The Service resource record, SRV, is a pointer with which an alias for a given service is redirected to another domain. For example, if the fictional company Site Request has an FTP archive hosted on archive.siterequest.com, the IT department can create an SRV record with which the alias ftp.siterequest.com is redirected to archive.siterequest.com.
TXT (Text)
The Text resource record, TXT, allows you to supply any string of information, such as the location of a server or any other relevant information that you want available.