Manual Chapter : Common elements for DNS Cache tasks

Applies To:


BIG-IP APM

  • 15.0.1, 15.0.0

Common elements for DNS Cache tasks

  1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
    The DNS Cache List screen opens.
  2. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  3. On the menu bar, click Statistics.
    The Local Traffic Statistics screen opens.
  4. On the menu bar, click Local Zones.
    The Local Zones screen opens.
  5. On the menu bar, click Forward Zones.
    The Forward Zones screen opens.
  6. On the menu bar, click Response Policy Zones.
    The Response Policy Zones screen opens.
  7. On the menu bar, click Trust Anchors.
    The Trust Anchors screen opens.
  8. On the menu bar, click DLV Anchors.
    The DLV Anchors screen opens.
  9. Click the name of the cache you want to modify.
    The properties screen opens.
  10. Click the name of the cache you just created.
    The properties screen opens.
  11. Click the name of the RPZ you want to modify.
  12. Click Create.
    The New DNS Cache screen opens.
  13. Click Repeat.
    The New DNS Cache screen displays default values in the fields.
  14. Click the Add button.
  15. Click Update.
  16. Click Update.
    The rotation methodology used is based on picking a random number to select the first entry of the Resource Record Set (RRset). Local zones that are part of a Response Policy Zone are not rotated.
  17. Click Finished.
  18. In the Name field, type the domain name of the local zone.
    The domain you enter must be at the apex of the zone. For example, you could name a local zone siterequest.com, and then add resource records for the members wiki.siterequest.com. and download.siterequest.com.
  19. In the Name field, type the domain name of the walled garden on your network.
    The domain you enter must be the exact name you want to use for the walled garden. Ensure that you use a zone name that does not match any other resources on your network, for example, walledgarden.siterequest.com.
  20. From the Type list, select Static.
  21. From the Type list, select how the cache handles a non-matching query for the local zone.
    The Description column provides a sample response to a query for wiki.siterequest.com, when the local zone is siterequest.com.
    Option              Description
    Deny                For a non-matching query, the cache drops the DNS query.
                        Example response to a non-matching query: DNS request timed out
    Redirect            For a non-matching query, when the query is for a subdomain of the local zone, the cache returns the same response that it would for the local zone. For example, if you add the local zone siterequest.com, the cache returns the same response to queries for wiki.siterequest.com. and download.wiki.siterequest.com.
                        Example response to a non-matching query: NOERROR rcode returned and example.com. NOT resolved as expected
    Refuse              For a non-matching query, the cache returns a REFUSED message in the DNS response.
                        Example response to a non-matching query: REFUSED rcode returned and example.com. NOT resolved as expected
    Static              For a non-matching query, the cache returns a NoData or NXDOMAIN in the DNS response, which also includes the SOA record if the local zone contains one.
                        Example response to a non-matching query: NOERROR rcode returned and example.com. NOT resolved as expected
    Transparent         Transparent is the default value. For a non-matching query, the cache performs a pass-through or iterative resolution of the DNS query. If the query matches, but no resource records are available, the cache returns a response with a NoData message.
                        Example response to a non-matching query: NOERROR rcode returned and example.com. NOT resolved as expected
    Type Transparent    For a non-matching query, or a query for a matching domain name but with a request for a record of a different type, the cache performs a pass-through or iterative resolution of the DNS query; however, if the query matches, but no resource records are available, the cache does not return a response with a NoData message.
                        Example response to a non-matching query: DNS request resolved to example.com. as expected
  22. In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add.
    You can add multiple resource records.
    This is an example of an A record entry:
    wiki.siterequest.com. IN A 10.10.10.124
    This is an example of a AAAA record entry:
    wiki.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf
  23. In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add.
    For example, if the local zone name is walledgarden.siterequest.com, then this is an example of an A record entry:
    walledgarden.siterequest.com. IN A 10.10.10.124
    and this is an example of a AAAA record entry:
    walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf
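To check a batch of Records-field entries before pasting them into the UI, here is an added Python example (not part of this manual or of the BIG-IP software); it assumes the TTL may be omitted, as the manual's own entries do, and that every owner name must sit at or below the local zone apex described in step 18.

```python
import ipaddress

# Constructed sample entries in the Records-field format (name, optional TTL,
# class, type, data; the manual's own examples omit the TTL, so it is optional here).
SAMPLE_ENTRIES = [
    "wiki.siterequest.com. IN A 10.10.10.124",
    "wiki.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf",
    "download.siterequest.com. 300 IN A 10.10.10.125",
    "wiki.siterequest.com IN A 10.10.10.124",      # owner name not fully qualified
    "other.example.com. IN A 10.10.10.1",          # outside the local zone apex
    "wiki.siterequest.com. IN AAAA 10.10.10.124",  # IPv4 data in an AAAA record
]

def parse_record(entry: str, zone: str) -> dict:
    """Parse one entry; raise ValueError with the reason if it would be rejected."""
    fields = entry.split()
    if len(fields) < 4:
        raise ValueError(f"expected: name [TTL] class type data, got {entry!r}")
    name = fields[0]
    if not name.endswith("."):
        raise ValueError(f"owner name must be fully qualified (trailing dot): {name}")
    apex = zone.rstrip(".") + "."  # assumption: records sit at or below the zone apex
    if name != apex and not name.endswith("." + apex):
        raise ValueError(f"{name} is not at or below the zone apex {apex}")
    ttl = None
    if fields[1].isdigit():  # optional TTL in seconds
        ttl = int(fields[1])
        fields = [name] + fields[2:]
    rclass, rtype, rdata = fields[1].upper(), fields[2].upper(), " ".join(fields[3:])
    if rclass != "IN":
        raise ValueError(f"unsupported class {rclass}")
    # ip_address() itself raises ValueError on malformed data; then check the family.
    if rtype == "A" and not isinstance(ipaddress.ip_address(rdata), ipaddress.IPv4Address):
        raise ValueError(f"A record needs an IPv4 address, got {rdata}")
    if rtype == "AAAA" and not isinstance(ipaddress.ip_address(rdata), ipaddress.IPv6Address):
        raise ValueError(f"AAAA record needs an IPv6 address, got {rdata}")
    return {"name": name, "ttl": ttl, "class": rclass, "type": rtype, "data": rdata}

def check_entries(entries, zone):
    """Split entries into accepted records and (entry, reason) rejections."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(parse_record(entry, zone))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected
```

Running check_entries(SAMPLE_ENTRIES, "siterequest.com") accepts the first three entries and reports a reason for each of the last three.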
  24. Click the name of the forward zone you want to modify.
    The properties screen opens.
  25. Select the check box next to the forward zone you want to delete, and then click Delete.
    A dialog box displays asking you to confirm the deletion.
  26. Click OK to confirm the deletion.
  27. In the Name field, type a name for the forward zone.
  28. In the Nameservers area, in the Address field, type the IP address of a DNS nameserver that the system considers authoritative for this zone, and then click Add. Based on your network configuration, add IPv4 or IPv6 addresses, or both.
    The order of nameservers in the configuration does not impact which nameserver the system selects to forward a query to.
  29. In the Nameservers area, add or remove nameservers.
  30. From the Zone list, select an RPZ.
  31. From the Action list, select an action:
    Option          Description
    NXDOMAIN        Resolves a DNS query for a malicious domain found in the RPZ with an NXDOMAIN response, which states that the domain does not exist.
    walled-garden   Resolves a DNS query for a malicious domain found in the RPZ by providing an A or AAAA record response, which redirects the query to a known host.
  32. If you selected the type Walled Garden, from the Walled Garden IP list, select the local zone that represents the walled garden on your network.
  33. Select the Logs and Stats Only check box.
    When checked, queries that match a malicious domain in the RPZ list are logged and statistics are created; however, RPZ policies are not enforced. That is, when a DNS query matches a malicious domain in the RPZ list, the system does not return an NXDOMAIN response or redirect the query to a walled garden.
    System performance is affected even when Logs and Stats Only is selected, because the system still performs RPZ lookups.
  34. In the Name field, type a name for the cache.
  35. From the Resolver Type list, select one of three types:
    Option                Description
    Resolver              Resolves a DNS request and stores the response in the DNS cache.
    Validating Resolver   Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache.
    Transparent (None)    Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache.
  36. From the Resolver Type list, select Resolver.
  37. From the Resolver Type list, select Validating Resolver.
  38. From the Resolver Type list, select Transparent.
  39. From the Route Domain Name list, select the route domain the resolver uses for outbound traffic.
  40. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache.
    The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
    When you change the value of the Message Cache Size, the records in the message cache are automatically removed. If you do not want to clear the message cache, do not change the value of this parameter.
  41. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache.
    The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
    When you change the value of the Resource Record Cache Size, the records in the resource record cache are automatically removed from the cache. If you do not want to clear the resource record cache, do not change the value of this parameter.
  42. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data.
    When you change the value of the Nameserver Cache Count, the records in the nameserver cache are automatically removed from the cache. If you do not want to clear the nameserver cache, do not change the value of this parameter.
  43. In the DNSSEC Key Cache Size field, type the maximum size in bytes of the DNSKEY cache.
    When you change the value of the DNSSEC Key Cache Size, the records in the DNSSEC key cache are automatically removed from the cache. If you do not want to clear the DNSSEC key cache, do not change the value of this parameter.
  44. In the DNS Cache area, to clear specific records from the cache, do one of the following:
    To clear messages from the cache: change the value in the Message Cache Size field.
    To clear resource records from the cache: change the value in the Resource Record Cache Size field.
    To clear nameservers from the cache: change the value in the Nameserver Cache Count field.
    To clear DNSSEC keys from the cache: change the value in the DNSSEC Key Cache Size field.
  45. Click the Enabled check box to enable or disable the Use IPv4 option.
    When enabled, the resolver sends DNS queries to IPv4 addresses.
  46. Click the Enabled check box to enable or disable the Use IPv6 option.
    When enabled, the resolver sends DNS queries to IPv6 addresses.
  47. Click the Enabled check box to enable or disable the Use UDP option.
    When enabled, the resolver can send queries over UDP.
  48. Click the Enabled check box to enable or disable the Use TCP option.
    When enabled, the resolver can send queries over TCP.
  49. Select the Enabled check box for the Answer Default Zones setting when you want the BIG-IP system to answer queries for the default zones: localhost, reverse 127.0.0.1 and ::1, and AS112 zones.
  50. Select the Enabled check box to disable the Prefetch Key option.
    When enabled, the validating resolver fetches the DNSKEY early in the validation process. Disable this setting when you want to reduce resolver traffic, but understand that a client may then have to wait for the validating resolver to perform a key lookup.
  51. Select the Enabled check box to enable or disable the Ignore Checking Disabled Bit option.
    When enabled, the system ignores the Checking Disabled setting on client queries, performs validation, and returns only secure answers.
  52. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP.
    The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DoS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message.
  53. In the Root Hints area, in the IP address field, type the IP address of a DNS server that the system considers authoritative for the DNS root nameservers, and then click Add.
    By default, the system uses the DNS root nameservers published by InterNIC. When you add DNS root nameservers, the BIG-IP system no longer uses the default nameservers published by InterNIC, but uses the nameservers you add as authoritative for the DNS root nameservers.
    Based on your network configuration, add IPv4 or IPv6 addresses, or both.
  54. In the DNS Cache area, in the RRSet Rotate field, select query id when you want to use the query identification number to decide which resource record to set first.
    The rotation methodology used is based on picking a random number to select the first entry of the Resource Record Set (RRset). Local zones that are part of a Response Policy Zone are not rotated.
  55. In the DNS Cache area, for the RRSet Rotate field, select one of the following options:
    Option           Description
    none (default)   Returns resource records in the same order as received.
    query id         Uses the query identification number to decide which resource record to set first.
    The rotation methodology used is based on picking a random number to select the first entry of the Resource Record Set (RRset). Local zones that are part of a Response Policy Zone are not rotated.
  56. From the Statistics Type list, select DNS Cache.
  57. Select the check box next to the cache you want to clear, and then click Clear Cache.
  58. In the Trust Anchor field, paste the trust anchor that you copied from the signed zone.
    The trust anchor must be specified in a string format.
  59. In the DLV Anchor field, paste the DLV anchor that you want to add to the validating resolver.
    The DLV anchor must be specified in a string format.
  60. On the Main tab, click Network > DNS Resolvers > DNS Resolver List.
    The DNS Resolver List screen opens.
  61. Click Create.
    The New DNS Resolver screen opens.
  62. In the Name field, type a name for the resolver.
  63. Click the name of the resolver you want to modify.
    The properties screen opens.