Manual Chapter:
Common elements for DNS Cache tasks
Applies To:
BIG-IP APM
- 15.0.1, 15.0.0
- On the Main tab, navigate to the DNS Cache List. The DNS Cache List screen opens.
- On the menu bar, click Statistics. The Local Traffic Statistics screen opens.
- On the menu bar, click Local Zones. The Local Zones screen opens.
- On the menu bar, click Forward Zones. The Forward Zones screen opens.
- On the menu bar, click Response Policy Zones. The Response Policy Zones screen opens.
- On the menu bar, click Trust Anchors. The Trust Anchors screen opens.
- On the menu bar, click DLV Anchors. The DLV Anchors screen opens.
- Click the name of the cache you want to modify. The properties screen opens.
- Click the name of the cache you just created. The properties screen opens.
- Click the name of the RPZ you want to modify.
- Click Create. The New DNS Cache screen opens.
- Click Repeat. The New DNS Cache screen displays default values in the fields.
- Click the Add button.
- Click Update.
- Click Update. The rotation methodology used is based on picking a random number to select the first entry of the Resource Record Set (RRset). Local zones that are part of a Response Policy Zone are not rotated.
- Click Finished.
- In the Name field, type the domain name of the local zone. The domain you enter must be at the apex of the zone. For example, you could name a local zone siterequest.com, and then add resource records for the members wiki.siterequest.com. and download.siterequest.com.
- In the Name field, type the domain name of the walled garden on your network. The domain you enter must be the exact name you want to use for the walled garden. Ensure that you use a zone name that does not match any other resources on your network, for example, walledgarden.siterequest.com.
- From the Type list, select Static.
- From the Type list, select how the cache handles a non-matching query for the local zone. Each option below ends with a sample response to a query for wiki.siterequest.com, when the local zone is siterequest.com.
  - Deny: For a non-matching query, the cache drops the DNS query. Sample response to a non-matching query: DNS request timed out.
  - Redirect: For a non-matching query, when the query is for a subdomain of the local zone, the cache returns the same response that it would for the local zone. For example, if you add the local zone siterequest.com, the cache returns the same response to queries for wiki.siterequest.com. and download.wiki.siterequest.com. Sample response to a non-matching query: NOERROR rcode returned and example.com. NOT resolved as expected.
  - Refuse: For a non-matching query, the cache returns a REFUSED message in the DNS response. Sample response to a non-matching query: REFUSED rcode returned and example.com. NOT resolved as expected.
  - Static: For a non-matching query, the cache returns a NoData or NXDOMAIN in the DNS response, which also includes the SOA record if the local zone contains one. Sample response to a non-matching query: NOERROR rcode returned and example.com. NOT resolved as expected.
  - Transparent (the default): For a non-matching query, the cache performs a pass-through or iterative resolution of the DNS query. If the query matches, but no resource records are available, the cache returns a response with a NoData message. Sample response to a non-matching query: NOERROR rcode returned and example.com. NOT resolved as expected.
  - Type Transparent: For a non-matching query, or a query for a matching domain name but with a request for a record of a different type, the cache performs a pass-through or iterative resolution of the DNS query; however, if the query matches, but no resource records are available, the cache does not return a response with a NoData message. Sample response to a non-matching query: DNS request resolved to example.com. as expected.
- In the Records area, in the field, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add. You can add multiple resource records. This is an example of an A record entry: wiki.siterequest.com. IN A 10.10.10.124. This is an example of a AAAA record entry: wiki.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf.
- In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add. For example, if the local zone name is walledgarden.siterequest.com, then this is an example of an A record entry: walledgarden.siterequest.com. IN A 10.10.10.124, and this is an example of a AAAA record entry: walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf.
- Click the name of the forward zone you want to modify. The properties screen opens.
- Select the check box next to the forward zone you want to delete, and then click Delete. A dialog box displays asking you to confirm the deletion.
- Click OK to confirm the deletion.
- In the Name field, type a name for the forward zone.
- In the Nameservers area, in the Address field, type the IP address of a DNS nameserver that the system considers authoritative for this zone, and then click Add. Based on your network configuration, add IPv4 or IPv6 addresses, or both. The order of nameservers in the configuration does not affect which nameserver the system selects to forward a query to.
- In the Nameservers area, add or remove nameservers.
- From the Zone list, select an RPZ.
- From the Action list, select an action:
  - NXDOMAIN: Resolves a DNS query for a malicious domain found in the RPZ with an NXDOMAIN response, which states that the domain does not exist.
  - walled-garden: Resolves a DNS query for a malicious domain found in the RPZ by providing an A or AAAA record response, which redirects the query to a known host.
- If you selected the walled-garden action, from the Walled Garden IP list, select the local zone that represents the walled garden on your network.
- Select the Logs and Stats Only check box. When checked, queries that match a malicious domain in the RPZ list are logged and statistics are created; however, RPZ policies are not enforced. That is, when a DNS query matches a malicious domain in the RPZ list, the system does not return an NXDOMAIN response or redirect the query to a walled garden. System performance is still affected when Logs and Stats Only is selected, because the system still performs the RPZ lookup for every query.
- In the Name field, type a name for the cache.
- From the Resolver Type list, select one of three types:
  - Resolver: Resolves a DNS request and stores the response in the DNS cache.
  - Validating Resolver: Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache.
  - Transparent (None): Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache.
- From the Resolver Type list, select Resolver.
- From the Resolver Type list, select Validating Resolver.
- From the Resolver Type list, select Transparent.
- From the Route Domain Name list, select the route domain the resolver uses for outbound traffic.
- In the Message Cache Size field, type the maximum size in bytes for the DNS message cache. The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. When you change the value of the Message Cache Size, the records in the message cache are automatically removed. If you do not want to clear the message cache, do not change the value of this parameter.
- In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache. The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. When you change the value of the Resource Record Cache Size, the records in the resource record cache are automatically removed from the cache. If you do not want to clear the resource record cache, do not change the value of this parameter.
- In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data. When you change the value of the Nameserver Cache Count, the records in the nameserver cache are automatically removed from the cache. If you do not want to clear the nameserver cache, do not change the value of this parameter.
- In the DNSSEC Key Cache Size field, type the maximum size in bytes of the DNSKEY cache. When you change the value of the DNSSEC Key Cache Size, the records in the DNSSEC key cache are automatically removed from the cache. If you do not want to clear the DNSSEC key cache, do not change the value of this parameter.
- In the DNS Cache area, to clear specific records from the cache, do one of the following:
  - To clear messages from the cache, change the value in the Message Cache Size field.
  - To clear resource records from the cache, change the value in the Resource Record Cache Size field.
  - To clear nameservers from the cache, change the value in the Name Server Cache Count field.
  - To clear DNSSEC keys from the cache, change the value in the DNSSEC Key Cache Size field.
- Click the Enabled check box to enable or disable the Use IPv4 option. When enabled, the resolver sends DNS queries to IPv4 addresses.
- Click the Enabled check box to enable or disable the Use IPv6 option. When enabled, the resolver sends DNS queries to IPv6 addresses.
- Click the Enabled check box to enable or disable the Use UDP option. When enabled, the resolver can send queries over UDP.
- Click the Enabled check box to enable or disable the Use TCP option. When enabled, the resolver can send queries over TCP.
- Select the Enabled check box for the Answer Default Zones setting when you want the BIG-IP system to answer queries for the default zones: localhost, reverse 127.0.0.1 and ::1, and AS112 zones.
- Select or clear the Enabled check box to enable or disable the Prefetch Key option. When enabled, the validating resolver fetches the DNSKEY early in the validation process. Disable this setting when you want to reduce resolver traffic, but understand that a client may then have to wait for the validating resolver to perform a key lookup.
- Select the Enabled check box to enable or disable the Ignore Checking Disabled Bit option. When enabled, the system ignores the Checking Disabled (CD) bit on client queries, performs validation, and returns only secure answers.
- In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP. The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DoS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message.
- In the Root Hints area, in the IP address field, type the IP address of a DNS server that the system considers authoritative for the DNS root nameservers, and then click Add. By default, the system uses the DNS root nameservers published by InterNIC. When you add DNS root nameservers, the BIG-IP system no longer uses the default nameservers published by InterNIC, but uses the nameservers you add as authoritative for the DNS root nameservers. Based on your network configuration, add IPv4 or IPv6 addresses, or both.
- In the DNS Cache area, in the RRSet Rotate field, select query id when you want to use the query identification number to decide which resource record to set first. The rotation methodology used is based on picking a random number to select the first entry of the Resource Record Set (RRset). Local zones that are part of a Response Policy Zone are not rotated.
- In the DNS Cache area, for the RRSet Rotate field, select one of the following options:
  - none (default): Returns resource records in the same order as received.
  - query id: Uses the query identification number to decide which resource record to set first. The rotation methodology used is based on picking a random number to select the first entry of the Resource Record Set (RRset). Local zones that are part of a Response Policy Zone are not rotated.
- From the Statistics Type list, select DNS Cache.
- Select the check box next to the cache you want to clear, and then click Clear Cache.
- In the Trust Anchor field, paste the trust anchor that you copied from the signed zone. The trust anchor must be specified in a string format.
- In the DLV Anchor field, paste the DLV anchor that you want to add to the validating resolver. The DLV anchor must be specified in a string format.
- On the Main tab, navigate to the DNS Resolver List. The DNS Resolver List screen opens.
- Click Create. The New DNS Resolver screen opens.
- In the Name field, type a name for the resolver.
- Click the name of the resolver you want to modify. The properties screen opens.
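The local zone Type options and the Records entries above are easier to reason about when you can run queries against them. The following is an added example, not F5 BIG-IP code: it parses record entries in the "name type class TTL data" form the Records area accepts and models which answer each Type gives for a matching, a partially matching, and a non-matching query. Its assumptions are its own: the TTL is treated as optional because the page's example entries omit it; a zone is taken to affect only names at or below its apex, with anything else shown as PASS-THROUGH; and the rcode strings are labels, not wire values.

```python
"""Added example (not F5 BIG-IP code): parse the resource record entries the
Records area accepts and model how each local zone Type answers a query.

Assumptions made here: an entry is "name [TTL] class type rdata" separated by
spaces (the TTL is optional because the page's own examples omit it); a zone
affects only names at or below its apex, and anything else falls through to
normal resolution, shown as "PASS-THROUGH"; rcode strings are labels only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASS_THROUGH = ("PASS-THROUGH", ())


@dataclass(frozen=True)
class Record:
    name: str
    ttl: Optional[int]
    rclass: str
    rtype: str
    rdata: str


def parse_record(entry: str) -> Record:
    """Parse 'wiki.siterequest.com. IN A 10.10.10.124' (a TTL may precede the class)."""
    parts = entry.split()
    if len(parts) >= 2 and parts[1].isdigit():
        ttl, parts = int(parts[1]), [parts[0]] + parts[2:]
    else:
        ttl = None
    if len(parts) < 4:
        raise ValueError(f"expected 'name [TTL] class type rdata': {entry!r}")
    name, rclass, rtype = parts[0].lower(), parts[1].upper(), parts[2].upper()
    rdata = " ".join(parts[3:])
    if not name.endswith("."):
        raise ValueError(f"owner name must be fully qualified (trailing dot): {name}")
    if rclass != "IN":
        raise ValueError(f"unsupported class {rclass!r} in {entry!r}")
    # A must carry an IPv4 address and AAAA an IPv6 address; a mismatch is a
    # common copy-paste error and would otherwise produce a silently broken zone.
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(rdata)  # raises ValueError on junk rdata
        if (rtype == "A") != (addr.version == 4):
            raise ValueError(f"{rtype} record needs an IPv{4 if rtype == 'A' else 6} address: {rdata}")
    return Record(name, ttl, rclass, rtype, rdata)


def answer(zone_type: str, zone: str, records: List[Record],
           qname: str, qtype: str) -> Tuple[str, Tuple[str, ...]]:
    """Return (rcode-or-behaviour, answer rdata) for one query against one local zone."""
    zone = zone.lower() if zone.endswith(".") else zone.lower() + "."
    qname, qtype = qname.lower(), qtype.upper()
    if not (qname == zone or qname.endswith("." + zone)):
        return PASS_THROUGH                      # name is outside this zone (assumption)
    at_name = [r for r in records if r.name == qname]
    hit = tuple(r.rdata for r in at_name if r.rtype == qtype)
    if hit:
        return ("NOERROR", hit)                  # every Type answers from local data first
    t = zone_type.lower()
    if t == "deny":
        return ("DROP", ())                      # query dropped; the client sees a timeout
    if t == "refuse":
        return ("REFUSED", ())
    if t == "redirect":                          # answer with whatever the apex holds
        return ("NOERROR", tuple(r.rdata for r in records
                                 if r.name == zone and r.rtype == qtype))
    if t == "static":                            # NoData if the name exists, else NXDOMAIN
        return ("NOERROR", ()) if at_name else ("NXDOMAIN", ())
    if t == "transparent":                       # NoData only when the name exists locally
        return ("NOERROR", ()) if at_name else PASS_THROUGH
    if t == "type transparent":                  # never NoData: any miss is resolved upstream
        return PASS_THROUGH
    raise ValueError(f"unknown local zone type: {zone_type}")


# Constructed sample zone, mirroring the names used on the page.
LOCAL_ZONE = "siterequest.com"
LOCAL_RECORDS = [
    parse_record("siterequest.com. 300 IN A 10.10.10.1"),
    parse_record("wiki.siterequest.com. IN A 10.10.10.124"),
    parse_record("wiki.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf"),
]

if __name__ == "__main__":
    for t in ("deny", "refuse", "redirect", "static", "transparent", "type transparent"):
        print(f"{t:17} download.siterequest.com. A  ->",
              answer(t, LOCAL_ZONE, LOCAL_RECORDS, "download.siterequest.com.", "A"))
```

The difference between Transparent and Type Transparent shows up only on a query for an existing name with a type the zone does not hold (wiki.siterequest.com. MX in the sample): Transparent answers NoData locally, Type Transparent sends it upstream.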
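The RPZ items above (the Action list, the Walled Garden IP list and the Logs and Stats Only check box) describe one decision path per query. The following is an added example, not F5 BIG-IP code, that walks that path: a matching name becomes NXDOMAIN or a walled-garden A/AAAA answer, and in Logs and Stats Only mode the match is still looked up, logged and counted but the query resolves normally. The RPZ contents, the walled-garden zone data and the upstream resolver are constructed stand-ins, and the assumption that an RPZ entry also covers its subdomains is this example's, not the page's.

```python
"""Added example (not F5 BIG-IP code): how a Response Policy Zone bound to a
DNS cache turns a matching query into an NXDOMAIN or walled-garden answer, and
what "Logs and Stats Only" changes.  The RPZ contents, the walled-garden zone
data and the upstream resolver are constructed stand-ins; the assumption that
an RPZ entry also covers its subdomains is this example's, not the page's.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Answer = Tuple[str, Tuple[str, ...]]


@dataclass
class RpzBinding:
    rpz: FrozenSet[str]               # domains listed in the RPZ, fully qualified
    action: str                       # "nxdomain" or "walled-garden"
    walled_garden: Dict[str, str]     # {"A": ..., "AAAA": ...} from the walled-garden local zone
    logs_and_stats_only: bool = False
    stats: Dict[str, int] = field(default_factory=lambda: {"lookups": 0, "matches": 0, "enforced": 0})
    log: List[str] = field(default_factory=list)


def rpz_match(rpz: FrozenSet[str], qname: str) -> Optional[str]:
    """Return the RPZ entry covering qname (exact name or any parent), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in rpz:
            return candidate
    return None


def resolve(binding: RpzBinding, qname: str, qtype: str,
            upstream: Callable[[str, str], Answer]) -> Answer:
    """Resolve one query through the RPZ binding; 'upstream' handles non-matching names."""
    binding.stats["lookups"] += 1               # the lookup cost is paid in every mode
    rule = rpz_match(binding.rpz, qname)
    if rule is None:
        return upstream(qname, qtype)
    binding.stats["matches"] += 1
    binding.log.append(f"rpz-match qname={qname} qtype={qtype} rule={rule} "
                       f"action={binding.action} enforced={not binding.logs_and_stats_only}")
    if binding.logs_and_stats_only:            # logged and counted, but not enforced
        return upstream(qname, qtype)
    binding.stats["enforced"] += 1
    if binding.action == "nxdomain":
        return ("NXDOMAIN", ())
    if binding.action == "walled-garden":      # redirect via the walled garden's A/AAAA
        rdata = binding.walled_garden.get(qtype.upper())
        return ("NOERROR", (rdata,) if rdata else ())
    raise ValueError(f"unknown RPZ action: {binding.action}")


# Constructed sample data.
MALICIOUS = frozenset({"malware.example.", "phish.example."})
WALLED_GARDEN = {"A": "10.10.10.124", "AAAA": "2002:0:1:12:123:c:cd:cdf"}


def fake_upstream(qname: str, qtype: str) -> Answer:
    """Stand-in for iterative resolution; always 'resolves' to a documentation address."""
    return ("NOERROR", ("203.0.113.7",) if qtype.upper() == "A" else ())


def demo(action: str, logs_only: bool = False) -> Tuple[Answer, Answer, Dict[str, int]]:
    """Resolve one clean and one listed name; return both answers and the counters."""
    b = RpzBinding(MALICIOUS, action, WALLED_GARDEN, logs_and_stats_only=logs_only)
    clean = resolve(b, "www.siterequest.com.", "A", fake_upstream)
    bad = resolve(b, "cdn.malware.example.", "A", fake_upstream)
    return clean, bad, b.stats


if __name__ == "__main__":
    for action, logs_only in (("nxdomain", False), ("walled-garden", False), ("walled-garden", True)):
        print(action, "logs-only" if logs_only else "enforced", demo(action, logs_only))
```

The counters make the page's performance caveat concrete: the lookups and matches columns are identical in both modes, and only the enforced count drops to zero when Logs and Stats Only is set.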
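The Unsolicited Reply Threshold item above says the resolver always rejects replies that match no outstanding query and alerts every N rejections. The following is an added example, not F5 BIG-IP code, of that behaviour: it tracks outstanding queries, rejects anything that does not match one, and records an alert each time the rejection count reaches a multiple of the threshold, with 0 meaning no alerts. Matching on transaction ID plus question plus port is this example's choice, not something the page states; a 16-bit ID on its own is guessable, which is what cache-poisoning floods rely on.

```python
"""Added example (not F5 BIG-IP code): reject DNS replies that do not match an
outstanding query and raise an alert every N rejections, as the Unsolicited
Reply Threshold describes (0 switches the alert off; rejection still happens).
Matching on transaction id plus question plus port is this example's choice:
a 16-bit id alone is guessable, which is what a cache-poisoning flood exploits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[int, str, str, int]


@dataclass(frozen=True)
class DnsMessage:
    txid: int          # 16-bit transaction id
    qname: str
    qtype: str
    port: int          # port the query left from / the reply arrived at


@dataclass
class UnsolicitedReplyMonitor:
    threshold: int = 0                      # 0 = reject silently (the page's default)
    outstanding: Dict[Key, DnsMessage] = field(default_factory=dict)
    rejected: int = 0
    alerts: List[str] = field(default_factory=list)

    @staticmethod
    def key(m: DnsMessage) -> Key:
        return (m.txid, m.qname.lower(), m.qtype.upper(), m.port)

    def sent(self, query: DnsMessage) -> None:
        self.outstanding[self.key(query)] = query

    def receive(self, reply: DnsMessage) -> bool:
        """True if the reply answers an outstanding query; False (and counted) otherwise."""
        k = self.key(reply)
        if k in self.outstanding:
            del self.outstanding[k]             # one query, one reply: a second copy is unsolicited
            return True
        self.rejected += 1
        if self.threshold > 0 and self.rejected % self.threshold == 0:
            self.alerts.append(f"{self.rejected} unsolicited replies rejected "
                               f"(last: txid={reply.txid} qname={reply.qname})")
        return False


def flood(monitor: UnsolicitedReplyMonitor, n: int) -> int:
    """Constructed attack: n forged replies guessing txids for a query that was never sent."""
    accepted = 0
    for txid in range(n):
        if monitor.receive(DnsMessage(txid, "www.siterequest.com.", "A", 53000)):
            accepted += 1
    return accepted


if __name__ == "__main__":
    m = UnsolicitedReplyMonitor(threshold=4)
    m.sent(DnsMessage(0x1234, "wiki.siterequest.com.", "A", 40001))
    print("genuine reply accepted:", m.receive(DnsMessage(0x1234, "wiki.siterequest.com.", "A", 40001)))
    print("forged replies accepted:", flood(m, 10), "rejected:", m.rejected, "alerts:", m.alerts)
```

The threshold only changes how often you hear about rejections, never whether they happen, so a low value on a busy resolver produces a trap storm while a value in the millions, as in the page's example, reports a flood without drowning the log.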