F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP DNS: Implementations
  3. Configuring Oblivious DNS Over HTTP (ODoH) protocol
Manual Chapter : Configuring Oblivious DNS Over HTTP (ODoH) protocol

Applies To:

Show Versions Show Versions
Manual Chapter

Configuring Oblivious DNS Over HTTP (ODoH) protocol

About ODoH functionality

This section enable you to understand the basic concept of ODoH functionality.

About Oblivious DNS Over HTTP

The Oblivious DNS over HTTPS (ODoH) protocol improves the privacy of DNS operations. This is achieved through a layer of public key encryption (HPKE) and a network proxy between clients and a DNS server. When ODoH is enabled, it does not allow any one server entity to be aware of both the client’s IP address and the content of the DNS queries and answers.
The following are components of ODoH:
  • Client: Sends the encrypted query to proxy.
  • Proxy: Receives the query from the client and sends the proxy query to the server. Returns the encrypted response from the server to the client.
  • Server (Target): Receives and decrypts the query from the proxy and returns the encrypted response to the proxy. The ODoH target can be a virtual server with an HPKE key profile and GTM listener.
The following is an example scenario:
  1. When a client makes a DNS query using ODoH, its request is first encrypted using a public-key encryption scheme (HPKE).
  2. The request is then routed through a proxy that forwards the encrypted query to the DNS server.
  3. The DNS server can decrypt the query and sends the encrypted response back to the proxy, which returns it to the client.
This ensures that the DNS server never sees the client’s IP address, and the proxy never sees the unencrypted query, providing strong DNS privacy.
Components of ODoH

About HPKE

The ODoH uses Hybrid Public Key Encryption (HPKE), a versatile and modern cryptographic scheme that provides authenticated public key encryption for DNS queries. The clients encrypt their DNS queries with the DNS resolver’s public key, ensuring that only the resolver can decrypt the queries. Even if the proxy intercepts the communication, it cannot read the DNS query because it does not have the private key.

HPKE key management

The HPKE key management is an automated process that handles the lifecycle of encryption keys, including creation, rollover, and expiration. A designated BIG-IP GTM/DNS is responsible for managing these keys.

About SVCB and HTTPS resource records

BIG-IP DNS already supports popular DNS Resource Records (RR) like A, AAAA, and CNAME.
To support modern DNS-based service discovery and load balancing using the ODoH protocol, BIG-IP now includes support for Service Binding (SVCB) (Type64) and HTTPS RR (Type65). These records integrate with the Wide IP and Pool objects (GTM pools and pool members) to process and respond to DNS queries effectively.
  • Configuring SVCB and HTTPS RR in BIG-IP is currently limited to supporting the ODoH protocol.
  • The statistics for SVCB and HTTPS RR are included in the GTM statistics.

Configuring ODoH using GUI

Perform the following tasks to implement the ODoH protocol:
  1. Generating HPKE key
    1. Create an HPKE profile
    2. Create an HPKE key
  2. Defining an ODoH target
    1. Create a data center
    2. Create a GTM server with the automatic virtual server discovery
    3. Create a DNS profile for the ODoH target
    4. Create a DoH Server listener using the DNS profile for ODoH target
    5. Create a GTM pool with DoH target as member
  3. Configuring a Wide IP
    1. Create a GTM wide IP with the GTM pool as member
    2. Create a GTM pool of type SVCB
    3. Create a Wide IP of type SVCB
  4. Configuring a DNS listener for SVCB/HTTPS records
    1. Create a DNS profile
    2. Create a listener with the DNS profile

Create an HPKE profile

  1. Log in to the
    Configuration utility
    .
  2. On the
    Main
     tab, click
    DNS
     >
    Delivery
     >
    Profiles
     >
    Other
     >
    HPKE Profile
    . The
    HPKE Profile
    uicontrol> screen opens.
  3. Select
    Create
  4. On the
    General Properties
     section, specify this information:
    Name:
    The name of the HPKE profile that can be linked to the HPKE Key.
    Description:
    The text that provides the additional detail of the HPKE profile.
    KEM:
    The Key encapsulation method used to encrypt message.
    KDF:
    The Key Derivation Function algorithm.
    AEAD:
    The Authentication encryption method associated with data.
  5. Specify this information in the Key Settings section:
    Rollover Period:
    The interval after which the system generates a new key.
    By default, the value of the first key generation is 0 (zero) to indicate no rollover. Make sure the rollover period is more than or equal to half of the Expiration Period value. It must also be less than the value given in the Expiration Period. The value of ID is incremented by 1 for each key generation.
    Expiration Period:
    The interval after which the system deletes a key.
    By default, the value is 0 to indicate that the key does not expire. The value of the expiration period must be more than the value given in the
    Rollover Period
    . Also, the difference between the values of the rollover and expiration periods must be more than the value of the TTL. The National Institute of Standards and Technology (NIST) recommends that a zone signing key expire in 30 days, and that a key signing key expire once a year.
  6. Click
    Finished
     to complete the task.

Create an HPKE key

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    Delivery
    Keys
    HPKE Key List
    . The
    HPKE Key List
     screen opens.
  3. Click
    Create
    .
  4. On the
    General Properties
     section, specify this information:
    Name:
    The name of the HPKE Key.
    Description:
    The text that provides the additional details of the HPKE Key.
    HPKE Key Profile:
    The HPKE profile that must be associated with the HPKE key.
  5. Click
    Finished
    .
    You can select the Generations tab to check the generated HPKE key.

Create a data center

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    GSLB
    Data Centres
    Data Center List
    . The
    Data Center List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General Properties
    section, specify this information:
    Name:
    The name of the data center.
    Description:
    The additional information about the data centre.
    Location:
    The physical location of data center.The name of the HPKE Key.
    Contact:
    The name of the administrator or the name of the department that manages the data center.
    Prober Preference:
    The type of prober pools to use to monitor servers defined within the data center. The default value is Inside Data Center. Possible options:
    Inside Data Center
    A server selects the probers from inside the data center where the server resides.
    Outside Data Center
    A server selects the probers from outside the data center where the server resides.
    Specific Prober Pool
    Select one of the Prober pools from the drop-down list. When assigning the Prober pool at the server level.
    Prober pools are not used by the bigip monitor.
    Prober Fallback:
    The type of prober to use to monitor servers defined within the data center when the preferred type is not available. The default value is Any Available. Possible options:
    Any Available
    For selecting any available prober.
    Inside Data Center
    A server selects probers from inside the data center where the server resides.
    Outside Data Center
    A server selects probers from outside the data center where the server resides.
    None
    No fallback probers are selected. Prober fallback is disabled.
    Specific Prober Pool
    Select one of the probers from the list When you want to assign a prober pool at the server level.
    Availability:
    Indicates the current status of the data center. The name of the HPKE Key.
    State:
    Indicates if the data center and its resources are available for load balancing. The value must be set to Enabled.
  5. In the
    Devices
     section, specify the required fields.
  6. In the
    Configuration
    section, specify the required fields
  7. In the
    Resources
    section, specify the required details.
  8. Click
    Finished
    .

Create a GTM Server with the automatic virtual server discovery

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    GLSB
    Servers
    Server List
    . The
    Server List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General Properties:
    section, specify this information:
    Name:
    The name of the server host for DoH.The name of the data center.
    Product:
    The server type <Big-IP System>. The server type determines the metrics that the system can collect from the server.
    Data Center:
    The data center of the server.
    Prober Preference:
    The type of prober pools to use to monitor servers defined within the data center. The default value is Inside Data Center. Possible options:
    Inside Data Center
    A server selects the probers from inside the data center where the server resides.
    Outside Data Center
    A server selects the probers from outside the data center where the server resides.
    Specific Prober Pool
    Select one of the Prober pools from the drop-down list. When assigning the Prober pool at the server level.
    Prober pools are not used by the bigip monitor.
    Prober Fallback:
    The type of prober to use to monitor servers defined within the data center when the preferred type is not available. The default value is Any Available. Possible options:
    Any Available
    For selecting any available prober.
    Inside Data Center
    A server selects probers from inside the data center where the server resides.
    Outside Data Center
    A server selects probers from outside the data center where the server resides.
    None
    No fallback probers are selected. Prober fallback is disabled.
    Specific Prober Pool
    Select one of the probers from the list When you want to assign a prober pool at the server level.
    State:
    Indicates if the server and its resources are available for load balancing. The value must be set to Enabled.
  5. In the
    Devices
     section, specify the required fields.
  6. In the
    Configuration
     section, specify the required fields
  7. In the
    Resources
    section, specify the required details.
  8. Click
    Finished
    .

Create a DNS profile for ODoH target

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    Delivery
    Profiles
    DNS
    . The
    DNS
     screen opens.
  3. Click
    Create
    .
  4. In the
    General Properties
    section, specify this information:
    Name:
    The name <custom-dns-profile-odoh> of the DNS profile.
    Parent Profile:
    The DNS profile inherits the settings of this profile. The default value is dns.
  5. Select the
    Custom
     checkbox to enable the optional fields.
  6. In the
    DNS Features
     section, select the
    Oblivious DoH
    checkbox.
  7. Click
    Finished
    .
    The ODoH Target is currently associated with a clientssl-secure profile which has a self-signed certificate. So, create a profile associated with Certificate Authority (CA) signed certificate or disable the certificate verification on the client side.

Create a DoH Server listener using the DNS profile for ODoH target

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    Delivery
    Listeners
    GTM Listeners
    . The
    GTM Listeners List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify:
    Name:
    The name of the listener.
    Description:
    The descriptive text to identify the listener.
    State:
    Indicates if the listener is enabled or disabled to handle ‌traffic.
  5. In the
    Listener
     section with
    Basic
     options, specify this information:
    Destination:
    The IP address to which the system listens for connections. The traffic sent to this IP address is processed.
    VLAN Traffic:
    The VLAN used by the system to listen for connection. Possible options:
    Option
    Description
    All VLANS
    Applies to all the VLANS within the network segment. This option also applies if the system resides on a network segment that does not use VLANs.
    Enabled on
    Applies to the selected VLANs.
    Disabled on
    Applies to all the VLANs except the selected VLANs.
  6. In the
    Service
     section, specify this information:
    Protocol:
    The protocol the listener uses. The default value is UDP. Possible options:
    • UDP
    • TCP
    Protocol Profile (client):
    The protocol profile that defines how clients communicate with this listener. The default is based on the protocol selected from the Protocol list. Possible options:
    • a list of system-supplied
    • user-defined protocol profiles
    Protocol Profile (server):
    The protocol profile that defines how servers communicate with this listener. Possible options:
    • Use Client Profile
    • System support
    • user-defined protocol profiles
    DNS Profile:
    Defines how the listener handles DNS traffic. The default is dns profile. Possible options:list of system-supplied user-defined DNS profiles
    SSL Profile (client):
    The SSL profile for managing client-side SSL traffic. Possible options:
    • HTTP Profile
    • HTTP/2 Profile (Client)
    When the listener is created, it is also added to the created GTM server. This is a virtual server on the device that is specified in the GTM Server.

Create a GTM pool with DoH Target as a member

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    GSLB
    Pools
    Pool List
    . The
    Pool List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify this information:
    Name:
    The name of the pool.
    Type:
    The type of pool or Wide IP.
    State:
    Indicates if the pool and its resources are available for load balancing.
  5. In the
    Configuration
     section, select the Verify Member Availability checkbox and specify the required details.
  6. In the
    Members
     section, specify the
    Load Balancing Method
     and other related fields.
  7. Click
    Finished
    .

Create a GTM wide IP with the GTM pool as a member

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    GSLB
    Wide IPs
    Wide IP List
    . The
    Wide IP List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify this information:
    Name:
    The name of the Wide IP.
    Type:
    The type (A) of pool or wide IP.
    State:
    Indicates that the system can use the wide IP and the resources for load balancing.
  5. If required, specify the details in
    iRules
     section.
  6. If required, specify the details in
    Pools
     section.
  7. Click
    Finished
    .
    Make sure that the wide IP and the HPKE Key are available to create ‌Pool and wide IP with SVCB and HTTPS RR types.

Create a GTM Pool of type SVCB

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    GSLB
    Pools
    Pool List
    . The
    Pool List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify this information:
    Name:
    The name of the pool.
    Type:
    The type (SVCB) of the pool.
    State:
    Indicates that the system can use the pool and the resources for load balancing.
  5. In the
    Configuration
     section, specify the required fields.
  6. In the
    Members
     section, specify the required fields.
  7. Click
    Finished
    .

Create a WideIP of type SVCB

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    GSLB
    Wide IPs
    Wide IP List
    . The
    Wide IP List
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify this information:
    Name:
    The name of the Wide IP.
    Type:
    The type (SVCB) of pool or wide IP.
    State:
    Indicates that the system can use the wide IP and the resources for load balancing.
  5. In the
    iRules
     section, specify the required fields
  6. In the
    Pools
     section, specify the required fields.
  7. Click
    Finished
    .

Create a DNS profile

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    Delivery
    Profiles
    DNS
    . The
    DNS
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify this information:
    Name:
    The name <custom-dns-profile> of the DNS profile.
    Parent Profile:
    The DNS profile inherits the settings of this profile.
  5. Click
    Finished
    .
    Do not enable the
    Custom
     checkbox.

Create a listener with the DNS profile

  1. Log in to the
    Configuration utility
    .
  2. On the Main tab, click
    DNS
    Delivery
    Listeners
    GTM Listeners
    . The
    GTM Listeners
     screen opens.
  3. Click
    Create
    .
  4. In the
    General
     section, specify this information:
    Name:
    The name <dohTargetNameResolver> of the listener.
    Description:
    The descriptive text to identify the listener.
    State:
    Indicates if the listener is enabled or disabled to handle ‌traffic.
  5. In the
    Listener
     section with
    Basic
     options, specify:
    Destination:
    The IP address to which the system listens for connections. The traffic sent to this IP address is processed. For example: Host Address is 10.0.0.101
    VLAN Traffic:
    The VLAN used by the system to listen for connection. Possible options:OptionDescriptionAll VLANSApplies to all the VLANS within the network segment. This option also applies if the system resides on a network segment that does not use VLANs.Enabled onApplies to the selected VLANs.Disabled onApplies to all the VLANs except the selected VLANs.
  6. In the
    Service
     section with
    Basic
     options, specify this information:
    Protocol:
    The protocol the listener uses. The default value is UDP. Possible options:UDPTCP
    Protocol Profile (client):
    The protocol profile that defines how clients communicate with this listener. The default is based on the protocol selected from the Protocol list. Possible options: a list of system-supplieduser-defined protocol profiles
    Protocol Profile (server):
    The protocol profile that defines how servers communicate with this listener. Possible options:Use Client ProfileSystem supportuser-defined protocol profiles
    DNS Profile:
    The DNS profile <custom-dns-profile> that defines how the listener handles DNS traffic.
    SSL Profile (client):
    The SSL profile for managing client-side SSL traffic. Possible options:HTTP ProfileHTTP/2 Profile (Client)
    When the listener is created, it is also added to the created GTM server. This is a virtual server on the device that is specified in the GTM Server.

Configuring ODoH using TMSH commands

You can create multiple HPKE profiles using the TMSH commands.
Ensure that DNS is provisioned on the device, and the access is provided to the user for executing the TMSH commands. Following are the TMSH commands to configure ODoH.
  1. Create a data center. 
     
    tmsh create gtm datacenter testDC
  2. Create a GTM Server. It can have the automatic virtual server discovery set as enabled to discover the listener which will act as the ODoH Target.It is needed to create HPKE keys later in this procedure. 
     
    tmsh create gtm server odohServerHost { datacenter testDC devices add { 
    10.0
    .
    0.3
     
    { addresses add { 
    10.0
    .
    0.3
     
    } } } virtual-server-discovery enabled }
  3. Create an HPKE profile. 
    tmsh create ltm dns hpke profile hpke-profile
  4. Create an HPKE Key using the HPKE profile. 
    tmsh create ltm dns hpke key hpke-key profile hpke-profile
    Verify the key generation. 
    tmsh list ltm dns hpke key
    Following is an example output: 
    ltm dns hpke key hpke-key {
    generation {
        1 {
            creator bigip1.localdomain
            public-text X43zoccrC6LMDgkZBR8i9JDht3UrVhYn53P7FMdd+Ug=
        }
    }
    profile hpke-profile
}
  5. Create a DNS profile for ODoH target. 
     
    tmsh ltm profile dns odoh-dns-profile enable-odoh yes
  6. Create a DoH Server listener with the DNS profile for ODoH target
    1. When configured as the GTM listener: 
      
tmsh 
      create gtm listener odohTarget address 
      10.0
      .
      0.100
       
      port https ip-protocol tcp profiles add { odoh-dns-profile { } tcp { context clientside } udp_gtm_dns { context serverside } http { } http2 { } clientssl-secure { } }
    2. When configured as the GTM DoH Server listener:
      
tmsh 
      create gtm listener-doh-server odohTarget address 
      10.0
      .
      0.100
       
      port https profiles add { doh-server { } odoh-dns-profile { } tcp { context clientside } udp_gtm_dns { context serverside } http { } http2 { } clientssl-secure { } }
  7. Create a GTM Pool with DoH Target as a member. 
    tmsh create gtm pool a odohTargetPool members add { odohServerHost:/Common/odohTarget }
  8. Create a gtm wideip with the above pool as its member. 
    tmsh create gtm wideip a odoh.f5-dns.com pools add { odohTargetPool }
  9. Create a GTM Pool of type SVCB. 
    tmsh create gtm pool svcb odohTargetSVCBPool members add { odoh.f5-dns.com { hpke-key hpke-key } }
  10. Create a WideIP of type SVCB. 
    tmsh create gtm wideip svcb _dns.resolver.arpa pools add { odohTargetSVCBPool }
  11. Create a DNS profile. 
    tmsh create ltm profile dns custom-dns-profile
  12. Create a listener with the above profile. 
    tmsh create gtm listener dohTargetNameResolver { address 
    10.0
    .
    0.101
     
    profiles add { custom-dns-profile { } udp_gtm_dns { } } }

About ODoH log messages

The following are the log messages related to ODoH:
S. No
Description
011a0400
There was an error trying to send a HPKE Key Generation %s msg to MCP.
011a0401
Setting date of new generation %s to NOW.
011a0403
Encountered error %s while trying to set a HPKE Key Generation event timer.
011a0404
Processing %s Event for HPKE Key %s, ID %llu.
011a0405
Unable to determine primary GTM, must skip processing HPKE Key Generation events.
011a0406
Failed to create new HPKE Key Generation %s:%llu due to %s.
011a0408
Postponing expiration of HPKE Key Generation %s:%llu as the next generation has not yet been created.
011a0409
Canceling expiration of the latest HPKE Key Generation %s:%llu, resetting events for the Key.
011a040a
HPKE Key Generation %s:%llu action execution exceeded allowed processing time, canceling the action.
011a040b
Action of HPKE Key Generation %s:%llu failed or canceled, rerunning the action.
011a040c
Action of HPKE Key Generation %s:%llu failed or canceled, retry count exceeded.
011a040d
Failed to join worker-thread of HPKE Key Generation.
011a040e
Failed to re-encrypt HPKE Key Generation %s:%llu.
011a040f
HPKE Key Generation %s:%llu created: %s and %s
011a0410
HPKE Key Generation %s:%llu : expired or removed from configuration.
011a0411
HPKE Key Generation %s:%llu expired.
011ae119
Master Key decryption failed: %s.
011ae118
Master Key encryption failed: %s.

About ODoH error messages

The following are the HTML error messages:
HTML Message
HTTP Status Code
“No Error”
200 OK
“ODoH requires header Accept:application/oblivious-dns-message”
406 Not Acceptable
“ODoH Post requires header Content-type:application/oblivious-dns-message”
415 Unsupported Media Type
“ODoH only supports POST method”
400 Bad Request
“ODoH URL and method incompatible”
400 Bad Request
“Invalid DNS Packet"
400 Bad Request
“Key Mismatch”
401 Authorized
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information