Applies to:
3-DNS Controller versions 1.x - 4.x
- 2.1 PTF-01, 2.1.2, 2.1.0
Introduction to the 3-DNS Controller
Welcome to the 3-DNS® Controller Administrator Guide. This guide describes how to set up the 3-DNS Controller hardware and how to set up your network and load balancing configurations, as well as other 3-DNS Controller features. The Administrator guide also includes the software specifications for the 3-DNS Controller platform, and it offers some sample configurations that can help you plan your own configuration.
The 3-DNS Controller is a network appliance that manages and balances traffic over global networks. The 3-DNS Controller manages network traffic patterns using load balancing algorithms, topology-based routing, and production rules that control and distribute traffic according to specific policies. The system is highly configurable, and its web-based and command line configuration utilities allow for easy system setup and monitoring.
The 3-DNS Controller provides a variety of features that meet special needs. For example, with this product you can:
- Guarantee multiple port availability for e-commerce sites
- Provide dynamic persistence by maintaining a connection between an LDNS IP address and a virtual server in a wide IP pool
- Restrict local clients to local servers for internationally-distributed sites
- Change the load balancing configuration according to current traffic patterns or time of day
- Customize load balancing modes
- Use network management tools to monitor 3-DNS via SNMP
The 3-DNS Controller supports both the standard DNS protocol and the F5 iQuery protocol (a protocol used for collecting dynamic load balancing information). The 3-DNS Controller also supports administrative protocols, such as Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) (outbound only), for performance monitoring and notification of system events. For administrative access, you can use the F-Secure SSH client (distributed only in crypto 3-DNS Controllers), which provides a secure shell connection, as well as rsh, Telnet, and FTP. The Configuration utility supports secure connections via SSL (distributed only in crypto 3-DNS Controllers), as well as standard HTTP connections.
The 3-DNS Controller's SNMP agent allows you to monitor status and current traffic flow using popular network management tools, including the Configuration utility. The SNMP agent provides detailed data such as current connections being handled for each virtual server.
The 3-DNS Controller offers a variety of security features that can help prevent hostile attacks on your site or equipment.
- Secure administrative connections
Crypto versions of 3-DNS Controllers support secure shell administrative connections via F-Secure SSH. The 3-DNS web server, which hosts the web-based Configuration utility, supports SSL connections as well as user authentication.
- Secure iQuery communications
Crypto versions of 3-DNS Controllers also support Blowfish encryption for iQuery communications between controllers running the big3d agent.
- TCP wrappers
TCP wrappers provide an extra layer of security for network connections.
- IP address filtering
The IP filtering feature, based on BSD IP packet filtering, specifically accepts or denies connections received from particular IP addresses or ranges of IP addresses.
The 3-DNS Controller is a highly scalable and versatile solution. You can configure the 3-DNS Controller to manage up to several hundred domain names, including full support of domain name aliases. The 3-DNS Controller supports a variety of media options, including Fast Ethernet, Gigabit Ethernet, and FDDI; it also supports multiple network interface cards that can provide redundant or alternate paths to the network.
The 3-DNS Controller provides the following web-based and command line administrative tools that make for easy setup and configuration.
First-Time Boot utility
The First-Time Boot utility is a wizard that walks you through the initial system set up. The utility helps you quickly define basic system settings, such as a root password and the IP addresses for the interfaces that connect the 3-DNS Controller to the network. The First-Time Boot utility also helps you configure access to the 3-DNS web server, which hosts the web-based Configuration utility, as well as the NameSurfer application that you can use for DNS zone file management.
The Configuration utility is a web-based application that you use to configure and monitor the 3-DNS Controller. Using the Configuration utility, you can define the load balancing configuration along with the network setup, including data centers, sync groups, and servers used for load balancing and path probing. In addition, you can configure advanced features such as topology settings, IP filters, and the SNMP agent. The Configuration utility also monitors network traffic, current connections, load balancing statistics, and the operating system itself.
The 3-DNS web server, which hosts the Configuration utility, provides convenient access to downloads such as the SNMP MIB and documentation for third-party applications such as NameSurfer™.
The NameSurfer application is a third-party application, produced by Data Fellows, that automatically configures DNS zone files associated with domains handled by the 3-DNS Controller. You can use NameSurfer to configure and maintain additional DNS zone files on 3-DNS Controllers that run as master DNS servers. The Configuration utility provides direct access to the NameSurfer application, as well as the corresponding documentation for the application.
3-DNS Maintenance menu
The 3-DNS Maintenance menu is a command line utility that executes scripts which assist you in configuration and administrative tasks, such as installing the latest version of the big3d agent on all your systems, or editing the load balancing configuration files. You can use the 3-DNS Maintenance menu directly on the 3-DNS Controller, or you can use the menu when connected to the controller via a remote shell, such as the SSH client (on crypto 3-DNS Controllers only), or a standard rsh client (if rsh is configured).
The Configuration utility, which provides web-based access to the 3-DNS Controller system configuration and features, supports the following browser versions:
- Netscape Navigator 4.5 or later
- Microsoft Internet Explorer, version 4.02 or later
The 3-DNS Controller sync group feature allows you to automatically synchronize configurations from one 3-DNS Controller to the other 3-DNS Controllers in the network, simplifying administrative management. The synchronization feature offers a high degree of administrative control. For example, you can set the controller to synchronize a specific configuration file set, and you can also set which 3-DNS Controllers in the network receive the synchronized information and which ones do not.
The 3-DNS Controller platform includes a big3d agent, which is an integral part of 3-DNS Controller load balancing. The big3d agent continually monitors the availability of the servers that the 3-DNS Controller load balances. It also monitors the integrity of the network paths between the servers that host the domain and the various client LDNS servers that attempt to connect to the domain. The big3d agent runs on 3-DNS Controllers and BIG-IP Controllers distributed in various locations in your network. Each big3d agent broadcasts its collected data to all of the 3-DNS Controllers in your network, ensuring that all 3-DNS Controllers work with the latest information.
The big3d agent offers a variety of configuration options which allow you to choose the types of data collection methods you want to use. For example, you can configure the big3d agent to track the number of hops (intermediate system transitions) along a given network path, and you can also set the big3d agent to collect host server performance information using the SNMP protocol.
A redundant system is essentially a pair of 3-DNS Controller units, one operating as an active unit responding to DNS queries, and one operating as a standby unit. If the active unit fails, the standby unit takes over and begins to respond to DNS queries while the other controller reboots and becomes a standby unit.
The 3-DNS Controller actually supports two methods of checking status of the peer system:
- Hardware-based fail-over
In a system that has been set up with hardware-based fail-over, the two units in the system are connected to each other directly using a fail-over cable attached to the serial ports. The standby controller checks on the status of the active controller every second using this serial link. The controllers check on each other's status using that link.
- Network-based fail-over
In a system that has been set up with network-based fail-over, the two units in the system communicate with each other across an Ethernet network instead of going across a dedicated fail-over serial cable. The standby controller checks on the status of the active controller every second using the Ethernet. The controllers check each other's status using that link.
Note: In a network-based fail-over configuration, the standby 3-DNS Controller immediately takes over if the active unit fails. If a client had queried the failed controller, and not received an answer, it automatically re-issues the request (after 5 seconds) and the standby unit, functioning as the active controller, responds.
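The fail-over timeline described above, modelled in discrete one-second steps. This is an added illustration written for this page, not code from the 3-DNS Controller: the standby unit checks the active unit once a second and takes over when the check fails, a client whose query went unanswered re-issues it after 5 seconds, and the failed unit comes back as the standby once it has rebooted. The unit names, the 30-second reboot time and the rule that a single failed check triggers the takeover are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CHECK_INTERVAL = 1    # seconds between the standby's status checks (from the guide)
CLIENT_RETRY = 5      # seconds before an unanswered client re-issues its query (from the guide)
REBOOT_SECONDS = 30   # assumption: time the failed unit needs to reboot and rejoin as standby


@dataclass
class Unit:
    name: str
    role: str             # "active", "standby" or "rebooting"
    reboot_left: int = 0  # seconds of reboot remaining while role == "rebooting"


@dataclass
class RedundantPair:
    units: List[Unit]
    events: List[str] = field(default_factory=list)

    def _with_role(self, role: str) -> Optional[Unit]:
        return next((u for u in self.units if u.role == role), None)

    def crash(self, name: str, t: int) -> None:
        """The named unit stops responding and starts its reboot."""
        u = next(u for u in self.units if u.name == name)
        u.role, u.reboot_left = "rebooting", REBOOT_SECONDS
        self.events.append(f"t={t}: {name} failed")

    def tick(self, t: int) -> None:
        """One CHECK_INTERVAL elapses: finish any reboot, then the standby checks the
        active unit over the fail-over link and takes over if the check fails."""
        for u in self.units:
            if u.role == "rebooting":
                u.reboot_left -= CHECK_INTERVAL
                if u.reboot_left <= 0:
                    u.role = "standby"
                    self.events.append(f"t={t}: {u.name} rebooted, now standby")
        standby = self._with_role("standby")
        if standby is not None and self._with_role("active") is None:
            standby.role = "active"   # assumption: one failed check is enough to take over
            self.events.append(f"t={t}: {standby.name} took over as active")

    def answer(self) -> Optional[str]:
        """Name of the unit currently answering DNS queries, or None if neither can."""
        active = self._with_role("active")
        return active.name if active is not None else None


def simulate(crash_at: int, query_times: List[int],
             duration: int = 45) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Run a constructed pair for `duration` seconds, crashing the active unit at
    `crash_at` and sending client queries at `query_times`.
    Returns (answered queries as (time, answering unit), event log)."""
    pair = RedundantPair([Unit("3dns-1", "active"), Unit("3dns-2", "standby")])
    due = sorted(query_times)
    answered: List[Tuple[int, str]] = []
    for t in range(0, duration, CHECK_INTERVAL):
        if t == crash_at:
            pair.crash("3dns-1", t)
        # Queries arriving this second; one that gets no answer is re-issued after CLIENT_RETRY.
        for q in [q for q in due if q == t]:
            due.remove(q)
            who = pair.answer()
            if who is None:
                due.append(t + CLIENT_RETRY)
            else:
                answered.append((t, who))
        pair.tick(t)
    return answered, pair.events
```

Running `simulate(10, [5, 10, 12])` shows the query that arrives in the same second as the failure going unanswered and being re-issued at t=15, by which time the former standby has been active for five seconds; the failed unit rejoins as standby at t=39.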
The 3-DNS Controller supports easy configuration of the BSD operating system method of IP packet filtering. In the Configuration utility, you can configure individual IP packet filters, which can control both in-bound and out-bound network traffic. For example, you can specify a single IP address or a range of IP addresses from which the 3-DNS Controller either accepts or denies network traffic. You can also specify one or more IP addresses to which you specifically want to allow or prevent out-bound connections.
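Address-based packet filtering of the kind described above, as an added example for this page rather than the 3-DNS Controller's own filter syntax or the BSD packet filter implementation: an ordered rule list in which inbound rules match a packet's source address, outbound rules match its destination, and the first matching rule decides. The one-line rule format, the sample addresses and the default policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in": match the source address; "out": match the destination
    action: str                     # "accept" or "deny"
    network: ipaddress.IPv4Network  # a single address (/32) or a range in CIDR form


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule format '<in|out> <accept|deny> <address or CIDR>',
    one rule per line; blank lines and '#' comments are ignored. Order is preserved."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("in", "out") or parts[1] not in ("accept", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        # strict=False accepts a bare host address as well as '198.51.100.0/24'
        rules.append(Rule(parts[0], parts[1], ipaddress.ip_network(parts[2], strict=False)))
    return rules


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; when no rule matches, the default policy applies."""
    addr = ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)
    for rule in rules:
        if rule.direction == pkt.direction and addr in rule.network:
            return rule.action
    return default


# Constructed rule set using documentation address ranges: the controller's management
# subnet, one blocked host inside an otherwise permitted partner range, and an outbound block.
SAMPLE_RULES = parse_rules("""
in  accept 192.0.2.0/24        # management network
in  deny   198.51.100.7        # blocked host; must precede the range rule below
in  accept 198.51.100.0/24     # partner range
out deny   203.0.113.0/24      # never connect out to this range
""")
```

Because evaluation stops at the first match, the deny for the single host has to precede the accept for its range; swapping the two lines silently lets the host through. Leaving `default="deny"` means an address that matches no rule is dropped, which is the safer default for the administrative interfaces listed earlier on this page.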
This section provides a brief overview of how 3-DNS Controllers work within a global network and how they interact with BIG-IP Controllers and host machines in the network. The section also illustrates how the 3-DNS Controller works with the big3d agents that run in various locations in the network, as well as the LDNS servers that make DNS requests on behalf of clients connecting to the Internet.
The following sample configuration shows 3-DNS Controllers that load balance connections for a sample Internet domain named domain.com.
3-DNS Controllers sit in specific data centers in your network, and work in conjunction with BIG-IP Controllers and with generic host servers that also sit in your network data centers. All 3-DNS Controllers in the network can receive and respond to DNS resolution requests from the LDNS servers that clients use to connect to the domain.
Figure 1.1 illustrates the layout of the 3-DNS Controllers, BIG-IP Controllers, and host servers in the three data centers. The Los Angeles data center houses one 3-DNS Controller and one BIG-IP Controller, as does the New York data center. The Tokyo data center houses only one 3-DNS Controller and one host server.
In the Los Angeles and New York data centers, the big3d agent runs on the BIG-IP Controller, but in the Tokyo data center, the big3d agent runs on the 3-DNS Controller. Each big3d agent collects information about the network path between the data center where it is running and the client's LDNS server in Chicago, as illustrated by the red lines. Each big3d agent also broadcasts the network path information it collects to the 3-DNS Controllers running in each data center, as illustrated by the green, blue, and purple lines.
3-DNS Controllers typically work in sync groups where a group of controllers shares load balancing configuration settings. In a sync group, any controller that has new configuration changes can broadcast the changes to any other controller in the sync group, allowing for easy administrative maintenance. To distribute metrics data among the controllers in a sync group, the principal 3-DNS Controller sends requests to the big3d agents in the network, asking them to collect specific performance and path data. Once the big3d agents collect the data, they each broadcast the collected data to all controllers in the network, again allowing for simple and reliable metrics distribution.
When a client requests a DNS resolution for a domain name, DNS sends the request to the 3-DNS Controller that is authoritative for the zone (running as a master DNS server for the domain). The 3-DNS Controller chooses the best available virtual server out of a pool, and then returns a standard DNS answer record (an A record) to the requesting LDNS server. The LDNS server uses the answer for the period of time defined within the A record. Once the answer expires, however, the LDNS server must request name resolution all over again to get a fresh answer.
Figure 1.2 illustrates the specific steps in the name resolution process.
- The client connects to an Internet Service Provider (ISP) and queries the LDNS to resolve the domain name www.domain.com.
- If the information is not already in the LDNS server's cache, the LDNS server queries a root server (such as InterNIC's root servers). The root server returns the IP address of a DNS associated with www.domain.com, which in this case runs on the 3-DNS Controller.
- The LDNS then connects to the 3-DNS Controller looking to resolve the www.domain.com name. The 3-DNS Controller uses a load balancing mode to choose an appropriate server to receive the connection, and returns the server's IP address to the LDNS.
- The LDNS ends the connection to the 3-DNS Controller and passes the IP address to the client.
- The client connects to the IP address via the ISP.
Note: The dotted portion of line 5 indicates that the actual hardware for this step is not shown, due to the number of ways ISPs can configure their networks. The actual machines that handle all other transaction events are shown, so all other lines are solid.
Each of the 3-DNS Controller load balancing modes can provide efficient load balancing for any network configuration. The 3-DNS Controller bases load balancing on pools of virtual servers. When a client requests a DNS resolution, the 3-DNS Controller uses the specified load balancing mode to choose a virtual server from a pool of virtual servers. The resulting answer to this resolution request is returned as a standard A record.
Although some load balancing configurations can get complex, most load balancing configurations are relatively simple, whether you use a basic, static load balancing mode or an advanced, dynamic load balancing mode. More advanced configurations can incorporate multiple pools, as well as advanced traffic control features, such as topology or production rules. (For a list of individual load balancing modes, see Choosing a load balancing mode, on page 2-27.)
The 3-DNS Controller balances connections across a group of virtual servers that run in different data centers throughout the network. You can manage virtual servers from the following types of products:
- BIG-IP Controllers
A BIG-IP Controller virtual server maps to a series of content servers.
- Generic hosts
A host virtual server can be an IP address or an IP alias that hosts the content.
- Other load balancing products
Other load balancing products map virtual servers to a series of content hosts.
Figure 1.3 illustrates the hierarchy of virtual server management in our sample configuration.
How 3-DNS Controllers differ from BIG-IP Controllers
While both controllers provide load balancing, one of the significant differences between the 3-DNS Controller and the BIG-IP Controller is that the 3-DNS Controller responds to DNS requests issued by an LDNS on behalf of a client, while the BIG-IP Controller provides connection management between the client and the back-end server.
Once the 3-DNS Controller returns a DNS answer to an LDNS, the conversation between the LDNS and the 3-DNS Controller ends, and the client connects to the IP address returned by the 3-DNS Controller. Unlike 3-DNS, the BIG-IP Controller sits between the client and the content servers. It manages the client's entire conversation with the content server.
The 3-DNS Controller offers the following new features in version 2.1.
The 3-DNS Controller now provides dynamic persistence, enabling you to maintain a connection between an LDNS and a particular virtual server in a wide IP, rather than load balancing the connection to any available virtual server. For information on how to configure this option, view the Configuration utility online help for the Edit Wide IP screen.
The 3-DNS Controller can now acquire metrics from the Cisco LocalDirector and load balance to a LocalDirector using both basic and advanced load balancing modes. For more information on this feature, see Configuring host SNMP settings, on page 4-15.
The 3-DNS Controller has a new, advanced load balancing mode called VS Capacity. This dynamic load balancing mode is a stand-alone mode as well as part of the Quality of Service (QOS) mode. For more information on this load balancing mode, see VS Capacity mode, on page 5-10.
The TCP protocol has been added, so you can now choose UDP or TCP as an iQuery transport option when defining BIG-IP and 3-DNS Controllers. For information on how to configure this option, view the Configuration utility online help for the Add New 3-DNS Controller and Add New BIG-IP Controller screens.
Also, the iQuery protocol is now backward compatible with 3-DNS Controller, version 2.0.X.
The 3-DNS Controller, version 2.1 incorporates BIND version 8.2.2 p5.
You can now specify precisely which protocols to use when probing LDNS servers and hosts, and in what order to use the protocols. In addition, we have added two new protocols to the list, DNS_VER and DNS_DOT. For information on how to configure this option, view the Configuration utility online help for the System - Metric Collection screen.
You can now use the Configuration utility to change the status of objects, and either disable or enable the objects. The objects you can change the status of include wide IPs, wide IP pools, sync groups, data centers, 3-DNS Controllers, BIG-IP Controllers, host servers, and virtual servers. There is a hierarchy among these objects. If one object is disabled, all objects that the object owns are implicitly disabled. For example, by disabling a data center, you implicitly disable all of its servers and virtual servers. To enable these servers and virtual servers, you must first enable the data center.
You can also view the status of the various objects in each object's statistics screen. For information on how to configure this option, view the Configuration utility online help for the specific object for which you want to change status.
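The name resolution and load balancing behaviour described earlier on this page (a wide IP pool, a virtual server chosen per query, an A record cached by the LDNS until its TTL expires), together with dynamic persistence and the object status hierarchy described just above, in one added model. This is example code written for this page, not 3-DNS Controller internals: the class and object names, the use of round robin as the static load balancing mode, the 30-second TTL and the sample topology (BIG-IP Controllers in Los Angeles and New York, a host in Tokyo, after Figure 1.1) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DataCenter:
    name: str
    enabled: bool = True


@dataclass
class Server:                 # a BIG-IP Controller or a generic host
    name: str
    dc: DataCenter
    enabled: bool = True


@dataclass
class VirtualServer:
    ip: str
    server: Server
    enabled: bool = True
    up: bool = True           # availability as reported by the big3d agent

    def available(self) -> bool:
        """Effective status: usable only if it, its server and its data center are all enabled."""
        return self.up and self.enabled and self.server.enabled and self.server.dc.enabled


@dataclass
class WideIP:
    name: str
    pool: List[VirtualServer]
    ttl: int = 30             # seconds the LDNS may keep the A record (assumed value)
    persistence: bool = False
    _next: int = 0            # round robin cursor
    _sticky: Dict[str, str] = field(default_factory=dict)   # LDNS address -> virtual server IP

    def choose(self, ldns: str) -> Optional[VirtualServer]:
        """Round robin over the available virtual servers; with dynamic persistence an
        LDNS keeps its previous virtual server for as long as that server is available."""
        candidates = [vs for vs in self.pool if vs.available()]
        if not candidates:
            return None
        if self.persistence:
            for vs in candidates:
                if vs.ip == self._sticky.get(ldns):
                    return vs
        vs = candidates[self._next % len(candidates)]
        self._next += 1
        if self.persistence:
            self._sticky[ldns] = vs.ip
        return vs


@dataclass
class Controller:
    wideips: Dict[str, WideIP]

    def resolve(self, qname: str, ldns: str) -> Optional[Tuple[str, str, int]]:
        """Answer an LDNS query with an A record (name, address, ttl), or None if nothing is available."""
        wip = self.wideips.get(qname)
        vs = wip.choose(ldns) if wip else None
        return None if vs is None else (qname, vs.ip, wip.ttl)


@dataclass
class LDNS:
    address: str
    controller: Controller
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # qname -> (address, expiry)
    queries_sent: int = 0

    def lookup(self, qname: str, now: int) -> Optional[str]:
        """Serve the cached answer until its TTL expires, then query the controller again."""
        hit = self.cache.get(qname)
        if hit and now < hit[1]:
            return hit[0]
        self.queries_sent += 1
        rec = self.controller.resolve(qname, self.address)
        if rec is None:
            self.cache.pop(qname, None)
            return None
        self.cache[qname] = (rec[1], now + rec[2])
        return rec[1]


def sample(persistence: bool = False) -> Tuple[Controller, Dict[str, DataCenter]]:
    """Constructed topology: BIG-IP virtual servers in Los Angeles and New York, a host in Tokyo."""
    la, ny, tokyo = DataCenter("Los Angeles"), DataCenter("New York"), DataCenter("Tokyo")
    pool = [VirtualServer("192.0.2.10", Server("bigip-la", la)),
            VirtualServer("198.51.100.10", Server("bigip-ny", ny)),
            VirtualServer("203.0.113.10", Server("host-tokyo", tokyo))]
    wip = WideIP("www.domain.com", pool, persistence=persistence)
    return Controller({"www.domain.com": wip}), {"la": la, "ny": ny, "tokyo": tokyo}
```

Two points the model makes visible: the controller's choice only takes effect when the LDNS re-queries after the TTL, so a short TTL is what lets a failed or disabled data center drop out of answers quickly; and disabling the Tokyo data center removes its virtual server from the candidates without touching the virtual server object itself, which is the implicit-disable hierarchy described above.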
The new 3dns_backup script creates a backup file that, once restored, configures a 3-DNS Controller with the same configuration as the 3-DNS Controller that created the backup. You can copy the backup file to another computer system or to a diskette.
The 3dns_restore script restores a backup file that was created using the 3dns_backup script, and configures a 3-DNS Controller with the same configuration as the 3-DNS Controller that originally created the backup.
You can now configure multiple pools for specific wide IPs using the Configuration utility. These pools may now contain both host server and BIG-IP Controller virtual servers.
When you use NameSurfer, subnetting management is now integrated into the Configuration utility.
- When you create a wide IP, the NameSurfer zone files allow forward and reverse references to the virtual servers and the wide IP itself.
- When you delete a virtual server or wide IP using the Configuration utility, the 3-DNS Controller now deletes the appropriate forward and reverse records from the NameSurfer zones.
- When you add virtual servers to the wide IP, the 3-DNS Controller now creates the appropriate forward and reverse records in the NameSurfer zones.
- When you add or change a wide IP alias, the 3-DNS Controller now makes the appropriate changes to the NameSurfer zones.
You can now create a probing exclusion list that contains a group of LDNS IP addresses whose paths the 3-DNS Controller will not probe. There are three different types of ACLs:
The 3-DNS Controller restricts any big3d agent from probing this group of LDNS servers. For example, in the wideip.conf file you would type:
The 3-DNS Controller restricts any big3d agent from tracerouting this group of LDNS servers. For example, in the wideip.conf file you would type:
The 3-DNS Controller restricts any big3d agent from performing port discovery on this group of LDNS servers. For example, in the wideip.conf file you would type:
When upgrading the product, the upgrade_install script rolls up the old installation. This enables you, if necessary, to uninstall the newest installation and restore the old one.
When installing the 3-DNS Controller, you now have the option to synchronize to a public time server. For more information on this feature, see Configuring NTP clocks, on page 3-15.
The 3-DNS Controller includes a new timer_sync_state variable which enables you to specify the interval (in seconds) at which the 3-DNS Controller checks to see if it should change states (from principal to receiver or from receiver to principal).
The first enabled 3-DNS Controller listed in a sync list is the principal, and the others are receivers. The controller changes states under the following circumstances:
- If the principal is disabled, the next enabled controller listed in the sync list becomes the principal.
- When the original principal becomes enabled, it returns to a principal state, and the temporary principal returns to a receiver state.
For information on how to configure this option, view the Configuration utility online help for the System - Timers & Task Intervals screen.
The 3-DNS Controller now supplies more detailed log messages.
You can now manage F5 products from a single screen. For example, the BIG-IP Controllers screen shows all BIG-IP Controllers managed by the 3-DNS Controller. If you click a BIG-IP Controller from the Launch column, the Configuration utility for the corresponding BIG-IP Controller opens.
You can find additional technical documentation about the 3-DNS Controller in the following locations:
- Release notes
The release note for the current version of the 3-DNS Controller is available from the home page of the Configuration utility. The release note contains the latest information for the current version including a list of new features and enhancements, a list of fixes, and a list of known issues.
- Online help for 3-DNS Controller features
You can find help online in three different locations:
- The Configuration utility home page has a PDF version of this administrator guide. Note that some 3-DNS Controller upgrades replace the online administrator guide with an updated version of the guide.
- The Configuration utility also has online help for each screen. Simply click the Help button in the toolbar.
- Individual commands have online help, including command syntax and examples, in standard UNIX man page format. Simply type the command followed by the question mark option (-?), and the 3-DNS Controller displays the syntax and usage associated with the command.
- Third-party documentation for software add-ons
The Configuration utility contains online documentation for all third-party software included with the 3-DNS Controller, including NameSurfer and GateD.
- Technical support via the World Wide Web
The F5 Networks Technical Support web site, http://tech.F5.com, contains the AskF5 knowledge base and provides the latest technical notes and updates for administrator guides (in PDF and HTML formats). To access this site you must first email firstname.lastname@example.org and obtain a customer ID and a password.