1

Introduction

Getting started

The 3-DNS Controller Administrator Guide is designed to help you quickly configure your 3-DNS Controller to manage your wide-area network traffic and DNS. The Administrator Guide contains the following chapters:

• Essential Configuration Tasks
  This chapter describes the tasks you must complete, regardless of the type of wide-area traffic management you want to configure.
  
  
• Configuring a Globally Distributed Network
  This chapter describes the tasks you complete to set up a globally distributed network.
  
  
• Configuring a Content Delivery Network
  This chapter describes the tasks you complete to set up a network that includes a CDN provider.
  
  
• Adding 3-DNS Controllers to the Network
  This chapter describes the tasks you complete to configure additional 3-DNS Controllers in a network that already contains one or more 3-DNS Controllers.
  
  
• Administration and Monitoring
  This chapter describes the administrative tasks you complete for the 3-DNS Controller, as well as the monitoring tools that are provided with the controller.
  
  
• Additional Load Balancing Options
  This chapter describes the specialized load balancing modes that are available on the 3-DNS Controller, such as Quality of Service.
  
  

Choosing a configuration tool

The 3-DNS Controller provides the following web-based and command line administrative tools that make for easy setup and configuration.

First-Time Boot utility

The First-Time Boot utility is a wizard that walks you through the initial system setup. The utility helps you quickly define basic system settings, such as a root password and the IP addresses for the interfaces that connect the 3-DNS Controller to the network. The First-Time Boot utility also helps you configure access to the 3-DNS web server, which hosts the web-based Configuration utility, as well as the NameSurfer application that you can use for DNS zone file management.

Configuration utility

The Configuration utility is a web-based application that you use to configure and monitor the 3-DNS Controller. Using the Configuration utility, you can define the load balancing configuration along with the network setup, including data centers, sync groups, and servers used for load balancing and path probing. In addition, you can configure advanced features such as topology settings and SNMP agents. The Configuration utility also monitors network traffic, current connections, load balancing statistics, performance metrics, and the operating system itself.

The 3-DNS web server, which hosts the Configuration utility, provides convenient access to downloads such as the SNMP MIB and documentation for third-party applications such as NameSurfer^TM.

NameSurfer application

The NameSurfer application, produced by Data Fellows, is a third-party application that automatically configures DNS zone files associated with domains handled by the 3-DNS Controller. You can use NameSurfer to configure and maintain additional DNS zone files on 3-DNS Controllers that run as master DNS servers. The Configuration utility provides direct access to the NameSurfer application, as well as the corresponding documentation for the application.

3-DNS Maintenance menu

The 3-DNS Maintenance menu is a command line utility that executes scripts which assist you in configuration and administrative tasks, such as installing the latest version of the big3d agent on all your systems, or editing the load balancing configuration files. You can use the 3-DNS Maintenance menu directly on the 3-DNS Controller, or you can use the menu when connected to the controller using a remote shell, such as the SSH client (ssh is configured on crypto 3-DNS Controllers only), or a standard RSH client (if rsh is configured).

Browser support

The Configuration utility, which provides web-based access to the 3-DNS Controller system configuration and features, supports the following browser versions:

• Netscape Navigator 4.5 and 4.7
• Microsoft Internet Explorer, version 4.02 or later

Using the Administrator Kit

The 3-DNS® Controller Administrator Kit provides simple steps for quick, basic configuration, and also provides detailed information about more advanced features and tools, such as the 3dnsmaint command line utility. The information is organized into the guides described below.

• 3-DNS Controller Installation Guide
  The Installation Guide walks you through the basic steps needed to get the hardware plugged in and the system connected to the network. Most users turn to this guide only the first time that they set up a 3-DNS Controller. The Installation Guide also covers general network administration issues, such as setting up common network administration tools including Sendmail.
  
  
• 3-DNS Controller Administrator Guide
  The Administrator Guide provides essential configuration tasks, two examples of common wide-area load balancing solutions, and monitoring and administration options.
  
  
• 3-DNS Controller Reference Guide
  The Reference Guide provides basic descriptions of individual 3-DNS Controller objects, such as wide IPs, pools, virtual servers, load balancing modes, the big3d agent, resource records, and production rules. It also provides syntax information for 3dnsmaint commands, configuration utilities, configuration files, and system utilities.
  
  

Stylistic conventions

To help you easily identify and understand certain types of information, all F5 Networks administrative documentation uses the stylistic conventions described below.

Warning: All examples in F5 Networks' documentation use only non-routable IP addresses. When you set up the solutions we describe, you must use IP addresses suitable to your own network in place of our sample IP addresses.

Identifying new terms

When we first define a new term, the term is shown in bold italic text. For example, a virtual server is a the combination of an IP address and port that maps to a set of back-end servers.

Identifying references to objects, names, and commands

We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, the nslookup command requires that you include at least one <ip_address> variable.

Identifying references to other documents

We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two. For example, you can find information about 3dnsmaint commands in the 3dnsmaint Command Reference section of the 3-DNS Controller Reference Guide.

Identifying command syntax

We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, the following command sets the 3-DNS Controller load balancing mode to Round Robin:

lb_mode rr

Table 1.1 explains additional special conventions used in command line syntax.

Command line conventions used in this manual

Item in text	Description
\	Continue to the next line without typing a line break.
< >	You enter text for the enclosed item. For example, if the command has <your name>, type in your name.
|	Separates parts of a command.
[ ]	Syntax inside the brackets is optional.
...	Indicates that you can type a series of items.

Finding help and technical support resources

You can find additional technical documentation about the 3-DNS Controller in the following locations:

• Release notes
  The release note for the current version of the 3-DNS Controller is available from the home page of the Configuration utility. The release note contains the latest information for the current version including a list of new features and enhancements, a list of fixes, and a list of known issues.
  
  
• Online help for 3-DNS Controller features
  You can find help online in three different locations:
  • The Configuration utility home page has PDF versions of the guides included in the Administrator Kit. The 3-DNS Controller software upgrades replace the guides with updated versions as appropriate.
    
    
  • The Configuration utility has online help for each screen. Simply click the Help button in the toolbar.
    
    
  • Individual commands have online help, including command syntax and examples, in standard UNIX man page format. Type the command followed by the question mark option (-?), and the 3-DNS Controller displays the syntax and usage associated with the command.
    
    
• Third-party documentation for software add-ons
  The Configuration utility contains online documentation for the third-party software included with the 3-DNS Controller, including NameSurfer.
  
  
• Technical support through the World Wide Web
  The F5 Networks Technical Support web site, http://tech.F5.com, contains the AskF5 knowledge base and provides the latest technical notes and updates for administrator guides (in PDF and HTML formats). To access this site you must first email askf5@f5.com and obtain a customer ID and a password.
  
  

What is the 3-DNS Controller?

The 3-DNS Controller is a network appliance that manages and balances traffic over global networks. The 3-DNS Controller manages network traffic patterns using load balancing algorithms, topology-based routing, and production rules that control and distribute traffic according to specific policies. The system is highly configurable, and its web-based and command line configuration utilities allow for easy system setup and monitoring.

The 3-DNS Controller provides a variety of features that meet special needs. For example, with this product you can:

• Configure a content delivery network with a CDN provider
• Guarantee multiple port availability for e-commerce sites
• Provide dynamic persistence by maintaining a connection between an LDNS IP address and a virtual server in a wide IP pool
• Restrict local clients to local servers for globally-distributed sites using Topology load balancing
• Change the load balancing configuration according to current traffic patterns or time of day
• Customize load balancing modes
• Set up load balancing among BIG-IP Controllers, EDGE-FX Caches, and other load-balancing hosts
• Monitor real-time network conditions

Internet protocol and network management support

The 3-DNS Controller supports both standard the DNS protocol and the F5 iQuery protocol (a protocol used for collecting dynamic load balancing information). The 3-DNS Controller also supports administrative protocols, such as Simple Network Management Protocol (SNMP), and Simple Mail Transfer Protocol (SMTP) (outbound only), for performance monitoring and notification of system events. For administrative purposes, you can use SSH (distributed only in crypto 3-DNS Controllers), RSH, Telnet, and FTP. The Configuration utility supports HTTPS, for secure web browser connections using SSL (distributed only in crypto 3-DNS Controllers), as well as standard HTTP connections.

The 3-DNS Controller's SNMP agent allows you to monitor status and current traffic flow using popular network management tools, including the Configuration utility. The SNMP agent provides detailed data such as current connections being handled for each virtual server.

Security features

The 3-DNS Controller offers a variety of security features that can help prevent hostile attacks on your site or equipment.

• Secure administrative connections
  crypto versions of 3-DNS Controllers support secure shell administrative connections using the Mindterm SSH console, for local administration, and open SSH for remote administration. The 3-DNS web server, which hosts the web-based Configuration utility, supports SSL connections as well as user authentication.
  
  
• Secure iQuery communications
  crypto versions of 3-DNS Controllers also support Blowfish encryption for iQuery communications between any F5 Networks appliances running the big3d agent.
  
  
• TCP wrappers
  TCP wrappers provide an extra layer of security for network connections.
  
  

Configuration scalability

The 3-DNS Controller is a highly scalable and versatile solution. You can configure the 3-DNS Controller to manage up to several hundred domain names, including full support of domain name aliases. The 3-DNS Controller supports a variety of media options, including Fast Ethernet, Gigabit Ethernet, and FDDI; the controller also supports multiple network interface cards that can provide redundant or alternate paths to the network.

System synchronization options

The 3-DNS Controller sync group feature allows you to automatically synchronize configurations from one 3-DNS Controller to the other 3-DNS Controllers in the network, simplifying administrative management. The synchronization feature offers a high degree of administrative control. For example, you can set the controller to synchronize a specific configuration file set, and you can also set which 3-DNS Controllers in the network receive the synchronized information and which ones do not.

Configuring data collection for server status and network path data

The 3-DNS Controller platform includes a big3d agent, which is an integral part of 3-DNS Controller load balancing. The big3d agent continually monitors the availability of the servers that the 3-DNS Controller load balances. It also monitors the integrity of the network paths between the servers that host the domain and the various local DNS servers that attempt to connect to the domain. The big3d agent runs on 3-DNS Controllers, BIG-IP Controllers, and EDGE-FX Caches distributed throughout your network. Each big3d agent broadcasts its collected data to all of the 3-DNS Controllers in your network, ensuring that all 3-DNS Controllers work with the latest information.

The big3d agent offers a variety of configuration options that allow you to choose the data collection methods you want to use. For example, you can configure the big3d agent to track the number of hops (intermediate system transitions) along a given network path, and you can also set the big3d agent to collect host server performance information using the SNMP protocol.

Redundant system configurations

A redundant system is essentially a pair of 3-DNS Controller units, one operating as an active unit responding to DNS queries, and one operating as a standby unit. If the active unit fails, the standby unit takes over and begins to respond to DNS queries while the other controller reboots and becomes a standby unit.

The 3-DNS Controller actually supports two methods of checking the status of the peer system in a redundant system:

• Hardware-based fail-over
  In a redundant system that has been set up with hardware-based fail-over, the two units in the system are connected to each other directly using a fail-over cable attached to the serial ports. The standby controller checks on the status of the active controller every second using this serial link.
  
  
• Network-based fail-over
  In a redundant system that has been set up with network-based fail-over, the two units in the system communicate with each other across an Ethernet network instead of going across a dedicated fail-over serial cable. The standby controller checks on the status of the active controller every second using the Ethernet.

Note: In a network-based fail-over configuration, the standby 3-DNS Controller immediately takes over if the active unit fails. If a client had queried the failed controller, and not received an answer, it automatically re-issues the request (after 5 seconds) and the standby unit, functioning as the active controller, responds.

Managing traffic on a global network

This section provides a brief overview of how 3-DNS Controllers work within a global network and how they interact with BIG-IP Controllers, EDGE-FX Caches, and host machines in the network. The section also illustrates how the 3-DNS Controller works with the big3d agents that run in various locations in the network, and with the LDNS servers that make DNS requests on behalf of clients connecting to the Internet.

The following sample configuration shows the 3-DNS Controllers that load balance connections for a sample Internet domain named domain.com.

A sample network layout

The 3-DNS Controllers in your network sit in specific data centers, and work in conjunction with BIG-IP Controllers, EDGE-FX Caches, and host servers that also sit in your network data centers. All 3-DNS Controllers in the network can receive and respond to DNS resolution requests from the LDNS servers that clients use to connect to the domain.

Figure 1.1 illustrates the layout of the 3-DNS Controllers, the BIG-IP Controllers, and the host servers in the three data centers. The Los Angeles data center houses one 3-DNS Controller and one BIG-IP Controller, as does the New York data center. The Tokyo data center houses only one 3-DNS Controller and one host server.

Figure 1.1 A sample network layout

In the Los Angeles and New York data centers, the big3d agent runs on the BIG-IP Controller, but in the Tokyo data center, the big3d agent runs on the 3-DNS Controller. Each big3d agent collects information about the network path between the data center where it is running and the client's LDNS server in Chicago, as illustrated by the red lines. Each big3d agent also broadcasts the network path information it collects to the 3-DNS Controllers running in each data center, as illustrated by the green, blue, and purple lines.

Note: Each BIG-IP Controller and 3-DNS Controller in a data center typically runs a big3d agent.

Synchronizing configurations and broadcasting performance metrics

The 3-DNS Controllers typically work in sync groups, where a group of controllers shares load balancing configuration settings. In a sync group, any controller that has new configuration changes can broadcast the changes to any other controller in the sync group, allowing for easy administrative maintenance. To distribute metrics data among the controllers in a sync group, the principal 3-DNS Controller sends requests to the big3d agents in the network, asking them to collect specific performance and path data. Once the big3d agents collect the data, they each broadcast the collected data to all controllers in the network, again allowing for simple and reliable metrics distribution.

Using a 3-DNS Controller as a standard DNS server

When a client requests a DNS resolution for a domain name, an LDNS sends the request to the 3-DNS Controller that is authoritative for the zone. The 3-DNS Controller first chooses the best available virtual server out of a pool to respond to the request, and then returns a DNS resource record to the requesting local DNS server. The LDNS server uses the answer for the period of time defined within the resource record. Once the answer expires, however, the LDNS server must request name resolution all over again to get a fresh answer.

Figure 1.2 DNS name resolution process

Figure 1.2 illustrates the specific steps in the name resolution process.

1. The client connects to an Internet Service Provider (ISP) and queries the local DNS server to resolve the domain name www.domain.com.
   
   
2. If the information is not already in the LDNS server's cache, the local DNS server queries a root server (such as InterNIC's root servers). The root server returns the IP address of a DNS associated with www.domain.com, which in this case runs on the 3-DNS Controller.
   
   
3. The LDNS then connects to the 3-DNS Controller looking to resolve the www.domain.com name. The 3-DNS Controller uses a load balancing mode to choose an appropriate server to receive the connection, and returns the server's IP address to the LDNS.
   
   
4. The LDNS ends the connection to the 3-DNS Controller and passes the IP address to the client.
   
   
5. The client connects to the IP address through an ISP.
   
   

Load balancing connections across the network

Each of the 3-DNS Controller load balancing modes can provide efficient load balancing for any network configuration. The 3-DNS Controller bases load balancing on pools of virtual servers. When a client requests a DNS resolution, the 3-DNS Controller uses the specified load balancing mode to choose a virtual server from a pool of virtual servers. The resulting answer to this resolution request is returned as a standard A record.

Although some load balancing configurations can get complex, most load balancing configurations are relatively simple, whether you use a basic, static load balancing mode or an advanced, dynamic load balancing mode. More advanced configurations can incorporate multiple pools, as well as advanced traffic control features, such as topology or production rules.

For more information on specific load balancing modes, see Load Balancing in the Reference Guide. For more information on load balancing configurations, review the sample configurations in Chapter 3, Configuring a Globally-Distributed Network , and Chapter 4, Configuring a Content Delivery Network . If you are unfamiliar with the 3-DNS Controller, you may also want to review Chapter 2 Essential Configuration Tasks .

Working with BIG-IP Controllers and other products

The 3-DNS Controller balances connections across a group of virtual servers that run in different data centers throughout the network. You can manage virtual servers from the following types of products:

• BIG-IP Controllers
  A BIG-IP Controller virtual server maps to a series of content servers.
  
  
• EDGE-FX Caches
  An EDGE-FX Cache virtual server maps to cached content that gets refreshed at frequent intervals.
  
  
• Generic hosts
  A host virtual server can be an IP address or an IP alias that hosts the content.
  
  
• Other load balancing hosts
  Other load balancing hosts map virtual servers to a series of content hosts.
  
  

Figure 1.3 illustrates the hierarchy of how the 3-DNS Controller manages virtual servers.

Figure 1.3 3-DNS Controller load balancing management

Comparing 3-DNS Controllers and BIG-IP Controllers

While both controllers provide load balancing, one of the significant differences between the 3-DNS Controller and the BIG-IP Controller is that the 3-DNS Controller responds to DNS requests issued by an LDNS on behalf of a client, while the BIG-IP Controller provides connection management between a client and a back-end server.

Once the 3-DNS Controller returns a DNS answer to an LDNS, the conversation between the LDNS and the 3-DNS Controller ends, and the client connects to the IP address returned by the 3-DNS Controller. Unlike the 3-DNS Controller, the BIG-IP Controller sits between the client and the content servers. It manages the client's entire conversation with the content server.

What's new in version 3.0

The 3-DNS Controller offers the following major new features in version 3.0, in addition to many other enhancements.

Network Map

The Network Map allows you to see your physical and logical network configurations side-by-side, using an illustrative tree. For more information on using the Network Map, see Chapter 6, Network Map, in the 3-DNS Controller Reference Guide.

ECV service monitors

With extended content verification (ECV) service monitors, you can not only monitor the availability of a port or service on a server, but also monitor the availability of content or other items hosted by that server. For more information on using ECV health checks, see Chapter 4, Extended Content Verification, in the 3-DNS Controller Reference Guide.

IP geolocation

With the IP geolocation classifier, you can set up topology records that load balance name resolution requests to the geographically closest virtual server. You can perform topology-based load balancing among wide IP pools or within a pool. The classification feature is accurate to the country level and is available on 3-DNS Controllers that support encrypted communications. For more information on using the IP geolocation classifier and topology load balancing, see Chapter 3, Configuring a Globally-Distributed Network .

EDGE-FX Cache

The 3-DNS Controller now supports the F5 Networks EDGE-FX Cache as a server type. In general, you place an EDGE-FX Cache at any location in your network where caching ability saves bandwidth and increases the quality of service to your end users. You can use the 3-DNS Controller to manage traffic to the EDGE-FX Caches in your network. For more information on using the EDGE-FX Cache with your 3-DNS Controller, see Chapter 2, Essential Delegation Tasks .

Dynamic delegation

You can now use dynamic delegation to redirect name resolution requests to third-party DNS servers by designating a pool type CDN. You can also use dynamic delegation to distribute DNS resolutions between an origin site and a content delivery network (CDN). For more information on using dynamic delegation, see Chapter 4, Configuring a Content Delivery Network .

KBPS load balancing

A new load balancing mode, kilobytes per second (KBPS), is now available for wide IPs, BIG-IP Controllers, and hosts. This mode allows you to set up load balancing based on virtual server throughput, in kilobytes per second. You can configure KBPS as a load balancing mode for pools, and you can also configure the KBPS factor in Quality of Service (QOS) load balancing. For more information on using KBPS load balancing, see Chapter 5, Load Balancing, in the 3-DNS Controller Reference Guide.

Limit checks for availability

When you set limit checks for availability, the 3-DNS Controller can detect when a managed server or virtual server (VS) is low on system resources, such as CPU, disk, memory, or network bandwidth, and redirect the traffic to another VS. Setting limits thresholds helps eliminate any negative impact on a virtual server's performance of service tasks that may be time critical, require high bandwidth, or put high demand on system resources. You can set limits thresholds for the following objects: BIG-IP Controllers, EDGE-FX Caches, hosts, virtual servers, and pools. For more information on using limits thresholds, see Chapter 3, Configuring a Globally-Distributed Network .

Last resort pool

The wide IP pool that you designate as the last resort pool, in the Configure Load Balancing for New Pool screen, is the virtual server pool that the 3-DNS Controller uses when all other pools have reached their thresholds or are unavailable for any reason. When your network includes cache appliances hosting content from an origin site, you can designate the origin site as the last resort pool to handle requests when your cache virtual servers have reached their thresholds. You can also use the last resort pool to designate an overflow network so your origin servers remain available if network traffic spikes. For more information on using a last resort pool, see Chapter 5, Load Balancing, in the 3-DNS Controller Reference Guide.

Prober, hops, and discovery ACLs

You can now define prober, hops, and discovery access control lists (ACLs) based on CIDR definitions. This allows you to block probing for members of the ACL when you are using dynamic, Round Trip Time (RTT) probing on your 3-DNS Controller. For more information on defining prober, hops, and discovery access control lists, see Chapter 2, Access Control Lists, in the 3-DNS Controller Reference Guide.

Open SSH support

The SSH client has been upgraded to Mindbright's Mindterm SSH console. With the Mindterm SSH console, you can administer the 3-DNS Controller using the command line from a remote workstation. For more information on Mindterm, visit the Mindbright website at http://www.mindbright.se/mindterm.

Note: 3-DNS Controllers distributed outside of the United States to a select few countries, regardless of system type, do not support encrypted communications. They do not include the Mindterm SSH client, nor do they support SSL connections to the 3-DNS web server. Instead, you can use the standard Telnet, FTP, and HTTP protocols to connect to the unit and perform administrative functions.