F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP DNS Services: Implementations
  5. Using ZoneRunner to Configure DNS Zones
Manual Chapter : Using ZoneRunner to Configure DNS Zones

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

About ZoneRunner

You can use the ZoneRunner™ utility to create and manage DNS zone files and configure the BIND instance on BIG-IP® DNS (formerly GTM). With the ZoneRunner utility, you can:

  • Import and transfer DNS zone files
  • Manage zone resource records
  • Manage views
  • Manage a local nameserver and the associated configuration file, named.conf
  • Transfer zone files to a nameserver
  • Import only primary zone files from a nameserver

About named.conf

named.conf contains the primary operational characteristics of BIND, including DNS views, access control list definitions, and zones. The ZoneRunner™ utility updates named.conf when you modify the local BIND instance.

Using ZoneRunner to configure named.conf

Ensure that at least one zone is configured on BIG-IP® DNS.
Use ZoneRunner™ to edit named.conf, to decrease the risk of a syntax error that prevents the BIND system from performing as expected. Zonerunner provides an automatic syntax check and displays error messages to help you write the correct syntax.
  1. On the Main tab, click DNS > Zones > ZoneRunner > named Configuration .
    The named Configuration screen opens.
  2. In the Options area, type additional configurations per your network design.
  3. Click Update.

Creating a master DNS zone

A master zone is authoritative. Create a zone when you want to use ZoneRunner™ to manage DNS zones and resource records.
Tip: The BIG-IP® system can be either a primary or secondary DNS server.
  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List .
    The Zone List screen opens.
  2. Click Create.
    The New Zone screen opens.
  3. From the View Name list, select external.
    The external view is a default view to which you can assign zones.
  4. In the Zone Name field, type a period character (.).
  5. From the Zone Type list, select Master.
  6. Clear the Zone File Name field, and type the zone file name.
    db.external.siterequest.com
    Note: Do not include a trailing dot.
  7. In the Records Creation area, type the values for the SOA and NS record parameters.
  8. Click Finished.
If you want further help creating a custom zone file, see SOL8380 on www.askf5.com for instructions.

Creating a hint zone

Hint zones designate a subset of the root nameservers list. When the local nameserver starts (or restarts), the nameserver queries the root servers in the hint zone for the most current list of root servers. The root hint is built into BIND version 9.0 and later.

Create a zone when you want to use ZoneRunner™ to manage DNS zones and resource records.

Tip: The BIG-IP® system can be either a primary or secondary DNS server.
  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List .
    The Zone List screen opens.
  2. Click Create.
    The New Zone screen opens.
  3. From the View Name list, select external.
    The external view is a default view to which you can assign zones.
  4. In the Zone Name field, type a period character (.).
  5. From the Zone Type list, select Hint.
  6. Clear the Zone File Name field, and type the zone file name.
    db.external.siterequest.com
    Note: Do not include a trailing dot.
  7. Click Finished.
If you want further help creating a custom hint file, see SOL8380 on www.askf5.com for instructions.

Configuring BIG-IP DNS to allow zone file transfers

By default, BIG-IP® DNS is configured to secure BIND to not allow zone transfers except from the localhost. However, you can configure BIG-IP DNS to allow zone file transfers to other DNS servers.
  1. On the Main tab, click DNS > Zones > ZoneRunner > named Configuration .
    The named Configuration screen opens.
  2. In the Options field, modify the allow-transfer statement to include the IP address of the BIG-IP DNS.
    You can modify the following allow-transfer statement to use the IP address of the BIG-IP DNS. 
    allow-transfer {
      
      localhost;
      
      192.168.10.105;
      
      };
  3. On the menu bar, click View List.
    The View List screen opens.
  4. Click the name of the view that contains the zone you are configuring.
    The View Configuration screen opens.
  5. In the Options area, modify the match-clients statement based on your configuration.
    View configuration type Add to match-clients statement
    Single view configuration 
    view "external" { 
         match-clients { 
           "zrd-acl-000-000"; 
           any; 
         };
    Multiple view configuration, where you want to allow transfers from BIG-IP DNS Modify the following match-clients statement to use the IP address of the BIG-IP DNS. 
    acl "internal-acl" 
     { <IP address> ; 
     }; 
     
view "internal" { 
  match-clients { 
    "zrd-acl-000-001"; 
    "internal-acl"; 
    <IP address> ; 
  }; 
  
view "external" { 
  match-clients {
    "zrd-acl-000-000"; 
    any; 
  };
  6. Click Update.
To verify that zone transfers are working properly, modify this Linux command and run it on an external computer:dig @<IP address> es.net. axfr

The command should return a response similar to this:

; <<>> DiG? 9.5.0-P2 <<>> @192.17.1.253 es.net. axfr
   ; (1 server found)
   
   ;; global options: printcmd
   
   es.net. 500 IN SOA siterequest.com.
   
   hostmaster.siterequest.com. 6 10800 3600 604800 60
   
   es.net. 500 IN NS siterequest.com.
   
   a.es.net. 30 IN A 192.17.1.100
   
   b.es.net. 30 IN A 192.18.1.100
   
   es.net. 500 IN SOA siterequest.com.
   
   hostmaster.siterequest.com. 6 10800 3600 604800 60
   
   ;; Query time: 6 msec
   
   ;; SERVER: 192.17.1.253#53(192.17.1.253)
   
   ;; WHEN: Fri Mar 11 17:20:25 2011
   
   ;; XFR size: 5 records (messages 1, bytes 180)

About DNS views

A DNS view is a modification of a nameserver configuration based on the community attempting to access it. Using views, you can build multiple nameserver configurations on the same server, and have those configurations apply dynamically when the request originates from a specified source.

If your DNS handles requests from both inside and outside your company, you can create two views: internal and external.

Creating a DNS view

It is helpful to keep in mind that ZoneRunner™ contains a default view named: external.
Create an additional DNS view to modify the local nameserver configuration to allow a specific community to access it.
  1. On the Main tab, click DNS > Zones > ZoneRunner > View List .
    The View List screen opens.
  2. Click Create.
  3. In the View Name field, type a name for the view.
  4. From the View Order list, make a selection.
    Option Description
    First In the view hierarchy, this view is listed first.
    Last In the view hierarchy, this view is listed last.
    After In the view hierarchy, this view is listed immediately following the view that you select from the View List.
  5. In the Options area, modify the match-clients statement based on your configuration.
    View configuration type Add to match-clients statement
    Single view configuration 
    view "external" { 
         match-clients { 
           "zrd-acl-000-000"; 
           any; 
         };
    Multiple view configuration, where you want to allow transfers from BIG-IP DNS Modify the following match-clients statement to use the IP address of the BIG-IP DNS. 
    acl "internal-acl" 
     { <IP address> ; 
     }; 
     
view "internal" { 
  match-clients { 
    "zrd-acl-000-001"; 
    "internal-acl"; 
    <IP address> ; 
  }; 
  
view "external" { 
  match-clients {
    "zrd-acl-000-000"; 
    any; 
  };
  6. In the Options area, type additional configurations per your network design.
  7. Click Finished.

Types of DNS zone files

This table describes the types of DNS zone files.

DNS file type Description
Primary Zone files for a primary zone contain, at minimum, the start of authority (SOA) and nameserver (NS) resource records for the zone. Primary zones are authoritative, that is, they respond to DNS queries for the domain or sub-domain. A zone can have only one SOA record, and must have at least one NS record.
Secondary Zone files for a secondary zone are copies of the principal zone files. At an interval specified in the SOA record, secondary zones query the primary zone to check for and obtain updated zone data. A secondary zone responds authoritatively for the zone provided that the zone data is valid.
Stub Stub zones are similar to secondary zones, except that stub zones contain only the NS records for the zone. Note that stub zones are a specific feature of the BIND implementation of DNS. F5 Networks recommends that you use stub zones only if you have a specific requirement for this functionality.
Forward The zone file for a forwarding zone contains only information to forward DNS queries to another nameserver on a per-zone (or per-domain) basis.
Hint The zone file for a hint zone specifies an initial set of root nameservers for the zone. Whenever the local nameserver starts, it queries a root nameserver in the hint zone file to obtain the most recent list of root nameservers. Zone file import.

Types of DNS resource records

This table describes the types of DNS resource records that ZoneRunner™ supports.

DNS file type Description
SOA (Start of authority) The start of authority resource record, SOA, starts every zone file and indicates that a nameserver is the best source of information for a particular zone. The SOA record indicates that a nameserver is authoritative for a zone. There must be exactly one SOA record per zone. Unlike other resource records, you create a SOA record only when you create a new master zone file.
A (Address) The Address record, or A record, lists the IP address for a given host name. The name field is the host’s name, and the address is the network interface address. There should be one A record for each IP address of the machine.
AAAA (IPv6 Address) The IPv6 Address record, or AAAA record, lists the 128-bit IPv6 address for a given host name.
CNAME (Canonical Name) The Canonical Name resource record, CNAME, specifies an alias or nickname for the official, or canonical, host name. This record must be the only one associated with the alias name. It is usually easier to supply one A record for a given address and use CNAME records to define alias host names for that address.
DNAME (Delegation of Reverse Name) The Delegation of Reverse Name resource record, DNAME, specifies the reverse lookup of an IPv6 address. These records substitute the suffix of one domain name with another. The DNAME record instructs DNS (BIG-IP® DNS, formerly GTM) (or any DNS server) to build an alias that substitutes a portion of the requested IP address with the data stored in the DNAME record.
HINFO (Host Information) The Host Information resource record, HINFO, contains information on the hardware and operating system relevant to BIG-IP DNS (formerly GTM) (or other DNS).
MX (Mail Exchanger) The Mail Exchange resource record, MX, defines the mail system(s) for a given domain.
NAPTR (Name Authority Pointer) The Name Authority Pointer record, NAPTR, aids in the standardization of Uniform Resource Names (URNs). NAPTR records map between sets of URNs, URLs and plain domain names and suggest to clients the protocols available for communication with the mapped resource.
NS (nameserver) The nameserver resource record, NS, defines the nameservers for a given domain, creating a delegation point and a subzone. The first name field specifies the zone that is served by the nameserver that is specified in the nameservers name field. Every zone needs at least one nameserver.
PTR (Pointer) A name pointer resource record, PTR, associates a host name with a given IP address. These records are used for reverse name lookups.
SRV (Service) The Service resource record, SRV, is a pointer with which an alias for a given service is redirected to another domain. For example, if the fictional company Site Request has an FTP archive hosted on archive.siterequest.com, the IT department can create an SRV record with which the alias ftp.siterequest.com is redirected to archive.siterequest.com.
TXT (Text) The Text resource record, TXT, allows you to supply any string of information, such as the location of a server or any other relevant information that you want available.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information