Applies To:
BIG-IP GTM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
BIG-IP LTM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
What is DNS Express?
DNS Express is an engine that provides the ability for the BIG-IP system to act as a high-speed, authoritative DNS server. With DNS Express configured, the BIG-IP system can answer DNS queries for a DNS zone and respond to zone transfer requests from specified DNS nameservers (clients). Additionally, zone transfer communications can be secured with TSIG keys.
About configuring DNS Express
You can configure the BIG-IP system to use the DNS Express engine to answer queries for a DNS zone. This involves a zone transfer from the authoritative DNS server into DNS Express, after which DNS Express can answer DNS queries for the zone. For this configuration you create the following objects in the order described.
- TSIG key (optional)
- Obtain the TSIG key data from the authoritative DNS server that hosts the zone and create a TSIG key object.
- Nameserver object
- Create a nameserver object to represent the authoritative DNS server. Optionally, add the TSIG key.
- DNS zone
- Create a zone object and in the DNS Express area, select the nameserver object that represents the authoritative DNS server that hosts the zone.
- Custom DNS profile (optional)
- Create a custom DNS profile based on your network architecture.
- DNS listener or LTM virtual server
- Create a DNS listener or LTM virtual server and select a DNS profile. You can use either the default DNS profile or the custom DNS profile.
Additionally, you can configure the BIG-IP system to use the DNS Express engine to answer zone transfer requests for a DNS zone from a DNS nameserver that answers DNS queries. For this configuration you create or modify the following objects in the order described.
- TSIG key (optional)
- Obtain the TSIG key data from the DNS nameserver client that you want to allow to send zone transfer requests for the DNS zone and create a TSIG key object.
- Nameserver object
- Create a nameserver object to represent the DNS nameserver that will make the zone transfer request. Optionally, add the TSIG key.
- DNS zone
- Modify the zone object to add zone transfer clients to the zone. In the Zone Transfer Clients area, select the nameserver object you created.
- Custom DNS profile (optional)
- Modify the DNS profile to allow zone transfers from the BIG-IP system to the client.
Configuring DNS Express to answer DNS queries
DNS Express can answer DNS queries for a DNS zone configured on and transferred to the BIG-IP system. Optionally, DNS Express can use TSIG keys to validate zone transfer communications between the BIG-IP system and the authoritative DNS server hosting the zone.
Example of loading a zone into DNS Express
In this figure, an administrator at Site Request creates a DNS zone with a DNS Express server. The name of the DNS zone on the BIG-IP system matches the name of the zone on the authoritative DNS server. The creation of the zone initiates a zone transfer request from DNS Express to the authoritative DNS server that hosts the zone. The server responds with a zone transfer and the zone is loaded into the DNS Express engine.
- Creation of siterequest.com DNS zone with a DNS Express server on the BIG-IP system initiates an unsolicited zone transfer request.
- Authoritative DNS server responds with zone transfer and DNS Express loads the zone.
Example of DNS Express answering DNS queries
In this figure, as the zone is updated, the authoritative DNS server sends a NOTIFY to DNS Express, which responds with a zone transfer request. The server responds with a zone transfer and the zone is updated in DNS Express. When the LDNS sends a query for the zone, DNS Express can answer the query faster than the authoritative DNS server.
- When zone update occurs, DNS server sends NOTIFY message to DNS Express.
- DNS Express sends zone transfer request in response.
- DNS server answers with zone transfer and DNS Express updates the zone.
- LDNS sends DNS query for the zone.
- DNS Express answers with authoritative response. The response is faster than the authoritative DNS server.
About TSIG key authentication
The BIG-IP system can use transaction signature (TSIG) keys to authenticate communications about zone transfers between the BIG-IP system and authoritative DNS servers, and between the BIG-IP system and DNS nameservers (clients). TSIG keys are generated by a third party tool such as BIND's keygen utility. Using TSIG keys is optional.
- TSIG key configured on authoritative DNS server
- You can add a TSIG key to a nameserver object that represents an authoritative DNS server. With this configuration, when the DNS server sends a NOTIFY message to the BIG-IP system, DNS Express responds with a TSIG-signed zone transfer request. Then the DNS server returns a TSIG-signed zone transfer. If required, you can disable the Verify Notify TSIG option on the DNS zone. With this configuration, DNS Express can process a NOTIFY message without a TSIG key, even when a subsequent zone transfer requires a TSIG key.
- TSIG key configured on DNS nameserver (client)
- You can add a TSIG key to a nameserver object that represents a DNS nameserver (client). When the client sends a TSIG-signed zone transfer request, DNS Express returns a TSIG-signed zone transfer.
- TSIG key configured on DNS zone
- You can add a server TSIG key to a DNS zone on the BIG-IP system. With this configuration, the system uses this TSIG key when the zone on the BIG-IP system is a proxy for the zone on the server. There are two possible scenarios:
- Client sends TSIG-signed zone transfer request
When the BIG-IP system receives a TSIG-signed zone transfer request from a client for a DNS zone for which it is a proxy, the system validates the client TSIG key and removes the key from the request. The system then adds the server TSIG key to the request and forwards the TSIG-signed request to the DNS server or load balances the TSIG-signed request to a pool of DNS servers. The DNS server responds with a TSIG-signed zone transfer. The BIG-IP system validates the server TSIG key and removes the key. Then the system adds the client TSIG key and returns a TSIG-signed zone transfer to the client.
- Client sends unsigned zone transfer request
When the BIG-IP system receives an unsigned zone transfer request from a client for a DNS zone for which it is a proxy, the system adds the server TSIG key to the request. The system then forwards the TSIG-signed request to the DNS server or load balances the TSIG-signed request to a pool of DNS servers. The DNS server responds with a TSIG-signed zone transfer. The BIG-IP system validates the server TSIG key and removes the key. Then the system returns an unsigned zone transfer to the client.
About listeners
A listener is a specialized virtual server that passively checks for DNS packets on port 53 and the IP address you assign to the listener. When a DNS request is sent to the IP address of the listener, the BIG-IP system either handles the request or forwards the request to the appropriate resource.
Task summary
Perform these tasks to configure DNS Express to answer DNS queries for a DNS zone:
Configuring BIND servers to allow zone transfers
When you want to improve the speed of responses to DNS queries, you can configure a BIND server to allow zone transfers only to the DNS Express engine on the BIG-IP system. You do this by adding an allow-transfer statement to named.conf on the BIND server.
Configuring local BIND to send NOTIFY messages to DNS Express
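As an added example (not from the F5 documentation), here is a named.conf fragment for the authoritative BIND server that hosts siterequest.com, covering both the allow-transfer statement above and the NOTIFY configuration. It assumes the BIG-IP DNS Express listener is at 192.0.2.10, that the key name and its secret are placeholders, and BIND 9.9 or later for the key clause in also-notify.

```conf
// Constructed example for the authoritative BIND server (not from the F5 docs).
// Assumed: BIG-IP listener at 192.0.2.10; key name and secret are placeholders.
// Generate a real secret with BIND's tsig-keygen (or dnssec-keygen on older BIND),
// e.g.  tsig-keygen -a hmac-sha256 bigip-dnsexpress-key
// and install the same name and secret as the TSIG key object on the BIG-IP system.
key "bigip-dnsexpress-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";   // placeholder, not a real key
};

zone "siterequest.com" {
    type master;
    file "/var/named/siterequest.com.zone";

    // Allow zone transfers only when the request is BOTH from the BIG-IP address
    // AND signed with the shared TSIG key. The nested negated list rejects every
    // source other than 192.0.2.10 before the key match is evaluated, so a leaked
    // key alone is not enough to pull the zone from elsewhere.
    allow-transfer { !{ !192.0.2.10; any; }; key "bigip-dnsexpress-key"; };

    // Send a TSIG-signed NOTIFY to DNS Express on every zone update so it
    // re-pulls the zone immediately instead of waiting for the SOA refresh.
    // "notify explicit" limits NOTIFY to the also-notify list. The signature on
    // the NOTIFY is what the BIG-IP "Verify Notify TSIG" zone option checks.
    notify explicit;
    also-notify { 192.0.2.10 key "bigip-dnsexpress-key"; };
};
```

After reloading named, a successful pull shows up in the BIND log as an AXFR to 192.0.2.10; a transfer attempt from any other address or without the key is refused.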
Adding TSIG keys
- If you are adding TSIG keys for DNS servers that host zones:
- Ensure that the DNS servers are configured to allow the BIG-IP system to perform zone transfers.
- Ensure that the time on the systems that use TSIG keys is synchronized.
- Obtain the TSIG key for each DNS server.
- If you are adding TSIG keys for DNS nameservers (clients):
- Ensure that the time on the systems that use TSIG keys is synchronized.
- Obtain the TSIG key for each client.
Add TSIG keys to the BIG-IP system configuration, in these cases:
- When you want to validate zone transfer communications between DNS Express and a DNS server.
- When you want to validate zone transfer communications between DNS Express and a DNS nameserver (client).
Adding nameserver objects that represent DNS servers
Creating a DNS zone to answer DNS queries
- Ensure that the authoritative DNS server that currently hosts the zone is configured to allow zone transfers to the BIG-IP system.
- Ensure a nameserver object that represents the authoritative DNS server exists in the BIG-IP system configuration.
- Determine the name you want to use for the zone. The zone name must match the zone name on the authoritative DNS server exactly. Note: Zone names are case insensitive.
Disabling TSIG verification for NOTIFY messages
Optional: Enabling DNS Express with a custom DNS profile
Creating listeners to identify DNS Express traffic
However, the best practice is to create four listeners, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one listener with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one listener with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Creating virtual servers to identify DNS Express traffic
However, the best practice is to create four virtual servers, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one virtual server with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one virtual server with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Configuring DNS Express to answer zone transfer requests
DNS Express can respond to zone transfer requests for a DNS zone from specified DNS nameservers (clients). Optionally, DNS Express can use TSIG keys to validate the identity of the client making the zone transfer request.
Example of DNS Express answering zone transfer requests
In this figure, as the zone is updated, the authoritative DNS server sends a NOTIFY to DNS Express, which responds with a zone transfer request. The server responds with a zone transfer and the zone is updated in DNS Express. DNS Express sends a NOTIFY to the client, and the client responds with a zone transfer request for the zone. DNS Express responds with a zone transfer and the client updates the zone.
- When zone update occurs, the DNS server sends NOTIFY message to DNS Express.
- DNS Express sends zone transfer request as a result of the NOTIFY query.
- DNS server answers with zone transfer and DNS Express updates the zone.
- DNS Express sends NOTIFY to authoritative DNS nameserver client.
- Client sends zone transfer request as a result of the NOTIFY query.
- DNS Express answers with zone transfer of siterequest.com, and client updates the zone.
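As an added example (not from the F5 documentation), here is the matching named.conf fragment for a BIND nameserver acting as a zone transfer client of DNS Express, as in the flow above. It assumes the BIG-IP listener is at 192.0.2.10 and uses a hypothetical client key whose name and secret are placeholders; the same key must be attached to the nameserver object that represents this client on the BIG-IP system.

```conf
// Constructed example for a BIND secondary that pulls siterequest.com from
// DNS Express (not from the F5 docs). Assumed: BIG-IP listener at 192.0.2.10;
// key name and secret are placeholders shared with the BIG-IP TSIG key object.
key "client-ns1-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";   // placeholder, not a real key
};

zone "siterequest.com" {
    type slave;
    file "/var/named/slaves/siterequest.com.zone";

    // DNS Express is the only transfer source. The key clause makes BIND sign
    // the zone transfer request, so DNS Express validates the client key and
    // returns a TSIG-signed zone transfer that BIND verifies before loading.
    masters { 192.0.2.10 key "client-ns1-key"; };

    // This server is a leaf for the zone: do not hand it on to anyone else and
    // do not send NOTIFY messages of its own.
    allow-transfer { none; };
    notify no;
};
```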
Task summary
To configure the BIG-IP system to respond to zone transfer requests, perform these tasks: