Applies To:
BIG-IP Edge Gateway
BIG-IP Link Controller
How do I configure DNS Express?
You can configure DNS Express on BIG-IP systems to mitigate distributed denial-of-service attacks (DDoS) and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.
What is DNS Express?
DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This makes it possible for the system to:
- Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
- Perform a zone transfer from the local BIND server on the BIG-IP system.
- Serve DNS records faster than the primary DNS servers.
Perform these tasks to configure DNS Express on your BIG-IP system.
Configuring a back-end DNS server to allow zone file transfers
Creating a DNS Express TSIG key
When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express TSIG key.
- On the Main tab, navigate to the DNS Express TSIG Key List screen.
- Click Create. The New DNS Express TSIG Key screen opens.
- In the Name field, type a name for the key.
- From the Algorithm list, select one of the following. The system uses the algorithm that you select to authenticate updates from an approved client and responses from an approved recursive nameserver. The algorithm is a hash function in
  Algorithm Name   Description
  HMAC MD5         Produces a 128-bit hash sequence
  HMAC SHA-1       Produces a 160-bit hash sequence
  HMAC SHA-256     Produces a 256-bit hash sequence
- In the Secret field, type the phrase required for authentication of the key.
Note: The secret key is created by a third party tool such as BIND’s keygen utility.
- Click Finished.
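To make the Algorithm and Secret choices concrete, here is an added example in Python (not F5 code and not part of this page): it produces a base64 secret of the kind the Note says comes from a key-generation tool, then signs and verifies a constructed NOTIFY message with each algorithm in the table and reports the MAC size. The function names, the sample message, and the simplification that the MAC covers only the raw message bytes (a real TSIG MAC per RFC 2845 also covers the TSIG variables) are this example's own assumptions.

```python
"""Added example (not F5 code): generate a TSIG secret in the base64 form that
BIND's key-generation tools emit, and show what the Algorithm choice on the
DNS Express TSIG Key screen means for the MAC that signs a zone transfer.
Simplification (assumption): the MAC is computed over the raw message bytes;
a real TSIG MAC covers the DNS message plus the TSIG variables (RFC 2845),
but key handling, algorithm choice and MAC size are the same."""
import base64
import hashlib
import hmac
import secrets

# Algorithm names as shown in the DNS Express TSIG Key "Algorithm" list,
# mapped to the hash function and the MAC length in bits the table gives.
ALGORITHMS = {
    "HMAC MD5": (hashlib.md5, 128),
    "HMAC SHA-1": (hashlib.sha1, 160),
    "HMAC SHA-256": (hashlib.sha256, 256),
}

def generate_secret(num_bytes: int = 32) -> str:
    """Random secret, base64-encoded; this is what goes in the Secret field."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def sign(secret_b64: str, algorithm: str, message: bytes) -> bytes:
    """MAC over the message using the shared secret and selected algorithm."""
    digestmod, _ = ALGORITHMS[algorithm]
    return hmac.new(base64.b64decode(secret_b64), message, digestmod).digest()

def verify(secret_b64: str, algorithm: str, message: bytes, mac: bytes) -> bool:
    """Constant-time check a receiver performs before trusting a signed
    NOTIFY or zone transfer from the primary server."""
    return hmac.compare_digest(sign(secret_b64, algorithm, message), mac)

def mac_bits(algorithm: str) -> int:
    """MAC length in bits; should match the table's 128/160/256."""
    return len(sign(generate_secret(), algorithm, b"probe")) * 8

if __name__ == "__main__":
    secret = generate_secret()  # constructed at run time, not a real key
    notify = b"NOTIFY example.com. serial=2024010101"  # constructed sample
    tag = sign(secret, "HMAC SHA-256", notify)
    print("valid:", verify(secret, "HMAC SHA-256", notify, tag))
    print("tampered:", verify(secret, "HMAC SHA-256", notify + b"!", tag))
    print("mac bits:", {name: mac_bits(name) for name in ALGORITHMS})
```

A mismatch in either the secret or the selected algorithm between the BIG-IP key and the primary server's key makes verification fail, which is why both sides must be configured with the same pair.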
Creating a DNS Express zone
- On the Main tab, navigate to the DNS Express Zone List screen.
- Click Create. The New DNS Express Zone screen opens.
- In the Name field, type a name for the DNS Express zone.
- In the Target IP Address field, type the IP address of the current master DNS server for the zone from which you want to transfer records. The default value 127.0.0.1 is for the BIND server on the BIG-IP system.
- To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.
- To specify an action for the BIG-IP system to take when a NOTIFY query is received for a configured DNS Express zone, from the Notify Action list, select one of the following.
  Action    Description
  Consume   The NOTIFY query is seen only by DNS Express. This is the default value.
  Bypass    Queries do not go to DNS Express, but instead go to any back-end DNS resource (subject to the DNS profile's unhandled-query-action).
  Repeat    The NOTIFY query goes to both DNS Express and any back-end DNS resource.
  Tip: If a TSIG key is configured, the signature is validated only for the Consume and Repeat actions. NOTIFY responses are assumed to be sent by a back-end DNS resource, except when the action is Consume and DNS Express generates the response.
- Click Finished.
Enabling DNS Express
- On the Main tab, navigate to the DNS profile list screen.
- Click Create. The New DNS Profile screen opens.
- Name the profile dns_express.
- In the Parent Profile list, accept the default dns profile.
- Select the Custom check box. The fields in the Settings area become available for revision.
- In the Global Traffic Management list, accept the default value Enabled.
- From the DNS Express list, select Enabled.
- From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS
  Option    Description
  Allow     The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to Enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
  Drop      The BIG-IP system does not respond to the query.
  Reject    The BIG-IP system returns the query with the REFUSED return code.
  Hint      The BIG-IP system returns the query with a list of root name servers.
  No Error  The BIG-IP system returns the query with the NOERROR return code.
- From the Use BIND Server on BIG-IP list, select Disabled.
- Click Finished.
Viewing information about DNS Express zones
You can view information about the zones that are protected by DNS Express.
- On the Main tab, navigate to the Local Traffic Statistics screen.
- From the Statistics Type list, select DNS Express Zones. Information about the DNS Express zones is displayed.
  Record type        Description
  SOA Records        Displays start of authority record information.
  Resource Records   Displays the number of resource records for the zone.