Configuring F5 DNS Express

One of the underused features of the F5 DNS product, formerly known as Global Traffic Manager (GTM), is the ability to host your DNS on F5’s high-performing and hardened DNS implementation. Beyond screening, or the typical GTM deployment of a delegated subdomain, DNS Express actually hosts the DNS zone directly on the F5. It’s a lot faster than dealing with the on-box BIND or a remote BIND or Active Directory server. Also, I trust F5’s coding a lot more than Active Directory.

At a high level, the F5 is acting as a DNS slave to whatever master server you have configured. The master DNS server pushes its zone to the F5 slave, and you can also have the master notify the F5 when it has updates, so the zone on the F5 is refreshed automatically. Configured like this, you don’t need to change anything in your workflow to support your DNS infrastructure, and you immediately get the benefit of F5’s high-performance TMOS DNS implementation. At this point, you can set it as the resolver for internal or external DNS clients.

Alternatively, you can host your zones on the BIG-IP itself, but in my opinion ZoneRunner isn’t the greatest, and I’d recommend just running the standard BIND implementation in a Docker container, or pulling the zones from Active Directory if you’re a Windows shop.

Preparing your DNS objects

The first step in configuring DNS Express is to create a nameserver object in the configuration. This is the nameserver object that the F5 polls for the DNS zone.

Creating a DNS Nameserver object

Once you have the nameserver object created, you need to create the zone that will be pulled from that nameserver. This is the actual domain that is transferred from the nameserver you just created.

Creating a DNS zone object

Once you’ve created the nameserver and zone, you can create the DNS profile. Since I want analytics sent to our ELK stack, I’ll first create the logging pool and profiles. The procedure is the same for all the different types of logging profiles: first create the pool of syslog servers.

Optional: Get your logging profiles in order

Creating a pool of Log Servers

Next, you’ll create the logging destination profile and select the pool we just made.

Creating an F5 logging destination

Once you create the logging destination, you need to create a log publisher and associate it with the destination.

Create an F5 Log Publisher

Now it’s time to create the DNS logging profile. In here you select what you want to log and where you want to log it; the “where” is the log publisher we just created. I’m going to ship these off to Elasticsearch via Logstash, so I’ll log everything and parse it with my grok filter.

Creating a DNS logging profile

Now that we have all of our backend logging objects built, we can build the rest of the configuration. Create the DNS profile. If you are logging statistics like me, you’ll need to go to the bottom of the profile, enable logging, and select the logging profile we created in the last step.

Adding an F5 DNS profile

Enabling the Log Profile on your DNS profile

DNS Listeners, the VIPs of F5 DNS Express

With your DNS profile created, it’s time to create your listeners. I like to create both a TCP and a UDP listener, although you can usually get by with just UDP. Most DNS implementations default to UDP for basic usage; the exception is a response bigger than the 4k DNS response limit. You will not usually see responses that large from the BIG-IP, since the majority of larger responses come from an AXFR (zone transfer) or perhaps DNSSEC, but it won’t hurt to have the TCP listener. In any case, you can optionally create TCP and UDP profiles to apply to your listeners, but it’s not required.

Adding a DNS listener

One thing you’ll notice in the DNS listener options is that you can enable source address translation and, separately, address translation and port translation. I point this out because by default all of them are disabled. The GTM/DNS listener is really a virtual server with a bunch of different profiles applied. If you enable Source Address Translation but do not also check the boxes for Address and Port translation, your SNAT will not work.

Creating a DNS Listener

Finally, you should be finished. Check the statistics on your zone to make sure that the transfer has taken place and that the F5 is serving up those records.

F5 DNS Zone Statistics
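Beyond eyeballing the statistics page, a quick way to prove the transfer worked is to ask the master and the F5 listener for the zone’s SOA record and compare the serials: if the F5 serves the same serial as the master, the zone is loaded and current. The script below is an added example, not something from the original post or from F5; it builds the SOA query by hand on the wire format, parses the reply (including RFC 1035 name compression), and can ask over both UDP and TCP so both listeners get exercised. The master and listener addresses are command-line arguments, and `sample_soa_response` is a constructed reply for offline testing only.

```python
import random
import socket
import struct
import sys
from typing import Optional, Tuple

SOA = 6  # DNS record type for Start of Authority


def build_query(name: str, qtype: int = SOA) -> Tuple[int, bytes]:
    """Build a non-recursive DNS query in wire format; returns (transaction id, packet)."""
    qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # RD off: we want the server's own answer
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return qid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_soa_serial(msg: bytes, expected_id: int) -> Optional[int]:
    """Extract the SOA serial from the answer section; None if no SOA or a non-zero RCODE."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qid != expected_id:
        raise ValueError("transaction id mismatch: not a reply to our query")
    if flags & 0x000F:  # RCODE other than NOERROR (e.g. REFUSED, NXDOMAIN)
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == SOA:
            rd = _skip_name(msg, off)  # MNAME
            rd = _skip_name(msg, rd)   # RNAME
            return struct.unpack_from("!I", msg, rd)[0]  # SERIAL is the first 32-bit field
        off += rdlen
    return None


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_soa_serial(server: str, zone: str, tcp: bool = False, timeout: float = 3.0) -> Optional[int]:
    """Ask `server` for the zone's SOA over UDP (default) or TCP and return the serial."""
    qid, pkt = build_query(zone)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(pkt)) + pkt)  # DNS over TCP prefixes a 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            resp = _recv_exact(s, length)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, 53))
            resp, _ = s.recvfrom(4096)
    return parse_soa_serial(resp, qid)


def zone_in_sync(master: str, f5_listener: str, zone: str, tcp: bool = False) -> bool:
    """True when the F5 listener serves the same SOA serial as the master."""
    m = query_soa_serial(master, zone, tcp)
    return m is not None and m == query_soa_serial(f5_listener, zone, tcp)


def sample_soa_response(qid: int, serial: int) -> bytes:
    """Constructed authoritative SOA reply for example.com (test data, not a captured packet)."""
    hdr = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, one question, one answer
    question = b"\x07example\x03com\x00" + struct.pack("!HH", SOA, 1)
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"  # MNAME/RNAME with pointers to offset 12
             + struct.pack("!IIIII", serial, 7200, 900, 1209600, 3600))
    return hdr + question + b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata


if __name__ == "__main__":
    master, listener, zone = sys.argv[1:4]  # e.g. <master-ip> 172.21.32.125 example.com
    for tcp in (False, True):
        proto = "tcp" if tcp else "udp"
        print(proto, "master:", query_soa_serial(master, zone, tcp), "f5:", query_soa_serial(listener, zone, tcp))
```

A `None` from the F5 side usually means the zone has not transferred yet (the listener answers with an error RCODE rather than an SOA), while a serial that lags the master points at a missing NOTIFY or a transfer ACL problem on the master.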

If you aren’t getting the transfer to work, make sure the master DNS server allows zone transfers to the F5’s egress self IP, that is, the self IP on the interface that faces the DNS server. For example, our lab F5’s self IP is 172.21.32.125, so in BIND I add the entire RFC 1918 172.16.0.0/12 block:

  options {
         listen-on port 53 { any; };
         // permit AXFR/IXFR from localhost and the block containing the F5 self IP
         allow-transfer { localhost; 172.16.0.0/12; };
  };
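The `allow-transfer` ACL decides who may pull a full copy of the zone, so it is worth checking two things at once: that the F5 self IP is actually covered, and how much else is covered along with it. The checker below is an added example, not part of the original post or of BIND; it pulls the `allow-transfer` entries out of a constructed `named.conf` fragment modelled on the one above, confirms the self IP from the post (172.21.32.125) matches, and flags any entry wider than a single host, then renders a host-only alternative. It understands plain addresses, prefixes and the built-in `any`/`localhost`/`localnets`/`none` keywords; named ACLs, negated entries and TSIG `key` entries are reported for manual review rather than evaluated.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed named.conf fragment modelled on the post's example (not a real server's config).
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    allow-transfer { localhost; 172.16.0.0/12; };
};
"""

F5_SELF_IP = "172.21.32.125"  # the lab F5 egress self IP from the post; substitute your own


def parse_allow_transfer(conf: str) -> List[str]:
    """Return the entries of the first allow-transfer ACL, e.g. ['localhost', '172.16.0.0/12']."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", conf)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def check_transfer_acl(conf: str, self_ip: str) -> Tuple[bool, List[str]]:
    """Return (self_ip_allowed, findings).

    A finding is raised for 'any' and for any network entry that admits more than one host;
    entries this checker cannot evaluate (named ACLs, '!' negations, 'key' entries) are
    reported so they can be reviewed by hand.
    """
    addr = ipaddress.ip_address(self_ip)
    allowed = False
    findings: List[str] = []
    for entry in parse_allow_transfer(conf):
        if entry == "any":
            allowed = True
            findings.append("allow-transfer includes 'any': every client can transfer the zone")
            continue
        if entry in ("localhost", "localnets", "none"):
            continue  # built-in ACLs that do not describe the F5's address
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"entry {entry!r} is a named ACL, negation or key; review it manually")
            continue
        if addr in net:
            allowed = True
        if net.num_addresses > 1:
            findings.append(
                f"{entry} permits transfers from {net.num_addresses} addresses; "
                f"consider {ipaddress.ip_network(self_ip)} instead"
            )
    return allowed, findings


def tightened_allow_transfer(self_ips: List[str]) -> str:
    """Render an allow-transfer statement limited to the given hosts (/32 or /128)."""
    hosts = "; ".join(str(ipaddress.ip_network(ip)) for ip in self_ips)
    return f"allow-transfer {{ localhost; {hosts}; }};"


if __name__ == "__main__":
    ok, notes = check_transfer_acl(SAMPLE_NAMED_CONF, F5_SELF_IP)
    print("F5 self IP allowed:", ok)
    for note in notes:
        print("finding:", note)
    print("host-scoped alternative:", tightened_allow_transfer([F5_SELF_IP]))
```

Run against the fragment from the post, the check confirms 172.21.32.125 is allowed but also reports that the /12 admits just over a million addresses. Where the F5 sits behind an SNAT the entry has to match the translated address, which is the same self IP the post identifies as the egress address; BIND’s `key` entries, which restrict transfers to TSIG-signed requests, are the stronger control when address-based scoping is not enough.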

On Windows, you’ll need to add a new nameserver with the IP of the BIG-IP, like this:

Allow Zone Transfer in Active Directory
