agility_dns_docs_17 Documentation

Transcription

1 agility_dns_docs_17 Documentation Release 0.1 Agility DNS team Oct 06, 2017

2

3 Contents 1 Lab Environment Ravello Cloud IPv Orientation GSLB Settings Listeners Logging DNS Profile UDP Profile TCP Profile UDP IP Address TCP IP Address Datacenters Servers gtm1.site gtm1.site site1_ha-pair site2_ha-pair Device Trust Sync Group Formation LTM Virtuals Links Auto Discover Pools FQDN Delegation A Records Sub Domain CNAME Results Statistics tcpdump Analytics Logs i

4 3 Cache Transparent Resolver RPZ Forward Zones DNS Services Beyond GSLB with BIG-IP DNS (201) AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND Configuring DNS Logging Create a new DNS Profile Create DNS Listeners Create a Nameserver for Hidden Master Create a zone to transfer from Hidden Master Enable DNSSEC for the zone Authoritative Name Server: slave from ON-BOX BIND Create a new DNS Profile Edit DNS Listeners Create a Student1.com zone using ZoneRunner Create a Nameserver for on-box BIND Create a DNS Express zone to transfer from ZoneRunner Slaving off of DNS Express Create a new DNS Profile Edit DNS Listeners Create Nameservers for Zone Transfer Clients Edit Student2 Zones on BIGIP2 to allow Zone transfers Add Student2.com zone to DNS Express on BIGIP Transparent Caching Create a DNS Cache Create a new DNS Profile Create a DNS Monitor Create a Resolver Pool Create a new External DNS Listener Resolver Cache Create a new DNS Cache Create a new DNS Profile Edit DNS Listener DNSSEC Validating Resolver Create a new DNS Cache Create a new DNS Profile Edit DNS Listener Forwarders Add Forwarder to Existing Cache DNS 201 class is complete! Thanks for attending! ii

5 Contents 1

6 2 Contents

7 CHAPTER 1 Lab Environment Connect to a Windows jumpbox in the cloud. From the Windows jumpbox students will configure F5 devices across two datacenters and a branch office. The Windows jumpbox is in the branch office along with an Active Directory domain controller. 3

8 1.1 Ravello Cloud The lab environment is hosted in cloud environments managed by Ravello Systems. Login to the Ravello training portal using a browser. Ask an instructor for the login information - TODO insert updated Ravello screenshots Once logged in, you will find the URL for your windows jumpbox. NOTE: All the VMs should be in a STARTED state. Copy the FQDN located under the DNS section. Open a remote desktop client on your workstation and connect to the jumpbox. Username: user Password: Agility1 4 Chapter 1. Lab Environment

9 1.1. Ravello Cloud 5

10 1.2 IPv4 Management IP Addresses: Host Managment bigip1.site bigip2.site gtm1.site bigip1.site bigip2.site gtm1.site router01.branch Service IP Addresses: Site 1 Site 2 = = vpn.example.com = vpn.example.com = Orientation 1. Open the command prompt on the Windows jumpbox and execute the following command: dig Examine the output, and observe that an A record exists. 1. Open Internet Explorer and access Note that you accessed a web server in site1. 6 Chapter 1. Lab Environment

11 TODO Create content server page and add screenshot 2. RDP to the domain controller using: EXAMPLE\user, password Agility1. Start > Remote Desktop Connection > Orientation 7

12 8 Chapter 1. Lab Environment

13 1. Click on Server Manager, and in the top right corner choose Tools and then DNS Orientation 9

14 1. Double click on EXAMPLE.COM and examine DNS records. 10 Chapter 1. Lab Environment

15 1.3. Orientation 11

16 12 Chapter 1. Lab Environment

17 1. Connect to and list the virtual server ( ). Use Internet Explorer Browser on the jumpbox to log in via the GUI, or use Putty for SSH to get a shell. GUI username = admin/admin CLI username = root/default 1. Connect to and list the virtual servers ( ). Use Internet Explorer Browser on the jumpbox to log in via the GUI, or use Putty for SSH to get a shell. GUI username = admin/admin CLI username = root/default 1.3. Orientation 13

18 14 Chapter 1. Lab Environment

19 CHAPTER 2 GSLB Students will configure F5 DNS servers to support GSLB services on a single device in site1. Join an additional F5 DNS server in site2 to the GSLB cluster. A Windows AD DNS server is authoritative for the zone example.com and contains a static A record for which resolves to Students will add glue records and delegate gslb.example.com to the F5 GSLB DNS servers. Convert the A record to be a CNAME record pointing to At the end of the lab students will have configured F5 GSLB DNS servers to alternately resolve to and Where were you when v9 was released? 15

20 2.1 Settings Configure the global settings for GSLB according to the following table: Log into gtm1.site1 and complete the following task in the UI or cli Navigate to: DNS Settings : GSLB : General Setting Value Description Synchronize checked Not on by default Group Name EXAMPLE_group Org specific Synchronize DNS Zone Files checked BIND zone file updates tmsh modify gtm global-settings general synchronization yes synchronization-group- name EXAMPLE_group synchronize-zone-files yes 16 Chapter 2. GSLB

21 References 2.2 Listeners A listener object is an spcialized virtual server that is configured to respond to DNS queries. We will be creating both TCP and UDP based listeners Logging Configure DNS query and response logging. Navigate to DNS > Delivery > Profiles > Other > DNS Logging: Create Note: It is required to complete the following task on both gtm1.site and gtm1.site Listeners 17

22 Create a new DNS logging profile as shown in the table below. Retain the defaults if not noted in the table. Setting Name Log Publisher Log Responses Include Query ID Value example_dns_logging_profile sys-db-access-publisher enabled enabled TMSH command for both gtm1.site1 and gtm1.site2: tmsh create ltm profile dns-logging example_dns_logging_profile enable-response- logging yes include-query-id yes log-publisher local-db-publisher References DNS Profile A DNS profile controls the way a listener processes a query. Navigate to: DNS > Delivery > Profiles > DNS: Create Note: It is required to complete the following task on both gtm1.site and gtm1.site2 Create a new DNS profile as shown in the following table. Setting Name Unhandled Query Action Use BIND Server on Big-IP Logging Logging Profile AVR statistics Sample Rate Value example.com_dns_profile Drop Disabled Enabled example_dns_logging_profile Enabled, 1/1 queries sampled TMSH command for both gtm1.site1 and gtm1.site2: tmsh create ltm profile dns example.com_dns_profile use-local-bind no unhandled-query- action drop log-profile example_dns_logging_profile enable-logging yes avr-dnsstat- sample-rate 1 References UDP Profile A UDP profile is associated with a listener. Navigate to: DNS Delivery : Profiles : Protocol : UDP 18 Chapter 2. GSLB

23 2.2. Listeners 19

24 20 Chapter 2. GSLB

25 2.2. Listeners 21

26 22 Chapter 2. GSLB

27 Note: It is required to complete the following task on both gtm1.site and gtm1.site2 Create a new UDP profile as shown in the following table. Retain the defaults if the setting is not noted in the table. Setting Name Parent Profile Value example.com_udp-dns_profile udp_gtm_dns TMSH command for both gtm1.site1 and gtm1.site2: tmsh create ltm profile udp example.com_udp-dns_profile defaults-from udp_gtm_dns 2.2. Listeners 23

28 References TCP Profile A TCP profile is associated with a listener. Navigate to: DNS Delivery : Profiles : Protocol : TCP Note: It is required to complete the following task on both gtm1.site and gtm1.site2 Create a new TCP profile as shown in the following table. Setting Name Parent Profile Value example.com_tcp-dns_profile tcp-wan-optimized TMSH Command for both gtm1.site and gtm1.site2: tmsh create ltm profile tcp example.com_tcp-dns_profile defaults-from tcp-wan- optimized References UDP IP Address Navigate to: DNS Delivery : Listeners : Listener List Note: It is required to complete the following task on both gtm1.site1 and gtm1.site2 Create a UDP listener. Setting gtm1.site1 gtm1.site2 Name isp1_site1_ns1.example.com_udp_53_virtual isp2_site2_ns2.example.com_udp_53_virtual Destination Protocol Profile (Client) example.com_udp-dns_profile example.com_udp-dns_profile DNS Profile example.com_dns_profile example.com_dns_profile 24 Chapter 2. GSLB

29 2.2. Listeners 25

30 26 Chapter 2. GSLB

31 2.2. Listeners 27

32 gtm1.site1 TMSH command: tmsh create gtm listener isp1_site1_ns1.example.com_udp_53_virtual address ip-protocol udp mask port 53 profiles add { example.com_dns_ profile example.com_udp-dns_profile } gtm1.site2 TMSH command: tmsh create gtm listener isp2_site2_ns2.example.com_udp_53_virtual address ip-protocol udp mask port 53 profiles add { example.com_dns_ profile example.com_udp-dns_profile } References TCP IP Address Navigate to: DNS Delivery : Listeners : Listener List Note: It is required to complete the following task on both gtm1.site and gtm1.site2 Create a TCP listener. Setting gtm1.site1 gtm1.site2 Name isp1_site1_ns1.example.com_tcp_53_virtual isp2_site2_ns2.example.com_tcp_53_virtual Destination Protocol Profile (Client) example.com_tcp-dns_profile example.com_tcp-dns_profile DNS Profile example.com_dns_profile example.com_dns_profile 28 Chapter 2. GSLB

33 2.2. Listeners 29

34 gtm1.site1 TMSH command: 30 Chapter 2. GSLB

35 tmsh create gtm listener isp1_site1_ns1.example.com_tcp_53_virtual address ip-protocol tcp mask port 53 profiles add { example.com_dns_ profile example.com_tcp-dns_profile } gtm1.site2 TMSH command: tmsh create gtm listener isp1_site2_ns2.example.com_tcp_53_virtual address ip-protocol tcp mask port 53 profiles add { example.com_dns_ profile example.com_tcp-dns_profile } References 2.3 Datacenters Navigate to: DNS > GSLB > Data Centers > Data Center List: Create Note: The tasks in this section are to be only completed on gtm1.site1 Create two darta centers according to the table below: Setting Name Name Value site1_datacenter site2_datacenter 2.3. Datacenters 31

36 TMSH command for only site1.gtm1: tmsh create gtm datacenter site1_datacenter tmsh create gtm datacenter site2_datacenter 32 Chapter 2. GSLB

37 2.3.1 Servers gtm1.site1 Navigate to: DNS GSLB : Servers : Server List globallb/server/list.jsp Create a Server Object as defined in the table below: Setting Value Name gtm1.site1_server Data Center site1_datacenter Devices Add: gtm1.site1.example.com : Health Monitors bigip Virtual Server Discovery Disabled TMSH command for only site1.gtm1: tmsh create gtm server gtm1.site1_server datacenter site1_datacenter devices add { gtm1.site1.example.com { addresses add { } } } monitor bigip product bigip gtm1.site2 Navigate to: DNS GSLB : Servers : Server List globallb/server/list.jsp Create a Server Object as defined in the table below: Setting Value Name gtm1.site2_server Data Center site2_datacenter Devices Add: gtm1.site2.example.com : Health Monitors bigip Virtual Server Discovery Enabled TMSH command for only gtm1.site1:.. code-block:: cli tmsh create gtm server gtm1.site2_server datacenter site2_datacenter devices add { gtm1.site2.example.com { addresses add { } } } monitor bigip product bigip site1_ha-pair Navigate to: DNS > GSLB > Servers > Server List: Create jspmap/tmui/globallb/server/list.jsp Create a Server Object as defined in the table and diagram below Datacenters 33

38 34 Chapter 2. GSLB

39 2.3. Datacenters 35

40 Setting Value Name site1_ha-pair Data Center site1_datacenter Devices Add: bigip1.site1.example.com : Devices Add: bigip2.site1.example.com : Health Monitors bigip Virtual Server Discovery Enabled Link Discovery Enabled 36 Chapter 2. GSLB

41 2.3. Datacenters 37

42 TMSH command for only gtm1.site1: tmsh create gtm server site1_ha-pair datacenter site1_datacenter devices add { bigip1. site1.example.com { addresses add { { } } } bigip2.site1.example.com { addresses add { { } } } } link-discovery enabled monitor bigip product bigip virtual-server-discovery enabled site2_ha-pair Navigate to: DNS > GSLB > Servers > Server List: Create jspmap/tmui/globallb/server/list.jsp Create a Server Object as defined in the table and diagram below. Setting Value Name site2_ha-pair Data Center site2_datacenter Device Add: bigip1.site2.example.com : Device Add: bigip2.site2.example.com : Health Monitors bigip Virtual Server Discovery Enabled Link Discovery Enabled 38 Chapter 2. GSLB

43 2.3. Datacenters 39

44 TMSH command for only gtm1.site2: tmsh create gtm server site2_ha-pair datacenter site2_datacenter devices add { bigip1. site2.example.com { addresses add { { } } } bigip2.site2.example.com { addresses add { { } } } } link-discovery enabled monitor bigip product bigip virtual-server-discovery enabled Create different types of server objects. Navigate to: DNS GSLB : Servers : Server List globallb/server/list.jsp Device Trust A mesh of F5 DNS servers need to exchange keys to establish a trusted mechanism for HA communications. Lanch Putty and login to gtm1.site1.example.com username: root password: default Run the following command: bigip_add 40 Chapter 2. GSLB

45 2.3. Datacenters 41

46 In the UI you should see: server&store=iquery 42 Chapter 2. GSLB

47 2.3.3 Sync Group Formation Launch Putty and log in to gtm1.site2 Run the following command: gtm_add Datacenters 43

48 44 Chapter 2. GSLB

49 2.3.4 LTM Virtuals Virtual Servers are automatically inventoried with Auto-Discover Navigate to DNS GSLB : Servers : Server List Links Datacenter Links are automatically inventoried with Auto-Discovery enabled Navigate to DNS GSLB : Links : Link List Datacenters 45

50 2.3.6 Auto Discover Auto discover can be helpful, but after initial setup it s recomended to disable it. Navigate to DNS GSLB : Servers : Server List Links : site1_ha-pair name=%2fcommon%2fsite1_ha-pair Disable Link Auto Discovery 46 Chapter 2. GSLB

51 Navigate to DNS GSLB : Servers : Server List Virtual Servers : site1_ha-pair name=%2fcommon%2fsite1_ha-pair Disable Virtual Auto Discover and delete unused objects 2.3. Datacenters 47

52 Note: Repeat the above operations for site2_ha-pair name=%2fcommon%2fsite1_ha-pair name=%2fcommon%2fsite2_ha-pair tmsh modify gtm server site1_ha-pair link-discovery disabled virtual-server-discovery disabled tmsh modify gtm server site2_ha-pair link-discovery disabled virtual-server-discovery disabled tmsh modify gtm server site1_ha-pair virtual-servers delete { /Common/isp1_site1_vpn. example.com_tcp_http_virtual /Common/isp1_site1_vpn.example.com_tcp_https_virtual / Common/isp1_site1_www.example.com_tcp_http_virtual } tmsh modify gtm server site2_ha-pair virtual-servers delete { /Common/isp2_site2_vpn. example.com_tcp_http_virtual /Common/isp2_site2_vpn.example.com_tcp_https_virtual / Common/isp2_site2_www.example.com_tcp_http_virtual } 48 Chapter 2. GSLB

53 2.4 Pools Navigate to: DNS GSLB : Pools : Pool List Create a GTM pool of LTM Virtuals according to the following table: Setting Name Type member member Value A isp1_site1_www.example.com_tcp_https_virtual isp2_site2_www.example.com_tcp_https_virtual 2.4. Pools 49

54 50 Chapter 2. GSLB

55 2.4. Pools 51

56 TMSH command to run on only gtm1.site1: tmsh create gtm pool a { members add { site1_ha-pair:/common/ isp1_site1_www.example.com_tcp_https_virtual { member-order 0 } site2_ha-pair:/ Common/isp2_site2_www.example.com_tcp_https_virtual { member-order 1 } } } 2.5 FQDN F5 refers to an FQDN as a wide-ip, or wip. Navigate to: DNS GSLB : Wide IPs : Wide IP List Create an F5 wide IP Setting Name Type Pool Value A 52 Chapter 2. GSLB

57 2.5. FQDN 53

58 54 Chapter 2. GSLB

59 TMSH command to run on only gtm1.site1: tmsh create gtm wideip a { pools add { { order 0 } } } 2.6 Delegation Log in to the Windows Domain Controller from the jumpbox, and open the DNS management UI: 2.6. Delegation 55

60 2.6.1 A Records Create two new A records Setting Value ns1.example.com ns2.example.com Expand Forward Lookup Zones, right click on EXAMPLE.COM and select New Host 56 Chapter 2. GSLB

61 2.6.2 Sub Domain 2.6. Delegation 57

62 58 Chapter 2. GSLB

63 2.6. Delegation 59

64 60 Chapter 2. GSLB

65 2.6.3 CNAME Delete the static A record for www 2.6. Delegation 61

66 Create a new CNAME record 62 Chapter 2. GSLB

67 2.6. Delegation 63

68 64 Chapter 2. GSLB

69 2.7 Results Statistics Let s look at statistics Navigate to Statistics Module Statistics : DNS : GSLB Wide IPs : : A Results 65

70 tcpdump Let s do some tcpdump and wiresharking Analytics Let s look at some GUI stats Logs Let s look at some logs 66 Chapter 2. GSLB

71 CHAPTER 3 Cache DNS Cache 3.1 Transparent Log into the gateway device router01.brancho1 in the branch office Navigate to DNS Caches : Cache List Create a Transparent Cache according to the values in the table below: Setting Name Resolver Type Value transparent_cache Transparent 3.2 Resolver Resolver cache. 3.3 RPZ Response Policy Zone 67

72 68 Chapter 3. Cache

73 3.4 Forward Zones Forward zones are available on a resolver cache. Agility 2017 Hands-on Lab Guide Written for: TMOS v Presented by: DNS 2017 F5 Agility Team 3.4. Forward Zones 69

74 70 Chapter 3. Cache

75 CHAPTER 4 DNS Services Beyond GSLB with BIG-IP DNS (201) 4.1 AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND Objective: In this use-case, you will configure GTM as the authoritative slave using an off-box BIND server as the hidden master. This is a very common architecture to serve either external or internal zones with large scale RPS via DNS Express. You will configure the following common components: DNS Profile and Listeners DNS Express DNS Query Logging DNS Statistics DNSSEC signing Estimated completion time: 25 minutes Configuring DNS Logging You are going to configure DNS query and response logging. To do this, you must tell GTM where to send logs to (a log publisher) and what specifically to log (DNS logging profile). For lab purposes, we are going to use local-syslog as our logging destination. Note: remote high-speed logging is highly recommended for production environments. Log in to from the jumpbox desktop and using user: admin password: admin In the GUI, navigate to: System > Logs > Configuration > Log Publishers: Create Create a new DNS Log Publisher as shown in the table below. 71

76 Keep the defaults if not noted in the table. Name Destinations dns-local-syslog Move local-syslog to Selected column Click Finished to create. In the GUI, navigate to: DNS > Delivery > Profiles > Other > DNS Logging: Create Create a new DNS logging profile as shown in the table below. Keep the defaults if not noted in the table. Name Log Publisher Log Responses Include Query ID dns-logging Select dns-local-syslog Enabled Enabled Click Finished to create. Your new dns-logging profile should now have all options enabled Create a new DNS Profile A DNS profile tells the DNS Listener how to process DNS traffic. We re going to make some tweaks for our use-case and lab environment. In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table. Name Unhandled Query Action Use BIND Server on Big-IP Logging Logging Profile AVR Statistics Sampling Rate AuthNS-offbox-BIND Drop Disabled Enabled dns-logging Enabled; 1/1 queries sampled Click Finished to create. For lab purposes, we are going to use sample all DNS queries with AVR. Note: production sampling rates would be a much lower rate as this would severely impact performance Create DNS Listeners We are going to create both UDP and TCP external listeners. The external Listener will be our target IP address when querying GTM. In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create Create two external Listeners as shown in the tables below. 72 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

77 Keep the defaults if not noted in the table. Name external-listener-udp Destination Host: VLAN Traffic Enabled on.. VLANs and Tunnels External DNS Profile AuthNS-offbox-BIND Name external-listener-tcp Destination Host: VLAN Traffic Enabled on.. VLANs and Tunnels External Protocol TCP DNS Profile AuthNS-offbox-BIND For each Listener, click Finished to create. You should now have two UDP-based DNS Listeners and two TCP-based Listeners configured Create a Nameserver for Hidden Master We next need to tell GTM about our Hidden Master that DNS Express will slave from. In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create Create offbox-bind as a Nameserver as shown in the table below. Keep the defaults if not noted in the table. Name Offbox-BIND Address Click Finished to create Create a zone to transfer from Hidden Master We will now configure the specific zone for GTM to obtain from the Hidden Master. Note that the BIND server already has some key configuration elements to consider: Allow-transfer (for lab purposes, any sourceip is allowed) Also-notify for your internal Listener IP address. TSIG is disabled. Before we configure the zone, we are going to enable some debug logging so that you can see what happens underneath the covers. SSH to your F5 BIGIP1. You should have a BIGIP1 putty icon on your desktop. Use username: root password: default and issue the following TMSH command once logged in. tmsh modify sys db log.zxfrd.level value "debug" Now, view the log file real-time by issuing this command at the SSH prompt: tail -f /var/log/ltm 4.1. AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND 73

78 Note: You can make the putty window larger if needed Keep your ssh session open while performing the rest of the steps. You can break out of the tail process with <Ctrl-C>. In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create Create the dnsx.com zone as shown in the figure below and then click Finished. You should see log messages in your SSH console indicating a successful transfer from the hidden master. You can also view the state of the transfer by clicking back on the newly created zone and observing the Availability as shown in the figure below. Issue the following command from SSH console to see specifics of the status and statistics related to the zone. tmsh show ltm dns zone dnsx.com more The dnsx.com zone is configured with a 60 second refresh interval meaning that DNS Express will proactively check the Master Nameserver every 60 seconds for zone updates. This very low interval is merely for lab purposes so you can view what happens in the logs. The log messages look like this: Jun 22 14:49:38 gtm1 debug zxfrd[4251]: :7: Scheduling zone transfer in 60s for dnsx.com from Jun 22 14:49:38 gtm1 debug zxfrd[4251]: :7: Availability status of dnsx.com changed from YELLOW to GREEN. Jun 22 14:50:38 gtm1 debug zxfrd[4251]: :7: Serials equal ( ); transfer for zone dnsx.com complete. Jun 22 14:50:38 gtm1 debug zxfrd[4251]: :7: Resetting transfer state for zone dnsx.com. 74 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

79 Jun 22 14:50:38 gtm1 debug zxfrd[4251]: :7: Scheduling zone transfer in 60s for dnsx.com from Now, issue the following command in the SSH console to view what is in DNS Express. dnsxdump more Open the command prompt from your windows desktop. Issue a DNS query against your external listener for a record in the dnsx.com zone and verify that it succeeds. For example: +short www1.dnsx.com Issue several more queries of different types to generate some interesting statistics. Here are some examples: +short www1.dnsx.com +short www2.dnsx.com +short www3.dnsx.com +short bigip1.dnsx.com +short bigip2.dnsx.com +short MX dnsx.com +short NS dnsx.com Now is a good time to check query logging. Look at /var/log/ltm (i.e. tail /var/log/ltm ) to ensure that you re properly logging queries and responses. It should look something like this: Jun 22 14:55:14 gtm1 info tmm[10506]: :55:14 gtm1.site1.example.com qid 340 from #50316: view none: query: www3.dnsx.com IN A + ( %0) Jun 22 14:55:14 gtm1 info tmm[10506]: :55:14 gtm1.site1.example.com qid 340 to #50316: [NOERROR qr,aa,rd] response: www3.dnsx.com. 100 IN A ; In the GUI, navigate to Statistics > Analytics > DNS. Notice that you can view statics by different data points, over different periods of time, and drill down into different aspects. Spend a few moments looking at the various options. Note: This may take up to 5 minutes to populate. If no data exists, come back after the next task Enable DNSSEC for the zone We will now sign the dnsx.com zone. In this example, we are configuring GTM to sign the zone on the fly rather than signing the actual static zone information (which can be done starting in v11.5 but is outside the scope of this lab). In the GUI, navigate to: DNS > Delivery > Keys > DNSSEC Key List: Create Create two keys as defined in the tables below. Keep the defaults if not noted in the table AUTHORITATIVE NS: SLAVE FROM OFF-BOX BIND 75

80 Name Type Key Management Certificate Private Key dnsx.com_zsk Zone Signing Key Manual default.crt default.key Name Type Key Management Certificate Private Key dnsx.com_ksk Key Signing Key Manual default.crt default.key Click Finished to create each key. In the GUI, navigate to: DNS > Zones > DNSSEC Zones > DNSSEC Zone List: Create Configure the dnsx.com zone for DNSSEC using the previously created keys as shown below. Test that the zone is successfully signed by issuing a DNSSEC query to the external listener. For example: +dnssec www1.dnsx.com You should see RRSIG records indicating that the zone is signed. You will also note signing in the query logs (/var/ log/ltm) Finally, view some other DNS statistics related to queries, DNSSEC, zone transfers, notifies, etc. In the GUI, navigate to: DNS > Zone > Zones > Zone List. Click on the dnsx.com zone and then select Statistics from the top menu bar. Select the View Details as shown in the diagram below: 76 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

81 View the types of statistics available for the zone such as serial number, number of records, etc. In the GUI, navigate to: Statistics > Module Statistics > DNS > Zones. Set Statistics Type to DNSSEC Zones. View details as performed above. Note the various DNSSEC statistics available. If the graphs from task 5 weren t available earlier, revisit Statistics > Analytics > DNS now and explore. 4.2 Authoritative Name Server: slave from ON-BOX BIND In this use-case, you will configure GTM as an authoritative slave using on-box BIND managed by ZoneRunner. Estimated completion time: 15 minutes Create a new DNS Profile In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table. Name Unhandled Query Action Use BIND Server on Big-IP Logging Logging Profile AVR Statistics Sampling Rate AuthNS-onbox-BIND Drop Disabled Enabled dns-logging Enabled; 1/1 queries sampled Click Finished to create. For lab purposes, we are going to sample all DNS queries with AVR. Note: Production sampling rates would be a much lower rate Edit DNS Listeners We need to edit the external-listeners to use the new DNS profile created above. In the GUI, navigate to: DNS > Delivery > Listeners > Listener List 4.2. Authoritative Name Server: slave from ON-BOX BIND 77

82 Edit the external-listener-udp to use the AuthNS-onbox-BIND DNS profile. Edit the external-listener-tcp to use the AuthNS-onbox-BIND DNS profile. Click Update after change DNS profile to finish edition Create a Student1.com zone using ZoneRunner In the GUI, navigate to: DNS > Zones: ZoneRunner > Zone List: Create Add a student1.com zone with the information as shown in the following screenshot. Note the also-notify message needs to be added to send a NOTIFY message to an internal GTM IP address for processing. Likewise BIND needs to allow the transfer from the loopback address. The diagram below shows the basic operation. 78 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

83 4.2.4 Create a Nameserver for on-box BIND Next, we need to tell DNS Express that on-box BIND is available to use as a source for zone transfers. In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create Create a loopback as a Nameserver as shown in the table below. Keep the defaults if not noted in the table. Name ZoneRunner Address Click Finished to create Authoritative Name Server: slave from ON-BOX BIND 79

84 4.2.5 Create a DNS Express zone to transfer from ZoneRunner We will now configure the specific zone for GTM to obtain from ZoneRunner. Note that on-box BIND already has some key configuration elements to consider: Allow-transfer from the localhost. Also-notify for DNS Express internal Listener IP address. TSIG is disabled. In the GUI, navigate to: DNS > Zones > Zones > Zone List: Create Create the student1.com zone as shown in the figure below and then click Finished. Perform the same validation steps as the previous lab for validating the successful transfer of student1.com to DNS Express View the details of the zone in the GUI Issue the following command from the ssh console: tmsh show ltm dns zone student1.com more Dump the dns express output to see the records dnsxdump more Verify logs in /var/log/ltm From a command prompt on your jumpbox, issue a query to the external listener for a record in the zone SOA student1.com Add a new record to the Student1.com zone in ZoneRunner In the GUI, navigate to: DNS > Zones: ZoneRunner > Resource Record List. Select View Name -> external Select Zone Name -> student1.com. 80 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

85 Click Create Enter a new A record similar to the figure below for your zone and click Finished. Validate the DNS Express was updated by performing a dnsxdump and/or query for your new record to the Listener. Add another record using the steps above for www2.student1.com with IP address of but before doing this, make sure to have a putty session open to your BIG-IP1 and tail the logs using tail -f /var/ log/ltm to view the changes. By making a change to the zone on the Hidden Master (in this case ZoneRunner), you will see a proactive update to DNS Express via a NOTIFY. Watch the /var/log/ltm file to see the update occur. The logs should look something like this: Jun 5 08:21:26 bigip1 notice zxfrd[6429]: c:5: Handling NOTIFY for zone student1.com. Jun 5 08:21:26 bigip1 debug zxfrd[6429]: :7: Resetting transfer state for zone student1.com. Jun 5 08:21:26 bigip1 debug zxfrd[6429]: :7: Scheduling zone transfer in 5s for student1.com from Jun 5 08:21:26 bigip1 debug zxfrd[6429]: :7: Notify response to ::1 succeeded (81:na). Jun 5 08:21:31 bigip1 notice zxfrd[6429]: f:5: IXFR Transfer of zone student1. com from succeeded. Issue a dnsxdump more command for the SSH console or a query to the listener to validate the zone file has updated. 4.3 Slaving off of DNS Express In this use-case, we will obtain a zone transfer from another F5 s DNS Express. This is a common deployment in a hybrid on-premise and cloud-based DNS solution. Our purpose here is to focus on DNS Express serving zone transfer clients. Note that zones can be signed during a transfer but this is outside the scope of this lab Estimated completion time: 10 minutes Create a new DNS Profile In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the table below Slaving off of DNS Express 81

86 Keep the defaults if not noted in the table. Name Unhandled Query Action Use BIND Server on Big-IP Zone Transfer Logging Logging Profile AVR Statistics Sampling Rate AuthNS-hybrid Drop Disabled Enabled Enabled dns-logging Enabled; 1/1 queries sampled For lab purposes, we are going to use sample all DNS queries with AVR. Note: that production sampling rates would be a much lower rate Edit DNS Listeners In the GUI, navigate to: DNS > Delivery > Listeners > Listener List Edit the external-listener-tcp to use the AuthNS-hybrid DNS profile. Click Update to finish Create Nameservers for Zone Transfer Clients Your lab environment has a second pre-configured BIG-IP (BIGIP2) that we will use as the on-prem DNS Express Master. In the GUI, navigate to: DNS > Delivery > Nameservers > Nameserver List: Create Create BIGIP2 s F5 as a Nameserver as shown in the table below. You will use the External SelfIP/Listener. Keep the defaults if not noted in the table. Name site2_gtm1_master Address Edit Student2 Zones on BIGIP2 to allow Zone transfers Log in to gtm1.site2 (shortcut located on desktop) using a new browser window with the following credentials: User: admin Pass: admin In the GUI, navigate to: DNS > Zones > Zones > Zone List Edit the existing student2.com zone. Under Zone Transfer Clients, move gtm1.site1 (pre-defined to save time) to Active and click Update. Note: The internal TCP listener on BIGIP2 is using the AuthNS-hybrid profile which is setup exactly like the profile with the same name on BIGIP1. Zone Transfer = Enabled must be set in the profile on the source for this to work correctly. 82 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

87 Return to your BIGIP1 browser session Add Student2.com zone to DNS Express on BIGIP1 In the GUI on BIGIP1, navigate to: DNS > Zones > Zones > Zone List: Create Create the student2.com zone as shown in the figure below and then click Finished. Your GTM is acting as a zone transfer client in this case (looking to receive a transfer of the on-prem student2.com local zone). This example shows BIGIP1 adding the student2.com zone to pull from DNS Express on BIGIP2. Perform the same validation steps as the previous lab for validating the successful transfer of student2.com zone View the details of the zone in the GUI Issue a dnsxdump more command from SSH console Verify logs in /var/log/ltm Issue a query to the external listener for a record in the zone SOA student2.com Open putty sessions to both BIGIP1 and BIGIP2 and tail the logs using tail -f /var/log/ltm. This will allow us to see the process of adding a new record on the Master on-prem server (BIGIP2) and then it being replicated first to DNS Express on its own box, followed by an update to the cloud GTM (BIGIP1) in this scenario. Add a new record to the student2.com zone in ZoneRunner on gtm1.site2 In the GUI, navigate to: DNS > Zones: ZoneRunner > Resource Record List Select View Name -> external Select Zone Name -> student2.com. Click Create Enter a new A record based on the picture below and click Finished Slaving off of DNS Express 83

88 Notice the logs in each F5. You will see BIGIP2 perform a zone transfer from ZR after receiving a NOTIFY. You will then see BIGIP1 receive a NOTIFY and obtain a zone transfer. Notice that we didn t have to tell GTM where to send a NOTIFY. Those messages are automatically sent to the Zone Transfer Clients configured for the zone. Issue the following command from SSH console on BIGIP1 to see the status and statistics related to the zone. Take note of the Notifies Received counter. tmsh show ltm dns zone student2.com more Issue the following command from SSH console on BIGIP2 to see the status and statistics related to the zone. Take note of the Notifies To Client counter. tmsh show ltm dns zone student2.com more Validate DNS Express was updated by performing a dnsxdump more and/or query for your new record to the Listener. Close out your browser session to gtm1.site2, we will no longer be using it. 4.4 Transparent Caching In this use-case, you will configure GTM as a transparent cache to a pool of BIND servers. Estimated completion time: 10 minutes 84 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

89 4.4.1 Create a DNS Cache In the GUI, navigate to: DNS > Caches > Cache List: Create Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table. Name Resolver Type transparent-cache Transparent (none) Click Finished to create Create a new DNS Profile In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table. Name DNSSEC GSLB DNS Express DNS Cache DNS Cache Name Use BIND Server on Big-IP Logging Logging Profile AVR Statistics Sampling Rate Transparent Disabled Disabled Disabled Enabled transparent-cache Disabled Enabled dns-logging Enabled; 1/1 queries sampled 4.4. Transparent Caching 85

90 Click Finished when complete Create a DNS Monitor In the GUI, navigate to: DNS > Delivery > Load Balancing > Monitors: Create. Create a new DNS monitor as shown in the table below. Keep the defaults if not noted in the table. Name Type Query Name mon_resolver DNS Click Finished to create Create a Resolver Pool In the GUI, navigate to: DNS > Delivery > Load Balancing > Pools > Pools List: Create. Create a new pool of DNS resolvers as shown in the figure below. Add pool called pool_resolvers with health monitor (mon_resolver) and members as shown in table and diagram below: Pool Members : : :53 86 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

91 4.4.5 Create a new External DNS Listener We are going to create a new external-facing DNS Listener to cache DNS requests and load-balance non-cached requests to pool_resolvers. In the GUI, navigate to: DNS > Delivery > Listeners > Listener List: Create Create a Listener named resolver-listener as shown in the figure below. Use the Listener IP of Note: you need to be in the Advanced Menu to set some of the options Transparent Caching 87

92 From your workstation at a command prompt, perform several recursive queries to your new listener to test. You will want to repeat some of the same queries multiple times We are attempting to see cache hits. Below are some examples: You should have successful resolution. Now it s time to see statistics and cache entries. Viewing Cache Entries In the SSH shell, type the following command: 88 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

93 tmsh show ltm dns cache records rrset cache transparent-cache Your output should look similar to below with several entries If you go to the TMSH console, you can see several other ways to query the cache database. Below show some examples. View cache entries for a particular domain / owner: View cache entries of a particular RR type: There are other options... feel free to play around and familiarize yourself with the options. Viewing Cache Statistics In the SSH shell, type: 4.4. Transparent Caching 89

94 tmsh show ltm dns cache transparent transparent-cache Your output should look similar to below with statistics showing Hits and Misses in particular. In the GUI, you can find similar data as above by navigating Statistics > Module Statistics > DNS > Caches. Select Statistics Type of Caches. Select View under the Details column for transparent-cache Note that stats can also be reset from this view (Reset). Spend some time looking in the DNS Analytics to verify that AVR is graphing query stats as expected. Deleting Cache Entries Specific cache entries can be deleted via the TMSH console. Entries to be deleted can be filtered by several aspects. 90 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

95 In the TMSH shell, go to the DNS prompt and type delete cache records rrset cache transparent-cache? Now delete individual records by type and owner. Below show some examples. Clearing Entire Cache Via the GUI, navigate to Statistics > Module Statistics > DNS > Caches Set Statistics Type to Caches. You can select the cache and click Clear Cache to empty the cache. 4.5 Resolver Cache In this use case, you will configure GTM as a resolver cache which eliminates the need for the pool of resolvers. * Estimated completion time: 10 minutes 4.5. Resolver Cache 91

96 4.5.1 Create a new DNS Cache In the GUI, navigate to: DNS > Caches > Cache List: Create Create a new DNS Cache as shown in the table below. Keep the defaults if not noted in the table. Name Resolver Type resolver-cache Resolver Create a new DNS Profile In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. Create a new DNS profile as shown in the table below. Keep the defaults if not noted in the table. Name DNSSEC GSLB DNS Express DNS Cache DNS Cache Name Unhandled Query Action Use BIND Server on Big-IP Logging Logging Profile AVR Statistics Sampling Rate Resolver Disabled Disabled Disabled Enabled resolver-cache Drop Disabled Enabled dns-logging //from previous lab Enabled; 1/1 queries sampled Edit DNS Listener We will now apply the new profile to the existing DNS Listener. 92 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

97 In the GUI, navigate to: DNS > Delivery > Listeners > Listener List Select resolver-listener and modify the following settings. Change the DNS profile to resolver and uncheck Address Translation (under Listener Advanced options). Click Update. Select Load Balancing from the middle menu above, and Select the Default Pool as None and click Update. Your Listener should now be setup as a caching resolver. From your workstation command prompt, perform several recursive queries to your external Listener to test. You will want to repeat some of the same queries multiple times. We are attempting to see cache hits and perform recursive queries. Below are some examples: Viewing Cache Statistics In the SSH shell, type the following command: tmsh show ltm dns cache resolver resolver-cache more Your output should look similar to below with statistics. Bits In/Out, Packets In/Out and Connections are of particular interest. 4.6 DNSSEC Validating Resolver In this use case, you will configure GTM as a DNSSEC validating resolver which offloads heavy CPU computation to traditional resolvers. This simply adds DNSSEC validation to the resolver-cache use-case previously configured. * Estimated completion time: 10 minutes 4.6. DNSSEC Validating Resolver 93

98 4.6.1 Create a new DNS Cache In the GUI, navigate to: DNS > Caches > Cache List: Create Create a new DNS cache as shown in the table below. Keep the defaults if not noted in the table. Name Resolver Type validating-resolver Validating Resolver A Trust Anchor must be configured so that the validating resolver has a starting point for validation. This can be done manually via the SSH console. You can obtain the root server DS keys by using dig and its related utilities as follows: Note: In the interest of time, the trust anchors are located on your desktop as a text file named TrustAnchors.txt. You can simply cut and paste the values into the GUI. If you want to run the utilities to obtain the anchors, the commands are below for your reference. Get the root name servers in DNSKEY format and output to the file root-dnskey >dig +multi +noall +answer DNSKEY. >root-dnskey Convert the root trust anchors from DNSKEY format to DS >dnssec-dsfromkey -f root-dnskey. >root-ds Output of the root DS keys >cat./root-ds IN DS B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E IN DS AAC11D7B6F E54A A1A FD2CE1CDDE32 F24E8FB5 Each of the 2 lines in the TrustAnchor.txt file should be entered as a new trust anchor (2 total). In the GUI, navigate to: DNS > Caches > Cache List. Select validating-resolver and click on Trust Anchors on the top menu. Click Add. Copy each line from the TrustAnchor.txt file as a Trust Anchor entry. You should end with a total of two entries. The figure below shows what your configuration should look like Create a new DNS Profile In this task we will create a dns profile to be used by a listener for DNSSEC validation. * In the GUI, navigate to: DNS > Delivery > Profiles > DNS: Create. * Create a new DNS profile as shown in the table below. 94 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

99 Keep the defaults if not noted in the table. Name DNSSEC GSLB DNS Express DNS Cache DNS Cache Name Unhandled Query Action Use BIND Server on Big-IP Logging Logging Profile AVR Statistics Sampling Rate Validating Disabled Disabled Disabled Enabled validating-resolver Drop Disabled Enabled dns-logging //from previous lab Enabled; 1/1 queries sampled Edit DNS Listener We will now apply the new profile to the existing DNS Listener. In the GUI, navigate to: DNS > Delivery > Listeners > Listener List Select resolver-listener and modify the DNS Profile to use validating. Your Listener should now be setup as a validating resolver. Use-Case: Valid Signed Zone. From your workstation, perform several recursive queries to your external Listener to test. Perform the following command 2 or 3 times: internetsociety.org In the SSH shell, type the following: tmsh show ltm dns cache validating-resolver more Your output should look similar to below with statistics. Response Validation and DNSSEC Key stats are of particular interest in this use-case DNSSEC Validating Resolver 95

100 In the GUI, you can find similar data as above by navigating Statistics > Module Statistics > DNS > Caches. Select Statistics Type of Caches. Select View under the Details column for validating-resolver Note the size of the cache for just this single RR query. You can view what s in the cache from the CLI with: tmsh show ltm dns cache records rrset cache validating-resolver more Use-Case: Invalid Signed Zone: From your workstation, perform several recursive queries to your external Listener to test. Perform the following command 2 or 3 times: dnssec-failed.org Run the same steps above to view statistics and see the difference What happens when trust is broken. What statistic incremented? What was the query response to the client? 4.7 Forwarders In this use-case, we will configure conditional forwarders with local zone information. Estimated completion time: 5 minutes Add Forwarder to Existing Cache In the GUI, navigate to: DNS > Caches > Cache List. Click on validating-resolver from the previous exercise. Click Forward Zones from the top menu. 96 Chapter 4. DNS Services Beyond GSLB with BIG-IP DNS (201)

101 Click Add and configure as shown in the figure below and then click Finished: From your workstation, perform the following recursive queries to your external Listener to test. mail.forward.com In the SSH shell, type the following tmsh command: tmsh show ltm dns cache validating-resolver more Your output should look similar to below with statistics. Forwarder Activity stats are of particular interest in this use-case. In the GUI, you can find similar data as above by navigating Statistics > Module Statistics > DNS > Caches Forwarders 97