At the end of the lab students will have configured F5 GSLB DNS servers to alternately resolve www.example.com to 203.0.113.9 and 198.51.100.41.
A site specific sync group name will be created, and synchronization will be enabled.
Navigate to: DNS ›› Settings : GSLB : General
Configure the global settings for GSLB according to the following table:
Setting | Value |
---|---|
Synchronize | checked |
Group Name | EXAMPLE_group |
Synchronize DNS Zone Files | checked |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/settings/gslb/properties_general.jsp
TMSH
tmsh modify gtm global-settings general synchronization yes synchronization-group-name EXAMPLE_group synchronize-zone-files yes
A listener object is a specialized virtual server that is configured to respond to DNS queries.
We will be creating both TCP and UDP based listeners.
Configure DNS query and response logging. Create a “Log Publisher” and a “Logging Profile”.
Note
It is required to complete the following task on both gtm1.site1 and gtm1.site2
Navigate to: System ›› Logs : Configuration : Log Publishers
Create a local syslog publisher according to the table below:
Setting | Value |
---|---|
Name | local-syslog-publisher |
Destinations | local-syslog |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/system/log/create_publisher.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/system/log/create_publisher.jsp
On both gtm1.site1 and gtm1.site2 run the following command:
TMSH
tmsh create sys log-config publisher local-syslog-publisher { destinations { local-syslog { } } }
Navigate to: DNS > Delivery > Profiles > Other > DNS Logging: Create
Create a new DNS logging profile as shown in the table below.
Setting | Value |
---|---|
Name | example_dns_logging_profile |
Log Publisher | local-syslog-publisher |
Log Responses | enabled |
Include Query ID | enabled |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/dns_log/create.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/dns_log/create.jsp
TMSH command for both gtm1.site1 and gtm1.site2:
TMSH
tmsh create ltm profile dns-logging example_dns_logging_profile enable-response-logging yes include-query-id yes log-publisher local-syslog-publisher
A DNS profile controls the way a listener processes a query.
Note
It is required to complete the following task on both gtm1.site1 and gtm1.site2
Navigate to: DNS > Delivery > Profiles > DNS: Create
Create a new DNS profile as shown in the following table.
Setting | Value |
---|---|
Name | example.com_dns_profile |
Unhandled Query Action | Drop |
Use BIND Server on Big-IP | Disabled |
Logging | Enabled |
Logging Profile | example_dns_logging_profile |
AVR statistics Sample Rate | Enabled, 1/1 queries sampled |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/dns/create.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/dns/create.jsp
TMSH command for both gtm1.site1 and gtm1.site2:
TMSH
tmsh create ltm profile dns example.com_dns_profile use-local-bind no unhandled-query-action drop log-profile example_dns_logging_profile enable-logging yes avr-dnsstat-sample-rate 1
A UDP profile is associated with a listener.
Note
It is required to complete the following task on both gtm1.site1 and gtm1.site2
Navigate to: DNS ›› Delivery : Profiles : Protocol : UDP
Create a new UDP profile as shown in the following table:
Setting | Value |
---|---|
Name | example.com_udp-dns_profile |
Parent Profile | udp_gtm_dns |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/create.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/create.jsp
TMSH command for both gtm1.site1 and gtm1.site2:
TMSH
tmsh create ltm profile udp example.com_udp-dns_profile defaults-from udp_gtm_dns
A TCP profile is associated with a listener.
Note
It is required to complete the following task on both gtm1.site1 and gtm1.site2
Navigate to: DNS ›› Delivery : Profiles : Protocol : TCP
Create a new TCP profile as shown in the following table.
Setting | Value |
---|---|
Name | example.com_tcp-dns_profile |
Parent Profile | f5-tcp-wan |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/create.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/create.jsp
TMSH command for both gtm1.site1 and gtm1.site2:
TMSH
tmsh create ltm profile tcp example.com_tcp-dns_profile defaults-from tcp-wan-optimized
A UDP listener will receive and process DNS queries.
Note
It is required to complete the following task on both gtm1.site1 and gtm1.site2
Navigate to: DNS ›› Delivery : Listeners : Listener List
Create a UDP listener according to the following table:
Setting | gtm1.site1 | gtm1.site2 |
---|---|---|
Name | isp1_site1_ns1.example.com_udp_53_virtual | isp2_site2_ns2.example.com_udp_53_virtual |
Destination | 203.0.113.8 | 198.51.100.40 |
Protocol Profile (Client) | example.com_udp-dns_profile | example.com_udp-dns_profile |
DNS Profile | example.com_dns_profile | example.com_dns_profile |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp
gtm1.site1 TMSH command:
TMSH
tmsh create gtm listener isp1_site1_ns1.example.com_udp_53_virtual address 203.0.113.8 ip-protocol udp mask 255.255.255.255 port 53 profiles add { example.com_dns_profile example.com_udp-dns_profile }
gtm1.site2 TMSH command:
TMSH
tmsh create gtm listener isp2_site2_ns2.example.com_udp_53_virtual address 198.51.100.40 ip-protocol udp mask 255.255.255.255 port 53 profiles add { example.com_dns_profile example.com_udp-dns_profile }
A TCP listener will receive and process DNS queries.
Note
It is required to complete the following task on both gtm1.site1 and gtm1.site2
Navigate to: DNS ›› Delivery : Listeners : Listener List
Create a TCP listener.
Setting | gtm1.site1 | gtm1.site2 |
---|---|---|
Name | isp1_site1_ns1.example.com_tcp_53_virtual | isp2_site2_ns2.example.com_tcp_53_virtual |
Destination | 203.0.113.8 | 198.51.100.40 |
Protocol Profile (Client) | example.com_tcp-dns_profile | example.com_tcp-dns_profile |
DNS Profile | example.com_dns_profile | example.com_dns_profile |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp
https://gtm1.site2.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp
gtm1.site1 TMSH command:
TMSH
tmsh create gtm listener isp1_site1_ns1.example.com_tcp_53_virtual address 203.0.113.8 ip-protocol tcp mask 255.255.255.255 port 53 profiles add { example.com_dns_profile example.com_tcp-dns_profile }
gtm1.site2 TMSH command:
TMSH
tmsh create gtm listener isp2_site2_ns2.example.com_tcp_53_virtual address 198.51.100.40 ip-protocol tcp mask 255.255.255.255 port 53 profiles add { example.com_dns_profile example.com_tcp-dns_profile }
Datacenters are logical groupings of devices that share a gateway.
Note
The tasks in this section are to be only completed on gtm1.site1
Navigate to: DNS > GSLB > Data Centers > Data Center List: Create
https://gtm1.site1.example.com/tmui/Control/jspmap/xsl/gtm_dc/list
Create two data centers according to the table below:
Setting | Value |
---|---|
Name | site1_datacenter |
Name | site2_datacenter |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/data_center/create.jsp
TMSH commands for only gtm1.site1:
TMSH
tmsh create gtm datacenter site1_datacenter
TMSH
tmsh create gtm datacenter site2_datacenter
Server objects need to be defined and grouped into a Datacenter
Navigate to: DNS ›› GSLB : Servers : Server List
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/list.jsp
All GTM devices need to be defined. Create a server object for gtm1.site1
Click “Create” to define gtm1.site1 as defined in the table below:
Setting | Value |
---|---|
Name | gtm1.site1_server |
Data Center | site1_datacenter |
Devices Add: | gtm1.site1.example.com : 203.0.113.7 |
Health Monitors | bigip |
Fill in the Name and Datacenter
Click the “Add” button to define IP addresses
Complete the form and associate the “bigip” “Health Monitor”
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/create.jsp
TMSH
tmsh create gtm server gtm1.site1_server datacenter site1_datacenter devices add { gtm1.site1.example.com { addresses add { 203.0.113.7 } } } monitor bigip product bigip
All GTM devices need to be defined. Create a server object for gtm1.site2
Click “Create” to define gtm1.site2 as defined in the table below:
Setting | Value |
---|---|
Name | gtm1.site2_server |
Data Center | site2_datacenter |
Devices Add: | gtm1.site2.example.com : 198.51.100.39 |
Health Monitors | bigip |
Fill in the Name and Datacenter
Click the “Add” button to define IP addresses
Complete the form and associate the “bigip” “Health Monitor”
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/create.jsp
TMSH
tmsh create gtm server gtm1.site2_server datacenter site2_datacenter devices add { gtm1.site2.example.com { addresses add { 198.51.100.39 } } } monitor bigip product bigip
LTM devices need to be defined. Create a server object for the bigip1.site1 and bigip2.site1 HA pair
Create a Server Object as defined in the table below:
Setting | Value |
---|---|
Name | site1_ha-pair |
Data Center | site1_datacenter |
Devices Add: | bigip1.site1.example.com : 203.0.113.5 |
Devices Add: | bigip2.site1.example.com : 203.0.113.6 |
Health Monitors | bigip |
Virtual Server Discovery | Enabled |
Link Discovery | Enabled |
Fill in the Name and Datacenter
Click the “Add” button to define IP addresses
Click “Add” again to define the other BIG-IP in the HA pair.
Click the “Add” button to define IP addresses
Complete the form and associate the “bigip” “Health Monitor”
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/create.jsp
TMSH
tmsh create gtm server site1_ha-pair datacenter site1_datacenter devices add { bigip1.site1.example.com { addresses add { 203.0.113.5 { } } } bigip2.site1.example.com { addresses add { 203.0.113.6 { } } } } link-discovery enabled monitor bigip product bigip virtual-server-discovery enabled
LTM devices need to be defined. Create a server object for the bigip1.site2 and bigip2.site2 HA pair
Create a Server Object as defined in the table below:
Setting | Value |
---|---|
Name | site2_ha-pair |
Data Center | site2_datacenter |
Device Add: | bigip1.site2.example.com : 198.51.100.37 |
Device Add: | bigip2.site2.example.com : 198.51.100.38 |
Health Monitors | bigip |
Virtual Server Discovery | Enabled |
Link Discovery | Enabled |
Fill in the Name and Datacenter
Click the “Add” button to define IP addresses
Click “Add” again to define the other BIG-IP in the HA pair.
Click the “Add” button to define IP addresses
Complete the form and associate the “bigip” “Health Monitor”
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/server/create.jsp
TMSH
tmsh create gtm server site2_ha-pair datacenter site2_datacenter devices add { bigip1.site2.example.com { addresses add { 198.51.100.37 { } } } bigip2.site2.example.com { addresses add { 198.51.100.38 { } } } } link-discovery enabled monitor bigip product bigip virtual-server-discovery enabled
A mesh of F5 DNS servers needs to exchange keys to establish a trusted mechanism for HA communications.
Launch Putty and log in to gtm1.site1.example.com
Run the following command. When prompted for a password use “default”.
TMSH
bigip_add
Navigate to: DNS ›› GSLB : Servers : Trusted Server Certificates
After the BIG-IP DNS server in datacenter 2 is joined to the sync group, administrators may make changes to either F5 DNS server.
Changes will be automatically replicated across all F5 DNS servers.
Launch Putty and log in to gtm1.site2
Run the following command, entering the password “default” when prompted.
Select “y” to allow the BIG-IP to join the mesh.
TMSH
gtm_add 203.0.113.7
LTM virtual server objects are grouped together into GTM pools.
Navigate to: DNS ›› GSLB : Pools : Pool List
Create a Pool of LTM Virtuals according to the following table:
Setting | Value |
---|---|
Name | www.example.com_pool |
Type | A |
member | isp1_site1_www.example.com_tcp_https_virtual |
member | isp2_site2_www.example.com_tcp_https_virtual |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/pool/create.jsp
TMSH command to run on only gtm1.site1:
TMSH
tmsh create gtm pool a www.example.com_pool { members add { site1_ha-pair:/Common/isp1_site1_www.example.com_tcp_https_virtual { member-order 0 } site2_ha-pair:/Common/isp2_site2_www.example.com_tcp_https_virtual { member-order 1 } } }
F5 refers to an FQDN as a “wide-ip”, or “wip”.
Navigate to: DNS ›› GSLB : Wide IPs : Wide IP List
Create an F5 “wide IP”
Setting | Value |
---|---|
Name | www.gslb.example.com |
Type | A |
Pool | www.example.com_pool |
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/wideip/list.jsp
TMSH command to run on only gtm1.site1:
TMSH
tmsh create gtm wideip a www.gslb.example.com { pools add { www.example.com_pool { order 0 } } }
Log in to the DNS server from the jumpbox, and open the DNS management UI:
Create two new A records for the new BIG-IP nameservers.
Setting | Value |
---|---|
ns1.example.com. | 203.0.113.8 |
ns2.example.com. | 198.51.100.40 |
Expand “Forward Lookup Zones”, right click on EXAMPLE.COM and select “New Host”
Expand “Forward Lookup Zones”, and right click on “EXAMPLE.COM”
Create the “gslb” subdomain.
Step through the Delegation Wizard. Add “ns1.example.com - 203.0.113.8”
Also add “ns2.example.com - 198.51.100.40”
Make sure both ns1.example.com and ns2.example.com are added
Click “Finish”
Make sure “Forward Lookup Zones” and “EXAMPLE.COM” are expanded. Right click on “www”, and select delete.
Right click on “EXAMPLE.COM”, and select “New Alias (CNAME)”
Add “www - www.gslb.example.com”
From the Workstation command prompt type “dig www.example.com”
Observe WIDEIP statistics on gtm1.site1: Statistics ›› Module Statistics : DNS : GSLB ›› Wide IPs : www.gslb.example.com : A
TMSH
tmsh show gtm wideip a www.gslb.example.com
Observe WIDEIP statistics on gtm1.site2: Statistics ›› Module Statistics : DNS : GSLB ›› Wide IPs : www.gslb.example.com : A
Disable physical interfaces on gtm1.site2:
TMSH command to run on only gtm1.site2:
TMSH
tmsh modify net interface all disabled
Refresh statistics on gtm1.site1 and make sure DNS requests are still resolving.
Re-enable interfaces on gtm1.site2, disable interfaces on gtm1.site1. Observe statistics on gtm1.site2 and make sure DNS requests are still resolving.
TMSH command to run on only gtm1.site2:
TMSH
tmsh modify net interface all enabled
Observe pool statistics on gtm1.site1: Statistics ›› Module Statistics : DNS : GSLB ›› Pools : www.example.com_pool : A
TMSH
tmsh show gtm pool a www.example.com_pool
Using Putty, ssh into gtm1.site1 and run the following command to watch logs:
TMSH
tail -f /var/log/ltm
Modify the GSLB configuration so that LDNS servers continually receive the same DNS answer.
On gtm1.site1 navigate to: DNS ›› GSLB : Wide IPs : Wide IP List ›› www.gslb.example.com
https://gtm1.site1.example.com/tmui/Control/jspmap/tmui/globallb/wideip/list.jsp
Click into the “Pools” tab and enable Persistence.
TMSH
tmsh modify gtm wideip a www.gslb.example.com persistence enabled
View Persistence Records
TMSH
tmsh show gtm persist
Modify the GSLB configuration so that site2 is a standby DR site.
Introduce a network problem that causes the isp1 link monitor to fail.
An ISP network outage can automatically cause DR activation.
On gtm1.site1 navigate to: DNS ›› GSLB : Pools : Pool List ›› Members : www.example.com_pool
Modify the “Load Balancing Method” -> “Preferred” to “Global Availability”
TMSH
tmsh modify gtm pool a www.example.com_pool load-balancing-mode global-availability
Introduce a network problem in the ISP at site1
Log into the router and disable interface 1.6 connecting ISP1 to site1
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/network/interface/list.jsp
TMSH command to run on the router01 to simulate an ISP failure
TMSH
tmsh modify net interface 1.6 disabled
View the effect
Log into gtm1.site2 and observe the status of “Link” objects:
https://gtm1.site2.example.com/tmui/Control/jspmap/xsl/gtm_link/list
TMSH
tmsh show gtm link
Set the site1 isp link back up
Log into the router and enable the interface 1.6 connecting ISP1 to site1
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/network/interface/list.jsp
TMSH
tmsh modify net interface 1.6 enabled
Note: Even though you re-enabled the primary site1, a persistence record from the previous lab is still in place.
The lab environment consists of a LAN of workstations in a remote location with internal DNS servers behind an F5 firewall.
The F5 device is directly connected to the internet.
Students will work with the following concepts as part of a group of lab exercises.
A DNS application-specific health monitor provides the intelligence for steering DNS queries towards the fastest responding DNS server.
Navigate to: Delivery : Load Balancing : Monitors
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/monitor/list.jsp
Create a monitor according to the following table:
Setting | Value |
---|---|
Name | example.com_dns_monitor |
Type | DNS |
Query Name | www.example.com |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/monitor/create.jsp
TMSH
tmsh create ltm monitor dns example.com_dns_monitor defaults-from dns qname www.example.com
Augment and scale an existing DNS infrastructure by load balancing DNS queries across a pool of DNS servers.
Navigate to: Delivery : Load Balancing : Pools : Pool List
Create a pool according to the following table:
Setting | Value |
---|---|
Name | branch01_dns_pool |
Health Monitors | example.com_dns_monitor |
Add the following members to the pool:
Member Node Name | Address | Service Port |
---|---|---|
dc01.branch01.example.com_node | 10.1.70.200 | 53 |
dc02.branch01.example.com_node | 10.1.70.210 | 53 |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/create.jsp
TMSH
tmsh create ltm pool branch01_dns_pool members add { dc01.branch01.example.com_node:53 { address 10.1.70.200 } dc02.branch01.example.com_node:53 { address 10.1.70.210 } } monitor example.com_dns_monitor
Navigate to: DNS ›› Delivery : Load Balancing : Pools : Pool List
Click to select the branch01_dns_pool, and then click “Members”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/list.jsp
Click to select “branch01_dns_pool”, and then select “Members”
Notice the health status of the existing DNS infrastructure.
TMSH
tmsh show ltm pool branch01_dns_pool detail
In this module we will prepare the objects required to build a transparent cache.
In the next exercise a DNS profile will reference the cache and a Listener will forward traffic to a healthy backend DNS server.
Enabling a transparent cache on the BIG-IP will offload some DNS queries from being sent to the internal DNS servers.
Log into the gateway device router01.branch01 in the branch office
Navigate to DNS ›› Caches : Cache List
Create a transparent cache
Setting | Value |
---|---|
Name | transparent_cache |
Resolver Type | Transparent |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/create.jsp
TMSH command for router01.branch01:
TMSH
tmsh create ltm dns cache transparent transparent_cache
A listener object is a specialized virtual server that is configured to respond to DNS queries.
We will be creating both TCP and UDP based listeners that use the same IP addresses as the existing DNS servers.
Note: the Workstation is configured to use 10.1.70.200 and 10.1.70.210 for DNS.
After this module students will have enabled the BIG-IP to intercept and cache DNS requests.
Configure DNS query and response logging.
Create a “Log Publisher” for local syslog.
Navigate to: System ›› Logs : Configuration : Log Publishers
Create a local syslog publisher as shown in the table below:
Setting | Value |
---|---|
Name | local-syslog-publisher |
Destinations | local-syslog |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/system/log/create_publisher.jsp
TMSH
tmsh create sys log-config publisher local-syslog-publisher { destinations add { local-syslog { } } }
Create a “Logging Profile”
Navigate to DNS ›› Delivery : Profiles : Other : DNS Logging
Create a DNS logging profile as shown in the table below:
Setting | Value |
---|---|
Name | example_dns_logging_profile |
Log Publisher | local-syslog-publisher |
Log Responses | enabled |
Include Query ID | enabled |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/profile/dns_log/create.jsp
TMSH
tmsh create ltm profile dns-logging example_dns_logging_profile enable-response-logging yes include-query-id yes log-publisher local-syslog-publisher
A DNS profile will control which features are enabled as part of processing a query.
Navigate to: DNS ›› Delivery : Profiles : DNS
Create a DNS profile as shown in the table below.
Setting | Value |
---|---|
Name | example.com_dns_profile |
DNS Cache | Enabled |
DNS Cache Name | transparent_cache |
Use BIND Server on Big-IP | Disabled |
Logging | Enabled |
Logging Profile | example_dns_logging_profile |
AVR statistics Sample Rate | Enabled, 1/1 queries sampled |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/profile/dns/create.jsp
TMSH
tmsh create ltm profile dns example.com_dns_profile { avr-dnsstat-sample-rate 1 cache transparent_cache defaults-from dns enable-cache yes enable-logging yes log-profile example_dns_logging_profile use-local-bind no }
A UDP profile controls the way the platform processes UDP traffic.
Navigate to: DNS ›› Delivery : Profiles : Protocol : UDP
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/list.jsp
Create a UDP profile as shown in the following table.
Setting | Value |
---|---|
Name | example.com_udp-dns_profile |
Parent Profile | udp_gtm_dns |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/create.jsp
TMSH
tmsh create ltm profile udp example.com_udp-dns_profile defaults-from udp_gtm_dns
A TCP profile controls the way the platform processes TCP traffic.
Navigate to: DNS ›› Delivery : Profiles : Protocol : TCP
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/list.jsp
Create a TCP profile as shown in the following table.
Setting | Value |
---|---|
Name | example.com_tcp-dns_profile |
Parent Profile | f5-tcp-lan |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/create.jsp
TMSH
tmsh create ltm profile tcp example.com_tcp-dns_profile defaults-from f5-tcp-lan
A UDP listener is an IP address that will receive DNS queries.
Navigate to: DNS ›› Delivery : Listeners : Listener List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
Create two UDP listeners according to the tables below:
Setting | Value |
---|---|
Name | DC01_udp_53_virtual |
Destination Address | 10.1.70.200 |
Service Port | DNS 53 |
VLAN and Tunnel Traffic -> Enabled on.. | branch01_vlan |
Protocol | UDP |
Protocol Profile (Client) | example.com_udp-dns_profile |
DNS Profile | example.com_dns_profile |
Default Pool | branch01_dns_pool |
Setting | Value |
---|---|
Name | DC02_udp_53_virtual |
Destination Address | 10.1.70.210 |
Service Port | DNS 53 |
VLAN and Tunnel Traffic -> Enabled on.. | branch01_vlan |
Protocol | UDP |
Protocol Profile (Client) | example.com_udp-dns_profile |
DNS Profile | example.com_dns_profile |
Default Pool | branch01_dns_pool |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/virtual_server/create.jsp
TMSH
tmsh create gtm listener DC01_udp_53_virtual address 10.1.70.200 port 53 ip-protocol udp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_udp-dns_profile } vlans add { branch01_vlan } vlans-enabled
TMSH
tmsh create gtm listener DC02_udp_53_virtual address 10.1.70.210 port 53 ip-protocol udp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_udp-dns_profile } vlans add { branch01_vlan } vlans-enabled
A TCP listener is an IP address that will receive DNS queries.
Navigate to: DNS ›› Delivery : Listeners : Listener List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
Create two TCP listeners according to the table below:
Setting | Value |
---|---|
Name | DC01_tcp_53_virtual |
Destination | 10.1.70.200 |
Service Port | DNS 53 |
VLAN and Tunnel Traffic -> Enabled on.. | branch01_vlan |
Protocol | TCP |
Protocol Profile (Client) | example.com_tcp-dns_profile |
DNS Profile | example.com_dns_profile |
Pool | branch01_dns_pool |
Setting | Value |
---|---|
Name | DC02_tcp_53_virtual |
Destination | 10.1.70.210 |
Service Port | DNS 53 |
VLAN and Tunnel Traffic -> Enabled on.. | branch01_vlan |
Protocol | TCP |
Protocol Profile (Client) | example.com_tcp-dns_profile |
DNS Profile | example.com_dns_profile |
Pool | branch01_dns_pool |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp
TMSH
tmsh create gtm listener DC01_tcp_53_virtual address 10.1.70.200 port 53 ip-protocol tcp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_tcp-dns_profile } vlans add { branch01_vlan } vlans-enabled
TMSH
tmsh create gtm listener DC02_tcp_53_virtual address 10.1.70.210 port 53 ip-protocol tcp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_tcp-dns_profile } vlans add { branch01_vlan } vlans-enabled
From the jumpbox open a command prompt and run several recursive queries against the new listeners to test them.
Repeat some of the same queries multiple times:
dig www.f5.com
dig www.wikipedia.org
dig www.ncsu.edu
dig www.example.com
Viewing Cache Entries
Navigate to: DNS ›› Caches : Cache List ›› Properties : transparent_cache
Navigate to: Statistics ›› Module Statistics : DNS : Caches ›› Caches
Navigate to: Statistics ›› Module Statistics : DNS : Caches ›› Caches : transparent_cache
TMSH
tmsh show ltm dns cache records rrset cache transparent_cache
tmsh show ltm dns cache transparent transparent_cache
Clearing Entire Cache
Navigate to Statistics > Module Statistics > DNS > Caches
Set “Statistics Type” to “Caches”.
Select the cache and click “Clear Cache” to empty the cache.
Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List
Create a zone signing key according to the following table:
Setting | Value |
---|---|
Name | example.com_zsk |
Type | Zone Signing Key |
Key Management | Manual |
Certificate | default.crt |
Private Key | default.key |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/dnssec_key/create.jsp
TMSH
tmsh create ltm dns dnssec key example.com_zsk key-type zsk certificate-file default.crt key-file default.key
Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List
Create a key signing key according to the following table:
Setting | Value |
---|---|
Name | example.com_ksk |
Type | Key Signing Key |
Key Management | Manual |
Certificate | default.crt |
Private Key | default.key |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/dnssec_key/create.jsp
TMSH commands for Key Signing key creation:
TMSH
tmsh create ltm dns dnssec key example.com_ksk key-type ksk certificate-file default.crt key-file default.key
Navigate to: DNS ›› Zones : DNSSEC Zones : DNSSEC Zone List
Create DNS Express zone signed by DNSSEC
Setting | Value |
---|---|
Name | example.com |
Zone Signing Key | example.com_zsk |
Key Signing Key | example.com_ksk |
TMSH commands for DNSSEC signed zone creation:
TMSH
tmsh create ltm dns dnssec zone example.com keys add { example.com_ksk example.com_zsk }
From the CLI on the router01.branch01 BIG-IP run tail -f /var/log/ltm
From the Workstation CMD prompt run: “dig example.com +dnssec”
Create a trust anchor to validate content in a DNS response.
Using Putty, ssh into router01.branch01 and run the following command:
TMSH
dig dnskey . | grep 257 > /root/dnskey.txt
dnssec-dsfromkey -f /root/dnskey.txt .
Navigate to: DNS ›› Caches : Cache List ›› validating-resolver_cache : Trust Anchors
Select the validating-resolver_cache and click “Trust Anchors”
For each line of output from the preceding command create a “Trust Anchor”
TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache trust-anchors replace-all-with { ". IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E" ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" ". IN DS 20326 8 1 AE1EA5B974D4C858B740BD03E3CED7EBFCBD1724" ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" }
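The two steps above (keep the KSK lines from `dig dnskey .`, then derive DS records from them) reimplemented in Python as an added example; this is not code from the lab guide or from F5. It filters on the DNSKEY flags field rather than on the string 257, which a plain `grep 257` would also match in a TTL, key tag or base64 key that happens to contain those digits. The DNSKEY lines it parses are constructed samples, not the real root keys.

```python
"""Derive DS trust-anchor records from dig DNSKEY output (added example)."""
import base64
import hashlib
import struct

# Constructed dig output for this example (NOT real root keys).  The
# second record is a ZSK (flags 256) whose TTL happens to be 257, so a
# plain `grep 257` would wrongly keep it as a trust anchor candidate.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
.\t\t\t172800\tIN\tDNSKEY\t257 3 8 AQID
.\t\t\t257\tIN\tDNSKEY\t256 3 8 BAUG
"""


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format; the root "." is a single 0x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskeys(text: str, want_flags: int = 257):
    """Return (owner, flags, protocol, algorithm, key_bytes) for every DNSKEY
    record whose flags field equals want_flags (257 = KSK, 256 = ZSK)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";") or "DNSKEY" not in parts:
            continue
        idx = parts.index("DNSKEY")
        if len(parts) < idx + 5:
            continue
        owner = parts[0]
        flags, proto, alg = (int(p) for p in parts[idx + 1 : idx + 4])
        if flags != want_flags:
            continue
        key = base64.b64decode("".join(parts[idx + 4 :]))
        records.append((owner, flags, proto, alg, key))
    return records


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, proto, alg, key):
    """DS records (digest type 1 = SHA-1, 2 = SHA-256) in the format the
    lab pastes into the trust-anchors list: '. IN DS <tag> <alg> <type> <hex>'."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    tag = key_tag(rdata)
    digest_input = name_to_wire(owner) + rdata
    return [
        f"{owner} IN DS {tag} {alg} 1 {hashlib.sha1(digest_input).hexdigest().upper()}",
        f"{owner} IN DS {tag} {alg} 2 {hashlib.sha256(digest_input).hexdigest().upper()}",
    ]


def trust_anchors_from_dig(text: str):
    """Full pipeline: dig output -> list of DS strings for the KSKs only."""
    anchors = []
    for rec in parse_dnskeys(text):
        anchors.extend(ds_records(*rec))
    return anchors


def tmsh_trust_anchor_command(cache_name: str, anchors) -> str:
    """Render the tmsh command used in the lab for the derived anchors."""
    quoted = " ".join(f'"{a}"' for a in anchors)
    return (f"tmsh modify ltm dns cache validating-resolver {cache_name} "
            f"trust-anchors replace-all-with {{ {quoted} }}")


if __name__ == "__main__":
    ds = trust_anchors_from_dig(SAMPLE_DIG_OUTPUT)
    print("\n".join(ds))
    print(tmsh_trust_anchor_command("validating-resolver_cache", ds))
```

Against real `dig dnskey .` output, compare what this produces with the output of dnssec-dsfromkey before loading anchors; a differing DS means a mis-copied line.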
To cache a validated response for the signed zones, you need to obtain a trust anchor and a DLV anchor.
Using Putty, ssh into router01.branch01 and run the following command:
TMSH
dig dnskey dlv.isc.org. | grep 257 > /root/DLVdnskey.txt
dnssec-dsfromkey -f /root/DLVdnskey.txt dlv.isc.org.
Navigate to: DNS ›› Caches : Cache List ›› validating-resolver_cache : DLV Anchors
For each line of output from the preceding command create a “DLV Anchor”
TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache dlv-anchors replace-all-with { "dlv.isc.org. IN DS 19297 5 1 7D480DBEF530374D8A4333FCB22106EB10013B46" "dlv.isc.org. IN DS 19297 5 2 A11D16F6733983E159EDF8053B2FB57B479D81A309A50EAA79A81AF48A47C617" }
In order to activate the new “Validating Resolver”, modify the DNS profile example.com_dns_profile.
Navigate to: DNS ›› Delivery : Profiles : DNS
Select the profile “example.com_dns_profile”
Modify the DNS profile to activate the new validating-resolver_cache.
TMSH
tmsh modify ltm profile dns example.com_dns_profile cache validating-resolver_cache
From the CLI on the router01.branch01 BIG-IP run
tail -f /var/log/ltm
From the Workstation CMD prompt run: “dig ghghghghg.com”
From the Workstation CMD prompt run: “dig google.com”
From the Workstation CMD prompt run: “dig dnssec-deployment.org +dnssec”
From the Workstation CMD prompt run: “dig dnssec-failed.org +dnssec”
http://www.internetsociety.org/deploy360/resources/dnssec-test-sites/
Configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses.
After completing this lab students will entirely offload DNS queries from internal masters.
Navigate to DNS ›› Caches : Cache List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Create a validating resolver cache according to the table below:
Setting | Value |
---|---|
Name | validating-resolver_cache |
Resolver Type | Validating Resolver |
Answer default zones | Checked - Enabled |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/create.jsp
TMSH
tmsh create ltm dns cache validating-resolver validating-resolver_cache answer-default-zones yes
Response Policy Zone will be turned on to stop clients from trying to resolve blacklisted domains.
Customers will subscribe to their RPZ vendor of choice.
Use ZoneRunner to create a custom RPZ zone for our lab.
Navigate to DNS ›› Zones : ZoneRunner : Zone List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/globallb/zfd/zone/create.jsp
Create a zone according to the following table:
Setting | Value |
---|---|
View Name | external |
Zone Name | rpz.example.com |
Zone Type | Master |
Zone File Name | db.external.rpz.example.com |
Options | also-notify { ::1 port 5353; }; |
TTL | 300 |
Master Server | router01.branch01.example.com. |
Email Contact | hostmaster.example.com. |
NS Record: TTL | 300 |
NS Record: Nameserver | router01.branch01.example.com. |
Create A Record | Checked - Enabled |
A Record: IP Address | 10.1.71.1 |
Navigate to: DNS ›› Zones : ZoneRunner : Resource Record List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/globallb/zfd/record/create.jsp
Create a resource record according to the following table:
Setting | Value |
---|---|
View Name | external |
Zone Name | rpz.example.com |
Name | *.guns.com.rpz.example.com. |
TTL | 300 |
Type | CNAME |
CNAME | . |
Navigate to DNS ›› Delivery : Nameservers : Nameserver List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/list.jsp
Create a nameserver according to the following table:
Setting | Value |
---|---|
Name | localhost |
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/create.jsp
TMSH
tmsh create ltm dns nameserver localhost { address 127.0.0.1 tsig-key none }
Navigate to DNS ›› Zones : Zones : Zone List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/zone/create.jsp
Create a DNS Express zone according to the following table:
Setting | Value |
---|---|
Name | rpz.example.com |
Server | localhost |
Allow NOTIFY From | 127.0.0.1 |
Response Policy | checked |
TMSH
tmsh create ltm dns zone rpz.example.com { dns-express-server localhost response-policy yes dns-express-allow-notify add { 127.0.0.1 } dns-express-notify-tsig-verify no }
Navigate to: DNS ›› Caches : Cache List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Select validating-resolver_cache, click “Local Zones”, and click “Add”
Create a local zone entry according to the following table:
Setting | Value |
---|---|
Name | sorry.example.com |
Type | Static |
Records | sorry.example.com. IN A 10.1.71.21 |
TMSH commands for router01.branch01:
TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache local-zones { { name sorry.example.com records add { "sorry.example.com. IN A 10.1.71.21" } type static } }
Navigate to: DNS ›› Caches : Cache List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Click “validating-resolver_cache”, click “Response Policy Zones”, and then click “Add”
Create a response policy zone entry according to the following table:
Setting | Value |
---|---|
Zone | rpz.example.com |
Action | Walled Garden |
Walled Garden | sorry.example.com |
TMSH commands for router01.branch01:
TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache response-policy-zones add { rpz.example.com { action walled-garden walled-garden sorry.example.com } }
From a Workstation command prompt run “dig www.guns.com”
Try running additional dig commands to verify that other domains still resolve as expected.
dig www.f5.com
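To predict what these dig commands should return before running them, here is an added Python model (example code, not F5's or the lab's) of the RPZ trigger matching for the `*.guns.com` record and of the cache's NXDOMAIN and Walled Garden actions; the RPZ_TRIGGERS and LOCAL_ZONES tables and the upstream answers passed in are constructed from the lab tables.

```python
"""Model of the lab's RPZ handling: added example, not F5 or lab code.
Reproduces trigger matching for '*.guns.com.rpz.example.com. CNAME .'
and the cache's NXDOMAIN / Walled Garden actions."""
from typing import Optional

# Constructed from the lab tables: triggers are owner names relative to
# rpz.example.com; CNAME "." is the conventional "block" trigger.
RPZ_TRIGGERS = {"*.guns.com": "."}
# Static local zone from the cache's Local Zones table (walled garden target).
LOCAL_ZONES = {"sorry.example.com": "10.1.71.21"}


def rpz_trigger(qname: str) -> Optional[str]:
    """Return the RPZ trigger matching qname, or None.

    Exact owner names win over wildcards. '*.guns.com' covers www.guns.com
    and a.b.guns.com but, as with ordinary DNS wildcards, not the apex
    guns.com itself; add an explicit guns.com trigger to block the apex.
    """
    name = qname.rstrip(".").lower()
    if name in RPZ_TRIGGERS:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in RPZ_TRIGGERS:
            return wildcard
    return None


def apply_rpz(qname: str, upstream_answer: str, action: str,
              walled_garden: str = "sorry.example.com") -> dict:
    """Answer the client sees after the cache applies its RPZ action.

    upstream_answer is the constructed A record the resolver would return
    without policy; action mirrors the cache's Response Policy Zones setting.
    """
    trigger = rpz_trigger(qname)
    if trigger is None:
        return {"rcode": "NOERROR", "answer": upstream_answer, "trigger": None}
    if action == "walled-garden":
        # The client is steered to the sorry page instead of getting an error.
        return {"rcode": "NOERROR", "answer": LOCAL_ZONES[walled_garden],
                "cname": walled_garden, "trigger": trigger}
    if action == "nxdomain":
        return {"rcode": "NXDOMAIN", "answer": None, "trigger": trigger}
    raise ValueError(f"unknown RPZ action {action!r}")
```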
Configure filtering of DNS queries based on the category of the requested domain. This is done with an F5 iRule and the built-in URL categorization database.
Navigate to: DNS ›› Delivery : iRules : iRules List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Create a new iRule named as in the table below, then copy the content that follows and paste it as the iRule definition.
Setting | Value |
---|---|
Name | DNS-query-filtering |
```tcl
when RULE_INIT {
    # Set categories to block for DNS hosts
    set static::blocked_categories {
        /Common/Bot_Networks
        /Common/Spyware
        /Common/Malicious_Web_Sites
        /Common/Adult_Content
        /Common/Sex
    }
    # CONFIGURATION
    # Check all requests by default
    set static::request_check 1
    # If the category returns as blocked, return NXDOMAIN (1)
    # Otherwise if (0), return a statically defined IP address
    set static::request_return_nxdomain 0
    set static::request_redirect_to "10.1.71.21"
    # Toggle for debug logs
    set static::request_debug 1
}
when DNS_REQUEST {
    if { $static::request_check } {
        # Categorize the queried name as if it were a URL; keep the first category only
        set lookup_category [getfield [CATEGORY::lookup "http://[DNS::question name]"] " " 1]
        # lsearch returns the 0-based index of the match (or -1), so test for >= 0;
        # testing for >= 1 would silently skip the first blocked category
        if { [lsearch -exact $static::blocked_categories $lookup_category] >= 0 } {
            if { $static::request_debug } {
                log local0. "BLOCKED: Category $lookup_category matching [DNS::question name] is filtered."
            }
            DNS::answer clear
            if { $static::request_return_nxdomain } {
                DNS::header opcode QUERY
                DNS::header rcode NXDOMAIN
            } else {
                # Only A queries get the static redirect; other types get an empty answer
                if { [DNS::question type] equals "A" } {
                    DNS::answer insert "[DNS::question name]. 111 [DNS::question class] [DNS::question type] $static::request_redirect_to"
                }
            }
            DNS::return
        } else {
            if { $static::request_debug } {
                log local0. "Category $lookup_category matching [DNS::question name] is not filtered"
            }
        }
    }
}
```
TMSH commands for router01.branch01 (the create command opens an editor; copy the iRule content above from a text editor and paste it in)
TMSH
tmsh create ltm rule DNS-query-filtering
Navigate to: DNS ›› Delivery : Listeners : Listener List
Open the listener DC01_udp_virtual
Navigate to the iRules section
Click Manage
Highlight the DNS-query-filtering iRule and move it to the Selected column
TMSH commands for router01.branch01
TMSH
tmsh modify ltm virtual branch01_udp_53_virtual rules { DNS-query-filtering }
From the CLI on the router01.branch01 BIG-IP, run:
tail -f /var/log/ltm
From the Workstation command prompt run “dig example.com” and check the results
From the Workstation command prompt run “dig porno.com” and check the results
Navigate to: DNS ›› Delivery : iRules : iRules List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Click the DNS-query-filtering iRule and add a new blocked category, “/Common/News_and_Media”, to the static::blocked_categories list (in the same form as the existing entries)
From the Workstation command prompt run “dig cnn.com” and check for the results
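The iRule writes one debug line per query to /var/log/ltm, which is tedious to review with tail alone. Here is an added Python parser (example code, not F5's or the lab's) that summarises those lines per category; the sample log text is constructed to match the iRule's log messages, with the "Rule ... <DNS_REQUEST>:" prefix assumed to be the form tmm adds to iRule log output.

```python
"""Summarise DNS-query-filtering debug output: added example, not F5 code."""
import re
from collections import Counter

# Constructed sample of /var/log/ltm: three iRule lines that match the
# messages the iRule above logs, plus one unrelated mcpd line to be skipped.
SAMPLE_LTM_LOG = """\
Jul 28 10:15:02 router01 info tmm[12345]: Rule /Common/DNS-query-filtering <DNS_REQUEST>: Category /Common/Information_Technology matching example.com is not filtered
Jul 28 10:15:09 router01 info tmm[12345]: Rule /Common/DNS-query-filtering <DNS_REQUEST>: BLOCKED: Category /Common/Adult_Content matching porno.com is filtered.
Jul 28 10:15:31 router01 info tmm[12345]: Rule /Common/DNS-query-filtering <DNS_REQUEST>: BLOCKED: Category /Common/News_and_Media matching cnn.com is filtered.
Jul 28 10:16:03 router01 info tmm[12346]: Rule /Common/DNS-query-filtering <DNS_REQUEST>: BLOCKED: Category /Common/Adult_Content matching porno.com is filtered.
Jul 28 10:16:10 router01 notice mcpd[4321]: 01070638:5: Pool /Common/web_pool member /Common/10.1.71.21:80 monitor status up.
"""

# Matches both the "BLOCKED: ... is filtered." and "... is not filtered" forms;
# the category has no spaces because the iRule keeps only the first field.
EVENT_RE = re.compile(
    r"Category (?P<category>\S+) matching (?P<qname>\S+) is (?P<verdict>not filtered|filtered)"
)


def parse_filter_events(log_text: str) -> list:
    """Extract one event per iRule log line; unrelated ltm lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m is None:
            continue
        events.append({
            "category": m["category"],
            "qname": m["qname"].rstrip("."),
            "blocked": m["verdict"] == "filtered",
        })
    return events


def summarize(events: list) -> dict:
    """Count blocked queries per category and list the blocked names."""
    blocked = [e for e in events if e["blocked"]]
    return {
        "queries": len(events),
        "blocked": len(blocked),
        "by_category": dict(Counter(e["category"] for e in blocked)),
        "names": sorted({e["qname"] for e in blocked}),
    }
```

Run it against the real file with `summarize(parse_filter_events(open("/var/log/ltm").read()))` to see which categories are actually being hit after each change to the blocked list.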
Navigate to: DNS ›› Delivery : iRules : iRules List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Create a new iRule named as in the table below, then copy the content that follows and paste it as the iRule definition.
Setting | Value |
---|---|
Name | IPI_irule |
```tcl
when DNS_RESPONSE {
    # If the query type was A and the response is an answer
    if { ([DNS::question type] eq "A") and ([DNS::ptype] eq "ANSWER") } {
        set rrs [DNS::answer]
        foreach rr $rrs {
            if { [DNS::type $rr] eq "A" } {
                # Look up the answered IP address in the IP Intelligence database
                set ip [DNS::rdata $rr]
                set reputation [IP::reputation $ip]
                if { [llength $reputation] != 0 } {
                    # Bad IP reputation for destination detected
                    log local0. "$rr: \"$reputation\", count: [llength $reputation]"
                }
            }
        }
    }
}
```
TODO: get updated irule from Brian Van Lieu
TMSH
tmsh create ltm rule IPI_irule
Navigate to: DNS ›› Delivery : Listeners : Listener List
Open the listener DC01_udp_virtual
Navigate to the iRules section
Click Manage
Highlight the IPI_irule iRule and move it to the Selected column
TMSH commands for router01.branch01
TMSH
tmsh modify ltm virtual branch01_udp_53_virtual rules add { IPI_irule }
From the CLI on the router01.branch01 BIG-IP, run:
tail -f /var/log/ltm
TODO: put the results screenshots here
Agility 2017:
Bill Wester
Boris Gekhtman
Brendan Gladney
Brian Buback
Dave Doucette
Emilio Torres
Josh Anderson
Robin Mordasiewicz
Advisors:
Brian Van Lieu
Hitesh Patel
Joe Hermes
Jonathan Dehaan
Pat Chang
Pat Fiorino