BIG-IP DNS (Previously GTM): F5 Partner Technical Boot Camp


BIG-IP DNS

(previously GTM)
F5 Partner Technical Boot Camp
Written for TMOS v13.0
• Lesson 1: DNS Review and Deploying BIG-IP DNS
• Lesson 2: BIG-IP DNS Services
• Lesson 3: Global Server Load Balancing (GSLB)
Hosted DNS

• Hosting provider manages authoritative DNS name servers

Pros
• Easier administration
• Reduced bandwidth usage
• Improved reliability
• Protection against DDoS attacks
• Good for smaller organizations

Cons
• Reduced control
• Harder to customize / extend service
• More expensive
In-House DNS

• IT department manages DNS servers

Pros
• More control of DNS service
• More flexible
• Software cost often free

Cons
• Expensive internal resources
• Complex, requires special skills
• BIND needs patches for vulnerabilities
Split DNS

• Combines in-house and hosting provider for DNS
• In-house manages inside company firewall
• Hosting provider manages external name servers

Pros
• Seamless access to local and external resources
• Easier administration of client addresses to internal DNS servers
How Does DNS Work?

1. A user browses to www.domain.com.
2. The client asks the LDNS (local DNS server): is there a record for www.domain.com? The local cache is checked.
3. The LDNS asks a root DNS server, which answers: go ask .com DNS.
4. The LDNS asks the .com DNS server for www.domain.com, which returns an NS record for domain.com (go ask domain.com).
5. The LDNS asks the domain.com DNS server for www.domain.com, and if there is a match it returns an A record (66.163.171.129).
6. The LDNS returns the A record to the client, where it is cached locally.
7. The browser opens a connection to the address and performs an HTTP GET command.
8. The web server (66.163.171.129, in front of the app servers) returns the web page response.
Limitations of Standard DNS

What are the limitations of standard DNS?

• Does not provide “true” high availability
• DNS cannot determine if a site is up or even exists
• DNS will continue to resolve to a site, even if the site is down
• Only supports round robin load balancing
• No ability to “persist” if an application is stateful
• Changes require manual intervention and can result in high-impact errors
• Can only answer a limited number of DNS queries per second
• Vulnerable to DDoS attacks

Delegation Mode

1. The LDNS asks: is there a record for www.domain.com?
2. The root DNS server answers: go ask .com DNS.
3. The .com DNS server answers: go ask domain.com.
4. The domain.com DNS server returns a CNAME to www.subzone.domain.com.
5. The LDNS asks: is there a record for www.subzone.domain.com? The sub-zone is delegated to the BIG-IP DNS (deployed alongside an LTM) in the data center.
6. BIG-IP DNS answers with the A record 66.163.171.129.

[Diagram: two data centers, each with BIG-IP DNS and LTM in front of app servers; web servers 72.68.171.103 and 66.163.171.129. The web server at 72.68.171.103 is marked down (X), and BIG-IP DNS answers the query for www.subzone.domain.com with 66.163.171.129.]
Authoritative or Inline Mode

• Needed for both:
• DNS Express
• DNSSEC

[Diagram: the LDNS sends queries to the data center, where BIG-IP DNS (with LTM) sits in front of the servers and the existing domain.com DNS server; BIG-IP DNS serves zone.domain.com.]
Authoritative Screening (Inline)

In Authoritative Mode, BIG-IP DNS is inline to the existing DNS servers:

1. The BIG-IP DNS listener intercepts all DNS requests from the LDNS.
2. First, BIG-IP DNS checks Wide IPs, and if matched, resolves to the best answer.
3. Next, BIG-IP DNS checks the name against DNS Express zones (zone.domain.com).
4. Finally, BIG-IP DNS forwards to the existing DNS servers (the domain.com DNS server).
5. The resolved DNS request is returned to the LDNS.
• Lesson 1: DNS Review and Deploying BIG-IP DNS
• Lesson 2: BIG-IP DNS Services
• Lesson 3: Global Server Load Balancing (GSLB)
F5 DNS Services Vision

• History - Global Server Load Balancing (GSLB)
• Ensure application availability
• Improve application performance
• Other DNS Services
• DNSSEC – DNS Security Extensions
• DNS Express – DDoS protection and scalability
• DNS64 – IPv6 to IPv4 translation
• DNS caching and resolver
F5 DNS – GSLB to DNS Delivery

[Timeline figure, milestones by TMOS release as recoverable from the slide labels:]
• 10.X – Comprehensive GSLB: integrated LTM/GSLB, full IPv6 support, DNSSEC with real-time signing, geo-location support
• 11.0 – DNS delivery, high performance: DNS protocol validation, DNS Express, DNS proxy, IP Anycast support, per-packet iRules
• 11.1 / 11.2 – High performance caching and resolving: DNSSEC validation, DNS caching + resolver
• 11.3 – Visibility and reporting: high speed logging of query and response, advanced DDoS reporting and threshold alerting, DNS menu revamp, AXFR from DNS Express
• 11.4 / 11.5 – DNSSEC enhancements, ease of use and service provider deployment: off-box signing, zone forwarder
BIG-IP GTM is Now BIG-IP DNS

• BIG-IP GTM was renamed BIG-IP DNS in BIG-IP v12.0
DNS DDoS Attacks are Common

• DNS is now the second most targeted protocol after HTTP
• DNS DDoS techniques range from:
• Flooding requests to a given host
• Reflection attacks against DNS infrastructure
• Reflect / amplification attacks
• DNS cache poisoning attempts

[Bar chart: share of attacks by targeted protocol (HTTP, DNS, SIP, IRC), 0–100% scale; HTTP is the highest bar and DNS the second highest.]
DNS Express

• High-speed response and DDoS protection
• Authoritative DNS serving out of RAM
• Configuration size for tens of millions of records
• Scale 200x traditional DNS server (up to 40M RPS)

[Diagram: clients send DNS queries to BIG-IP and receive answers from DNS Express; the existing DNS servers are kept to manage DNS records (admin roles, OS auth, dynamic DNS, NIC/DHCP).]
DNS Express vs. DNS Caching

DNS Express
• Has the whole zone and is authoritative for that zone
• More like a high speed slave server, not a cache
• Does not query DNS server for unknown names in the zone

DNS Cache
• Asks the real authoritative server on each new query
• Stores the query answer for other requests for the same query
• Rarely has whole configuration, only the most requested items
• Good: saves internal users from constantly resolving
• Bad: easily beaten by DDoS attacks varying the DNS query on each request
Order of Precedence – Answers to DNS Query

The DNS Listener receives the query; an answer is sought in this order:

1. Wide IP (3DNS, v3) – Intelligent GSLB
2. DNS Express (v11.0) – Zone transfer (RAM)
3. DNS Cache (v11.2) – Cached in RAM
4. DNS Pool (v10.2) – Load balance servers
5. Cache Resolver (v11.2) – Go find answer
6. Local BIND (3DNS, v3) – BIND on BIG-IP
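The precedence order above, and the authoritative screening steps from Lesson 1 (Wide IPs first, then DNS Express zones, then forwarding to the existing servers), are easy to get wrong in one respect: a DNS Express zone is authoritative, so a name that falls inside the zone but is not in the transferred data is answered NXDOMAIN rather than forwarded. The following toy model is an added example, not F5 code; it implements only the Wide IP, DNS Express and forward stages (the cache, pool, resolver and local BIND stages are left out) and all names, zones and addresses in it are constructed.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"


@dataclass
class ScreeningListener:
    """Toy model of answer precedence on a BIG-IP DNS listener (added example, not F5 code)."""
    wide_ips: dict                      # FQDN -> address picked by GSLB
    dnsx_zones: dict                    # zone -> {owner name: address} held in RAM
    upstream: dict                      # what the existing DNS servers would answer
    trace: list = field(default_factory=list)

    def _dnsx_zone_for(self, name):
        """Longest-suffix match so app.zone.domain.com lands in zone.domain.com."""
        best = None
        for zone in self.dnsx_zones:
            if name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.wide_ips:                      # 1. Wide IP: intelligent GSLB
            self.trace.append((name, "wideip"))
            return "wideip", self.wide_ips[name]
        zone = self._dnsx_zone_for(name)
        if zone is not None:                           # 2. DNS Express zone in RAM
            self.trace.append((name, "dnsx"))
            # Authoritative for the whole zone: an unknown name is NXDOMAIN,
            # it is never passed on to the back-end server.
            return "dnsx", self.dnsx_zones[zone].get(name, NXDOMAIN)
        self.trace.append((name, "forward"))           # 3. forward to existing servers
        return "forward", self.upstream.get(name, NXDOMAIN)


def demo_listener():
    """Constructed sample data (hypothetical names and addresses) for illustration."""
    return ScreeningListener(
        wide_ips={"www.domain.com": "66.163.171.129"},
        dnsx_zones={"zone.domain.com": {
            "zone.domain.com": "203.0.113.10",
            "app.zone.domain.com": "203.0.113.20",
        }},
        # The back-end server knows missing.zone.domain.com, but DNS Express answers first.
        upstream={"mail.domain.com": "203.0.113.30",
                  "missing.zone.domain.com": "203.0.113.99"},
    )


if __name__ == "__main__":
    listener = demo_listener()
    for qname in ("www.domain.com", "app.zone.domain.com",
                  "missing.zone.domain.com", "mail.domain.com"):
        print(qname, listener.resolve(qname))
```

The `missing.zone.domain.com` case is the one worth checking in a real deployment: if a record is added on the back-end server without a fresh zone transfer to DNS Express, clients get NXDOMAIN even though the authoritative server has the record.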

DNS Configuration Objects

[Diagram: the same object list as in the precedence slide above: DNS Listener, Wide IP, DNS Express, DNS Cache, DNS Pool, Cache Resolver, Local BIND.]

DNS Profile Per Listener

[Diagram: the same object list, with the DNS profile attached to the DNS Listener.]

DNS vs. GTM Menus

• v11.5 – DNS / Zones
• v11.4 and prior – Local Traffic

Test DNS Listeners

• “dnsxdump” – dumps the contents of DNS Express zones
• Can’t test name resolution from the BIG-IP itself
• Use a remote system (PC)
• dig
• nslookup
• Use the DNS listener IP address as the server to query
DNS Exercise 1: Create a DNS Services Listener

• In this exercise you will:


• Provision DNS on bigipA
• Configure a listener
• Add DNS pool
• Configure DNS Express
• Add simple WIP
• Estimated completion time: 40 minutes
• Lesson 1: DNS Review and Deploying BIG-IP DNS
• Lesson 2: BIG-IP DNS Services
• Lesson 3: Global Server Load Balancing (GSLB)
Data Centers, iQuery, and Server Objects

Global Server Load Balancing

What’s GSLB?

• Is a wide-area load balancer (across data centers)
• Uses DNS as the traffic management mechanism
• Monitors site availability and performance
• Puts intelligence into the DNS resolution process
Objects in the BIG-IP DNS Architecture

• Data Center (DC) objects are physical groupings of devices:
• BIG-IP DNS
• BIG-IP LTMs
• Standalone servers and other load balancers
• Server objects are grouped in Data Centers

[Diagram: Primary DC, Secondary DC and Disaster Recover DC, each containing server objects.]

Objects in the DNS Architecture

• Wide IP (WIP) objects: Fully Qualified Domain Names (FQDNs), e.g. www.f5.com, associated with one or more pools
• Pool objects: groups of virtual servers on server objects to be load balanced
• Virtual server objects: IP address:port combinations, e.g. 73.37.1.1 or 68.28.1.1 or 205.33.1.1
• Server objects: applications to load balance / resolve to
• May represent multiple real servers (load balancers) or a single physical (standalone) server
• Server objects often host multiple virtual servers

[Diagram: a DNS pool containing the virtual servers 73.37.1.1:80, 68.28.1.1:80, 73.37.1.11:21 and 205.33.1.1:80, hosted on server objects across the Primary DC, Secondary DC and Disaster Recover DC.]

Configure a Server – General Properties

• Select the server type:
• BIG-IP System
• Generic Load Balancer
• Generic Host
• Select the server’s data center

Configure a Server – Devices

• The Address field is the NAT address: the public (outside) address clients connect to
• The Translation field is the real/local (inside) IP address of the server object

Configure a Server – Configuration

Configure a Server – Resources

• Enable or disable virtual server discovery
• Add virtual servers manually
F5 iQuery Protocol

• F5 proprietary protocol used for BIG-IP DNS communication
• Enables BIG-IP DNS:
• To receive configuration and status from other BIG-IP systems
• To synchronize configuration and metrics with other BIG-IP DNS systems
• iQuery communications use TCP port 4353
• If BIG-IP systems are behind firewalls, open TCP port 4353
• iQuery communications are encrypted
• iqdump is an iQuery protocol analyzer
Before Adding BIG-IP Server Objects

• Configure NTP on BIG-IP systems
• Exchange SSL certificates: bigip_add
• Ensure big3d is compatible on all BIG-IPs: big3d_install
DNS Exercise 2: Create Data Centers and Servers

• In this exercise you will:


• Configure bigipB.f5demo.com
• Create data center objects
• Run bigip_add and big3d_install scripts
• Create server objects
• Estimated completion time: 40 minutes
• Lesson 1: DNS Review and Deploying BIG-IP DNS
• Lesson 2: BIG-IP DNS Services
• Lesson 3: Global Server Load Balancing (GSLB)
Virtual Servers, DNS Pools, and Wide IPs
Review: Virtual Servers in BIG-IP DNS

• A virtual server is an IP address and port representing an application
• The IP address is used in the DNS resolution process
• The port is required for monitoring

[Diagram: VS 73.37.1.1:21 on a server in the Primary DC and VS 68.28.1.1:21 on a server in the Secondary DC.]
Add Virtual Servers to Server Objects

• Non-BIG-IP server configured manually
• For BIG-IP server objects, VS Auto Discover possible:
• Disabled by default
• Can’t be used if address translation needed

[Diagram: VS 73.37.1.1:21 on a server object in the Primary DC.]

Add Virtual Servers Manually

• IP address and port; include translations if needed
• Other virtual servers required to support the application
BIG-IP DNS Load Balancing

• A tiered load balancing model where:
• A Wide IP can load balance between multiple pools
• A pool can load balance between its pool members

[Diagram: Wide IP load balancing across two Pools; each Pool load balancing across two Virtual Servers.]
Example of Tiered Load Balancing

1. The DNS in DC1 receives a DNS request from an LDNS in London.
2. The DNS in DC1 matches the name requested to a Wide IP and uses Topology to resolve to europe_pool.
3. europe_pool uses Least Connections load balancing to resolve to the IP address of Virtual Server 4.

[Diagram: Wide IP (Topology) above us_pool (Least Connections) with Virtual server 1 in US Data Center 1 and Virtual server 2 in US Data Center 2, and europe_pool (Least Connections) with Virtual server 3 in Europe Data Center 1 and Virtual server 4 in Europe Data Center 2.]
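The two tiers in the example, Topology at the Wide IP and Least Connections in the pool, compose in a way worth seeing concretely, in particular what happens when the monitor marks the chosen pool's members down. The following is an added example, not F5 code and not the product's algorithm: virtual server names and the addresses 73.37.1.1, 68.28.1.1 and 205.33.1.1 come from the deck's diagrams, while 205.33.1.2, the connection counts and the LDNS source networks used for the Topology match are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VirtualServer:
    name: str
    address: str
    port: int
    up: bool = True          # health monitor result for address:port
    connections: int = 0     # current connections, as reported over iQuery


@dataclass
class Pool:
    name: str
    members: list

    def least_connections(self):
        """Pool tier: fewest connections among members the monitor reports up."""
        available = [m for m in self.members if m.up]
        return min(available, key=lambda m: m.connections) if available else None


@dataclass
class WideIP:
    fqdn: str
    pools: dict             # region label -> Pool
    topology: list          # (LDNS source network, region label); longest prefix wins

    def select_pool(self, ldns_ip):
        """Wide IP tier: Topology match on the LDNS address."""
        ip = ipaddress.ip_address(ldns_ip)
        matches = [(ipaddress.ip_network(net), region) for net, region in self.topology
                   if ip in ipaddress.ip_network(net)]
        if not matches:
            return None
        _net, region = max(matches, key=lambda m: m[0].prefixlen)
        return self.pools[region]

    def resolve(self, ldns_ip):
        """Return the A record to hand the LDNS, or None if no member anywhere is up."""
        preferred = self.select_pool(ldns_ip)
        ordered = ([preferred] if preferred else []) + \
                  [p for p in self.pools.values() if p is not preferred]
        for pool in ordered:             # fall through to other pools if the chosen one is all down
            vs = pool.least_connections()
            if vs is not None:
                return vs.address
        return None


def demo_wideip():
    """Constructed sample topology; returns the Wide IP and the Europe members for toggling."""
    vs1 = VirtualServer("Virtual server 1", "73.37.1.1", 80, connections=12)   # US Data Center 1
    vs2 = VirtualServer("Virtual server 2", "68.28.1.1", 80, connections=4)    # US Data Center 2
    vs3 = VirtualServer("Virtual server 3", "205.33.1.1", 80, connections=15)  # Europe Data Center 1
    vs4 = VirtualServer("Virtual server 4", "205.33.1.2", 80, connections=3)   # Europe Data Center 2
    wip = WideIP(
        fqdn="www.f5.com",
        pools={"us": Pool("us_pool", [vs1, vs2]), "europe": Pool("europe_pool", [vs3, vs4])},
        topology=[("198.51.100.0/24", "us"), ("192.0.2.0/24", "europe")],  # assumed LDNS ranges
    )
    return wip, {"vs3": vs3, "vs4": vs4}


if __name__ == "__main__":
    wip, europe = demo_wideip()
    print("London LDNS ->", wip.resolve("192.0.2.53"))      # Virtual server 4, fewest connections
    europe["vs4"].up = False
    print("VS4 down     ->", wip.resolve("192.0.2.53"))      # Virtual server 3
    europe["vs3"].up = False
    print("Europe down  ->", wip.resolve("192.0.2.53"))      # falls through to us_pool
```

The fall-through in `resolve` is the behaviour standard DNS cannot offer (it keeps handing out a dead site); here the monitor state decides, and a Topology preference never produces an answer that points at a down member.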
Configure BIG-IP DNS Pools

• Add virtual servers (pool members) to the pool
• Callout: Three methods?
Configure a Wide IP

• Name of Wide IP must match FQDN
• Add the pools associated with this Wide IP
DNS Exercise 3: Create Virtual Servers, DNS Pools,
and Wide IPs

• In this exercise you will:


• Discover virtual servers
• Create BIG-IP DNS pools
• Create a Wide IP and test
• Change health monitors
• Estimated completion time: 40 minutes
