
F5 BIG-IP DNS (or GTM)


Rakesh A

Network Security Engineer

https://www.linkedin.com/in/rakesh-sa-b2b664167

RAKESH https://www.linkedin.com/in/rakesh-sa-b2b664167

F5 BIG-IP DNS (Formerly Global Traffic Manager)


What is DNS?

DNS is a hierarchical, distributed naming system for computers, services, and other resources
connected to the Internet. It associates various information with the domain names assigned to
each participating entity.

How DNS Works

The user types the address of a site (www.f5.com, for example) into the web browser. The
browser has no idea where www.f5.com is, so it sends a request to the Local DNS Server (LDNS)
asking whether it has a record for www.f5.com. If the LDNS does not have a record for that site, it
begins a recursive search through the DNS hierarchy to find out who is authoritative for www.f5.com.

First, the LDNS contacts one of the root DNS servers, which refers the LDNS to the .com DNS
servers. The LDNS then asks a .com server for www.f5.com. The .com server does not hold that
record itself, but it knows which name servers are authoritative for f5.com and returns the Name
Server (NS) records for f5.com.

Next, the LDNS queries one of the f5.com name servers listed in those NS records. The f5.com DNS
server looks up the name www.f5.com and, if it finds it, returns an Address (A) record to the LDNS.
The A record contains the name, the IP address, and a Time to Live (TTL). The TTL (measured in
seconds) tells the LDNS how long it may keep the A record before it must ask the f5.com DNS server
again.


When the LDNS receives the A record, it caches the IP address for the time specified in the TTL. Now
that the LDNS has the A record for www.f5.com, it can answer future requests from its own cache
rather than repeating the entire recursive search. The LDNS returns the IP address of www.f5.com
to the host computer, and the local resolver and browser cache the IP address on the computer for
the time specified in the TTL. If the host can hold on to the answer locally, it does not need to keep
asking the LDNS.

The browser then uses the IP address to open a connection to www.f5.com:80 and sends
a GET /... and the web server returns the web page response.


F5 BIG-IP DNS (Formerly Global Traffic Manager): Definition

BIG-IP DNS is a load balancer for DNS queries (caching, traffic management) that decides how to
distribute client traffic across data centres.

How BIG-IP DNS Works

BIG-IP DNS has grown over the years to incorporate many new features, but we'll stick to discussing
the core global server load balancing (GSLB) functionality. Let's first take a look at a traditional DNS
query (assuming nothing for example.com is cached anywhere):

1. Client queries www.example.com at its local DNS server (LDNS)
2. LDNS queries the root servers
3. Root servers refer the LDNS to the .com TLD servers
4. TLD servers provide the name server addresses for example.com to the LDNS (glue records, if
present)
5. example.com name servers look up the www entry and answer the LDNS
6. LDNS returns the IP for www.example.com to the client
7. Client is now browsing.


BIG-IP DNS enters the picture at step 5, replacing the plain zone lookup with a few extra steps:

5. The BIG-IP DNS listener receives the query for www.example.com

6. The wide IP associated with www.example.com makes a load balancing decision about which pool
should handle the request

7. The chosen pool makes a secondary load balancing decision about which virtual server should
handle the request

8. The IP address of that virtual server is returned to the originating LDNS

9. The client is better off because it was directed to a regionally located server with faster response
times.

In this scenario, BIG-IP DNS provided a faster application experience for the user by determining
the region the user resided in and returning the fastest-performing server's IP address for the FQDN
requested.

Differences between BIG-IP DNS and a Normal DNS Server

i) Checks availability before giving the response

--> BIG-IP DNS can check the availability of a server before returning its IP address in the DNS
response, whereas a normal DNS server does not have this capability.

--> A normal DNS server returns the server's IP address in the DNS response even if the server is
unavailable or down.


ii) Supports static and dynamic load balancing methods

--> A normal DNS server has no way to check the load on the servers before giving a DNS response;
at most it supports simple round-robin rotation of the records in a zone.

--> BIG-IP DNS supports static as well as dynamic load balancing methods.

--> BIG-IP DNS can be configured to return a server's IP address only after checking the load on that
server, by using a dynamic load balancing method.

iii) No need to restart services to change records in BIG-IP DNS

--> A normal DNS server typically requires a reload or restart of the service after modifications to a
DNS zone.

--> Most of those changes are made by editing zone files from the CLI, which is error-prone.

--> Changes on BIG-IP DNS are made through the GUI, and no service needs to be restarted for
changes or modifications to the DNS zone to take effect.

iv) Supports stateful applications (persistence)

--> A normal DNS server does not support stateful applications, because there is no concept of
persistence in a normal DNS server.

--> BIG-IP DNS supports stateful as well as distributed applications thanks to its support for
persistence.

--> BIG-IP DNS can return the IP address of the server nearest to the client's location, which is not
possible with a normal DNS server.

v) Protects against DDoS attacks

--> A normal DNS server can handle only a limited number of queries per second and is vulnerable
to DDoS attacks.

--> BIG-IP DNS can handle up to millions of queries per second, depending on the hardware it runs
on.

--> BIG-IP DNS can accelerate and secure DNS resolution by using features such as DNS Express,
DNS Caching, and DNSSEC.

vi) Scalable

--> A normal DNS server needs a separate load balancer in order to add more DNS servers, whereas
BIG-IP DNS has an inbuilt load balancer.

--> A normal DNS server requires a separate firewall, which reduces DNS performance, whereas
BIG-IP DNS has an inbuilt firewall.


--> BIG-IP DNS drops DNS queries that fail protocol validation.
--> BIG-IP DNS is more scalable than normal DNS servers.

============= =====================

F5 BIG-IP DNS (Or GTM)

F5 BIG-IP DNS adds intelligence to the DNS resolution process by directing traffic to the best
available resource based on user-defined criteria and run-time gathered metrics. The result? A
better, faster, more reliable and scalable quality of experience for end users.

The Role of BIG-IP DNS in Name Resolution

• An Internet service provider or other large company might implement BIG-IP DNS to
accelerate its DNS resolution process and to implement the protection provided by its
DNSSEC features.
• For example, you can configure BIG-IP DNS to load balance queries to an existing pool of
recursive name servers, and then cache the responses within the BIG-IP system. You can
configure BIG-IP DNS to perform the recursion process itself, securely resolving queries and
caching the validated results internally. You can even configure BIG-IP DNS to behave as a
high-performance secondary authoritative DNS name server. And finally, if your organization
manages authoritative name servers, you can use BIG-IP DNS in that role to intelligently
resolve queries based on criteria that you define.

BIG-IP DNS Intelligent DNS Resolution:

The intelligent DNS resolution feature is designed to deliver a query response that will ultimately
direct traffic to the best available resource based on user-defined policies and run-time gathered
metrics.

Intelligent DNS Building Blocks:

Listeners


--> A listener configured on BIG-IP DNS can perform the following tasks:

1) Intelligent DNS resolution (by configuring a wide IP)

2) Accelerated DNS resolution (by using DNS Express, or by assigning a pool of DNS servers to the
listener)

--> Listeners are stored in the /config/bigip.conf file.

--> A listener address can be chosen in three ways:

1) Standalone BIG-IP system: a self IP address of the DNS system (you have only one BIG-IP DNS in
the network)

2) Redundant BIG-IP systems: a floating self IP address of the DNS system in the case of
Active/Standby, and a (non-floating) self IP address of each system in the case of Active/Active
BIG-IP DNS.

3) Anycast listener: with the help of the routing module on BIG-IP DNS, the same listener IP
address can be advertised from multiple BIG-IP DNS systems.

Create a DNS Listener:

--> To configure a listener on BIG-IP DNS, navigate to DNS > Delivery > Listeners > Listeners List >
New.

After creating a listener, BIG-IP is ready to accept DNS queries, but it is not yet configured to
answer for any names or even to support recursion. So let's begin configuring the system for one
type of query response: intelligent DNS resolution.

BIG-IP DNS Intelligent Resolution Perspective

Intelligent DNS, also known as global server load balancing (GSLB), is just one of the many ways
you can configure BIG-IP DNS to resolve queries.

In order to determine the best available response, BIG-IP DNS needs to know quite a bit about the
physical and logical aspects of your application delivery network. Why? So that it can monitor these
components, collecting the performance, availability, geolocation, and other metrics that it will then
use to determine what the best response is.

Physical Objects: Data Centers, Servers, and Virtual Servers

Consider the servers that host the FQDN www.dnstraining.com. These physical components are
described to BIG-IP DNS using three configuration objects: data centers, servers, and virtual servers.

A data center is a container object that represents the location of application delivery components,
including servers and virtual servers.

A server is also a container object, and represents a system on which application delivery
components are hosted. It is also used to define BIG-IP DNS systems to one another. A server
references the data center in which it is located. In the BIG-IP world there are really two types of
servers: BIG-IP systems, and everything else.

The virtual servers that BIG-IP DNS references represent the IP address and port of a service that is
hosted on a server located in a data center. For convenience, BIG-IP DNS calls the IP addresses and
ports of services on non-F5 devices virtual servers, also. During intelligent resolution, BIG-IP DNS
selects the IP address of the virtual server that represents the optimal answer, and provides it in its
query response.


Create the Physical Objects:

Configure Data Centers

Configure Servers

Configure Virtual Servers

bigip_add Utility

After adding the BIG-IP LTM server, you need to establish iQuery communication between the
BIG-IP DNS and LTM systems. You do this using the bigip_add utility, an interactive script that
exchanges SSL certificates with a remote BIG-IP system and then begins communicating with that
system over iQuery, to delegate monitoring tasks and to receive information about the status of the
virtual servers hosted on that system.

To run the bigip_add script, log in to the command line of the BIG-IP DNS system and enter the
command bigip_add, followed by the IP address of the BIG-IP LTM system you wish to start
communicating with.

Logical Objects: Pools and Wide IPs

Once the physical objects have been configured, and communication established between the BIG-IP
DNS systems and any other BIG-IP servers, the next step is to logically organize the virtual servers you
defined into various pools for the purposes of intelligent DNS resolution.

Pool

On BIG-IP DNS, related virtual servers can be grouped together into a container object called a global
server load balancing pool. Pool configuration is unique to each implementation, and many different
options exist; this flexibility is one of the strengths of the BIG-IP DNS product.

Wide IP

One or more pools are then logically grouped into a larger container object called a wide IP. A wide
IP maps an FQDN, such as www.google.com, to the set of virtual servers that host the domain's
service, for the purpose of selecting the best available response.

Beginning in BIG-IP DNS version 12, wide IPs and wide IP pools carry an additional designation that
indicates the type of query they can resolve. BIG-IP DNS supports wide IPs for the following record
types: A, AAAA, CNAME, MX, NAPTR, and SRV.

When BIG-IP DNS receives a query whose name and type match those of a wide IP, it first selects
the pool it will use to satisfy the request, then selects the virtual server in that pool whose IP address
will actually be provided in the response, and finally sends the response. Which pool and which
virtual server are selected depends on the load balancing method specified at each level and on the
availability of resources at run time.

Logical objects

Configure pool

Configure wide IP


Test DNS query for www.google.com

dig DNS Resolution Tool

The dig DNS resolution utility is a handy tool for testing our new wide IP configuration. It is part of
the BIND utilities and is available for most operating systems.

BIG-IP DNS Global Server Load Balancing

BIG-IP DNS supports many different load balancing methods to cover many different DNS
resolution scenarios. There are two types of load balancing method:

Static and Dynamic

In a static load balancing method the distribution pattern is predefined, and it varies little at run
time except in response to changes in resource availability.

In a dynamic load balancing method the distribution pattern is also defined in advance, but it is
adjusted at run time based on the BIG-IP DNS system's observations of the run-time environment.


Each deployment of the BIG-IP DNS system is unique, and the selection of load balancing method
depends on a number of different factors, not the least of which is the location, availability, and
behavior of the applications you want to direct traffic to.

BIG-IP DNS Load Balancing methods

Dynamic LB Methods

Hops:

• Uses traceroute to track the number of L3 devices/Routers in between the Data Center and
Local DNS Server.
• The HOP count value will be calculated for each and every data center configured under BIG
IP DNS.

Round Trip Time

• Uses big3d agent to collect the information for the Round Trip Time.
• The Round trip time value will be calculated for each and every data center configured
under BIG IP DNS.

Least Connections

• Uses big3d agent ( For BIG IP Systems) and SNMP agent ( For Non-BIG IP Systems) to collect
the information for the Least Connection Load Balancing
• The Least Connections Value will be calculated for each and every data center configured
under BIG IP DNS.

Completion Rate

• Uses big3d agent to collect the information for the Completion Rate
• The Completion Rate value ( Dropped or Timeout Packets) will be calculated for each and
every data center configured under BIG IP DNS.


Kilobytes/Second

• Uses the big3d agent (for BIG-IP systems) or an SNMP agent (for non-BIG-IP systems) to collect
the throughput information for the Kilobytes/Second load balancing method.
• The Kilobytes/Second value is calculated for each data center configured under BIG-IP DNS.

Packet Rate

• Uses the big3d agent (for BIG-IP systems) or an SNMP agent (for non-BIG-IP systems) to collect
the packet rate information for the Packet Rate load balancing method.
• The Packet Rate value is calculated for each data center configured under BIG-IP DNS.

Virtual Server Score

• Each virtual server in the pool is assigned a manual score on BIG-IP DNS.
• The virtual server with the highest score is selected for the DNS response to the local DNS
server.

Virtual Server Capacity

• Each virtual server is automatically assigned a value based on the number of virtual servers
available in the pool.
• Selects the virtual server from the pool with the most available virtual servers that have not yet
been returned in a DNS response.

Static LB Methods:-

1) Round Robin Load Balancing Method

• Recommended when all the virtual servers should serve traffic equally.
• Distributes DNS query responses equally across all the virtual servers configured in the pool.
• Virtual servers that are unavailable/down are skipped.

2) Ratio Load Balancing Method

• It is recommended to use the ratio load balancing method when you want some of the
virtual servers to receive the traffic more than other virtual servers within the pool.
• By default, The ratio value 1 is assigned to all the virtual servers configured within the
Pool.
• You need to configure higher ratio value on the virtual server to receive more traffic than
others.

Topology Load Balancing

• Topology load balancing selects the virtual server IP address for the DNS response based on the
location/proximity of the local DNS server making the query.
• Requires topology records to be created on the BIG-IP DNS.

Static Persist

• Recommended when traffic from a particular local DNS server should always resolve to the
same virtual server.
• BIG-IP DNS picks the virtual server deterministically from the LDNS source address (using the
persist mask), so the same LDNS keeps receiving the same virtual server for as long as that virtual
server remains available.

Fallback IP

• The fallback IP address is returned in the DNS response to the local DNS server when no
available virtual server can be selected.
• The fallback IP address is generally the IP address of the DR virtual server.

Drop Packet

• Recommended when you do not want to return any virtual server IP address in the DNS
response.
• BIG-IP DNS receives the DNS query from the local DNS server and simply drops it; the LDNS
gets no answer.

Global Availability

• Recommended when you want traffic to go to a single preferred virtual server, with the others
acting as backups.
• Uses the order in which the virtual servers are configured in the pool: the first available one is
always returned, and the next in order is used only when the preferred one becomes unavailable.

Return to DNS

• Return to DNS makes BIG-IP DNS stop treating the query as a wide IP query and hand it on to
the rest of the resolution chain (DNS Express, DNS cache, local BIND, or the listener's pool,
depending on what is enabled in the DNS profile).

None

• None makes BIG-IP DNS perform no load balancing at all for this pool.
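As an added example (not F5 code or configuration), the Python below models how a wide IP and its pool apply the static methods listed above: Round Robin, Ratio, Global Availability, Static Persist, Topology, Drop Packet, and Fallback IP when no member is available. The virtual server names, addresses, ratios and topology records are constructed, and the SHA-256 hash used for Static Persist is a stand-in for BIG-IP's own persist-mask algorithm:

```python
"""Added example, not F5 code: a simplified model of how a BIG-IP DNS wide IP
chooses the address it returns, using the static load balancing methods
described above. Every name, address, ratio and topology record here is
constructed for illustration; BIG-IP's real selection also uses monitor
state from big3d/iQuery, topology record scores and the persist mask."""
import hashlib
import ipaddress
from typing import Dict, List, Optional


class VirtualServer:
    def __init__(self, name: str, ip: str, available: bool = True, ratio: int = 1):
        self.name, self.ip, self.available, self.ratio = name, ip, available, ratio


class Pool:
    def __init__(self, members: List[VirtualServer], method: str,
                 fallback_ip: Optional[str] = None,
                 topology: Optional[Dict[str, str]] = None):
        self.members = members            # configured order matters for Global Availability
        self.method = method
        self.fallback_ip = fallback_ip
        self.topology = topology or {}    # LDNS source prefix -> preferred member name
        self._counter = 0                 # rotation state for Round Robin / Ratio

    def _up(self) -> List[VirtualServer]:
        # A virtual server marked down is never handed out, whatever the method.
        return [m for m in self.members if m.available]

    def select(self, ldns_ip: str) -> Optional[str]:
        """Return the address to put in the answer, or None to drop the query."""
        if self.method == "drop-packet":
            return None
        up = self._up()
        if not up:
            # Nothing healthy: answer with the fallback IP (typically the DR site) if configured.
            return self.fallback_ip
        if self.method == "round-robin":
            pick = up[self._counter % len(up)]
            self._counter += 1
        elif self.method == "ratio":
            # Weighted round robin: a member with ratio 3 appears three times per cycle.
            cycle = [m for m in up for _ in range(m.ratio)]
            pick = cycle[self._counter % len(cycle)]
            self._counter += 1
        elif self.method == "global-availability":
            pick = up[0]                  # first available member in configured order
        elif self.method == "static-persist":
            # Deterministic choice from the LDNS address: the same LDNS keeps getting
            # the same member for as long as the set of healthy members is stable.
            digest = hashlib.sha256(ldns_ip.encode("ascii")).digest()
            pick = up[int.from_bytes(digest[:4], "big") % len(up)]
        elif self.method == "topology":
            pick = self._topology_pick(ldns_ip, up)
        else:
            raise ValueError(f"unknown load balancing method: {self.method}")
        return pick.ip

    def _topology_pick(self, ldns_ip: str, up: List[VirtualServer]) -> VirtualServer:
        # Longest-prefix match of the LDNS address against the topology records;
        # fall back to the first healthy member if nothing matches or the
        # preferred member is down.
        addr = ipaddress.ip_address(ldns_ip)
        best_net, best_name = None, None
        for prefix, member_name in self.topology.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_name = net, member_name
        for m in up:
            if m.name == best_name:
                return m
        return up[0]


class WideIP:
    """Maps an (FQDN, record type) pair to a pool, like a wide IP of type A."""
    def __init__(self, fqdn: str, qtype: str, pool: Pool):
        self.fqdn, self.qtype, self.pool = fqdn.lower().rstrip("."), qtype.upper(), pool

    def matches(self, qname: str, qtype: str) -> bool:
        # Only queries whose name AND type match are handled by the wide IP;
        # anything else falls through to DNS Express, the cache or BIND.
        return (qname.lower().rstrip("."), qtype.upper()) == (self.fqdn, self.qtype)

    def answer(self, qname: str, qtype: str, ldns_ip: str) -> Optional[str]:
        if not self.matches(qname, qtype):
            raise LookupError("not a wide IP query; continue down the resolution chain")
        return self.pool.select(ldns_ip)


if __name__ == "__main__":
    # Constructed data centres; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    dc1 = VirtualServer("dc1_www", "203.0.113.10")
    dc2 = VirtualServer("dc2_www", "198.51.100.10")
    wip = WideIP("www.dnstraining.com", "A",
                 Pool([dc1, dc2], "topology", fallback_ip="192.0.2.250",
                      topology={"10.0.0.0/8": "dc2_www", "10.1.0.0/16": "dc1_www"}))
    for ldns in ("10.1.2.3", "10.2.2.3", "172.16.0.1"):
        print(ldns, "->", wip.answer("WWW.dnstraining.com.", "A", ldns))
```

Running the block prints which data centre each constructed LDNS address is steered to. The two points to notice are that every method first discards virtual servers marked down, and that the wide IP only claims queries whose name and type both match, leaving everything else to the rest of the resolution chain.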

Topology load balancing

Topology load balancing allows you to respond to a query based on geolocation information.

For example, you can configure BIG-IP DNS to provide a response based on the physical proximity of
the resource (such as a particular data center, server, or virtual server) to the LDNS making the
request. You can also configure BIG-IP DNS to provide a response that will ultimately direct the client
to region-specific content, such as news and weather, based on geolocation.


Topology load balancing can be assigned either to a wide IP or to a pool, although it is more common
to assign it to a pool. In either case, BIG-IP DNS relies on two other configuration objects that you
define, topology records and, optionally, topology regions, as well as a special F5-provided IP
geolocation database, to help make the correct decision.

Topology records

Topology records are the key to providing a DNS response based on geolocation. Defined at the
system level, they apply to any wide IP or pool that is configured with topology load balancing.
Within each record are several settings that you define.

Sync Groups

Synchronization group is a collection of multiple BIG-IP DNS systems that synchronize BIG-IP DNS
configuration settings and metrics information to resolve DNS queries.


Setting up configuration synchronization

By default, configuration synchronization is disabled. After you enable it and later add other BIG-IP
DNS systems to the group, the systems in the group periodically query each other to obtain and
distribute configuration data and metrics. Right after enabling it there is, of course, only one BIG-IP
DNS system in the group. You add other BIG-IP DNS systems to the sync group using the gtm_add
utility.

gtm_add Utility

With synchronization enabled and the sync group named, we can log on to our A_DNS system and
add it to the sync group that B_DNS is in by running the gtm_add utility and pointing it at the
address of B_DNS.

Secure DNS Query Responses with DNSSEC

Implementing DNSSEC:

Here is how the BIG-IP DNS system uses Domain Name System Security Extensions (DNSSEC), which
use public key cryptography to digitally sign DNS response data so that resolvers can verify that it is
authentic and unmodified.

• Digitally signs DNS responses
• DNS data origin authentication
• Authenticated denial of existence
• Data integrity
• Building the chain of trust

DNS Query Resolution with DNSSEC

• At a very high level, when an end user wants to access a service by its domain name, a stub
resolver on the user's computer requests the service's IP address from a recursive name
server. The stub resolver indicates that it is DNSSEC-aware by setting the DNSSEC OK (DO) bit
in the request.
• Starting with the root name servers, the recursive name server uses the normal DNS
resolution mechanisms to work its way down through the DNS hierarchy to the authoritative
name server for the domain.
• The authoritative name server replies with the requested address record, its RRSIG signature,
and (on request) the DNSKEY records for the zone. The recursive name server then validates
the chain of trust: it checks the RRSIG against the zone's DNSKEY, checks that DNSKEY against
the DS record published in the parent zone, and repeats this up the hierarchy until it reaches a
trust anchor it already holds (normally the root zone's key).


DNSSEC Record Types

A DNSSEC response contains not only the record the resolver asked for, but also a Resource Record
Signature (RRSIG) record, which is the digital signature over that record set.

In order to verify the RRSIG record, the resolver must have a copy of the zone's public key. It obtains
this from the DNSKEY record, which is analogous to a web server's digital certificate. Each key on the
server, whether key signing or zone signing, has a corresponding DNSKEY record.

1. RRSIG (Resource Record Signature)

- Digital signature in the DNS response

2. DNSKEY

- The zone's public key(s)

3. DS (Delegation Signer)

- Published in the parent zone; a hash of the child's key-signing DNSKEY, used to validate that key
and so build the chain of trust

4. NSEC/NSEC3 (Next Secure)

- Authenticated denial of existence for a name or record type


Configuring DNSSEC on BIG-IP DNS

DNSSEC uses two different kinds of key pairs.

1. Zone Signing Key (ZSK)

2. Key Signing Key (KSK)

Zone Signing Key (ZSK): used to sign the zone's record sets, producing the RRSIG records (including
those over the NSEC records). A DNSKEY record contains the public half of the zone signing key.
Zone signing keys are typically configured to roll over frequently (often a matter of days or weeks).

Key Signing Key (KSK): significantly more sensitive and longer-lived than the zone signing key, and
used to sign the zone's DNSKEY record set. A hash of the KSK's public key is what the parent zone
publishes in its DS record for the delegation, so rolling the KSK also requires updating the DS record
in the parent.
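The following Python, added here and not part of the original article or the BIG-IP product, works through the record relationships above and the ZSK/KSK flags: it builds DNSKEY RDATA, computes the RFC 4034 key tag, derives the DS record a parent would publish, and checks a DNSKEY against a DS the way a validating resolver does at a delegation. The zone name and key bytes are constructed, and only SHA-256 DS digests are handled:

```python
"""Added example, not F5 code: the arithmetic a validating resolver uses to tie
a child zone's DNSKEY to the DS record its parent publishes, following RFC 4034
(key tag: Appendix B; DS digest: section 5.1.4). The public key bytes and the
zone name below are constructed; they are not a real key."""
import hashlib
import hmac
import struct

ALG_RSASHA256 = 8          # DNSKEY/DS algorithm number
DIGEST_SHA256 = 2          # DS digest type
FLAG_ZONE_KEY = 0x0100     # bit 7: this DNSKEY is a zone key
FLAG_SEP = 0x0001          # bit 15: Secure Entry Point, set on Key Signing Keys


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # DNSKEY RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | public key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def is_ksk(dnskey: bytes) -> bool:
    """Operational hint only: the SEP flag marks the key the operator intends
    as KSK. RFC 4035 tells validators not to rely on it, so ds_matches() does not."""
    flags = struct.unpack("!H", dnskey[:2])[0]
    return bool(flags & FLAG_SEP)


def key_tag(dnskey: bytes) -> int:
    """RFC 4034 Appendix B key tag for every algorithm except RSA/MD5."""
    ac = 0
    for i, byte in enumerate(dnskey):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, dnskey: bytes) -> bytes:
    """DS RDATA = key tag(2) | algorithm(1) | digest type(1) | SHA-256(owner | DNSKEY RDATA)."""
    algorithm = dnskey[3]
    digest = hashlib.sha256(canonical_name(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), algorithm, DIGEST_SHA256) + digest


def ds_matches(parent_ds: bytes, owner: str, child_dnskey: bytes) -> bool:
    """What a validator does at a delegation point: recompute the DS from the
    child's DNSKEY and compare it with what the parent published. A mismatch
    means the chain of trust is broken at this zone cut."""
    return hmac.compare_digest(parent_ds, ds_rdata(owner, child_dnskey))


if __name__ == "__main__":
    zone = "dnstraining.com"
    # Constructed key material, not real RSA keys.
    ksk = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_RSASHA256, b"\x03\x01\x00\x01" + b"\xab" * 64)
    zsk = dnskey_rdata(FLAG_ZONE_KEY, ALG_RSASHA256, b"\x03\x01\x00\x01" + b"\xcd" * 64)
    ds = ds_rdata(zone, ksk)
    print("KSK tag", key_tag(ksk), "is KSK:", is_ksk(ksk))
    print("ZSK tag", key_tag(zsk), "is KSK:", is_ksk(zsk))
    print("DS matches KSK:", ds_matches(ds, zone, ksk), "| DS matches ZSK:", ds_matches(ds, zone, zsk))
```

The DS is bound to the owner name as well as the key, which is why a DS copied from one delegation cannot vouch for the same key under another name, and why the key tag alone (it is only a 16-bit hint for picking the right DNSKEY) is never sufficient.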

Implementing DNSSEC

Create Key Signing Key

Create Zone Signing Key

Create DNSSEC Zone

Use dig command to test

Accelerating DNS Resolution with DNS Express

DNS Express is an engine that enables the BIG-IP system to act as a high-speed authoritative DNS
server. With DNS Express configured, the BIG-IP system can answer DNS queries for a DNS zone and
respond to zone transfer requests from specified DNS name servers.


Additionally, zone transfer communication can be secured with TSIG keys. DNS Express also helps to
mitigate distributed denial-of-service attacks.

You can configure the BIG-IP system to use the DNS Express engine to answer queries for a DNS zone.
This involves a zone transfer from the authoritative DNS server into DNS Express. At that point, DNS
Express can answer DNS queries for the zone.

Implementing DNS Express

To implement DNS Express you must have a listener with a DNS profile that has DNS Express enabled.

Next, configure one or more name servers. Specify one or more DNS Express zones and optionally
associate each zone with one or more name servers. It is important that the name of the DNS Express
zone exactly matches the name of the zone on the primary DNS server.

Optionally, create a TSIG key based on a secret shared only with your primary DNS servers, and
associate it with the DNS Express zone. TSIG authenticates each zone transfer message with an
HMAC computed from that shared secret.

Configure the primary DNS server to allow zone transfers to the BIG-IP DNS system. Optionally, add a
BIG-IP listener address to the primary's notify list so that DNS Express is told about zone changes
promptly.
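As an added example (not F5 code), here is the TSIG computation that protects such a zone transfer, following RFC 8945: the MAC covers the DNS message plus the TSIG variables (key name, class, TTL, algorithm, time signed, fudge, error, other data), and a response's MAC additionally covers the MAC of the request it answers. The key name, the shared secret and the AXFR request bytes are constructed:

```python
"""Added example, not F5 code: computing and verifying the TSIG MAC (RFC 8945)
that authenticates a zone transfer request between a primary name server and a
secondary such as DNS Express. The key name, the shared secret and the AXFR
request below are constructed for illustration."""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."
CLASS_ANY = 255
CLASS_IN = 1
TYPE_AXFR = 252


def wire_name(name: str) -> bytes:
    """Domain name in lowercase wire format, as TSIG requires for the digest."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def axfr_request(zone: str, msg_id: int) -> bytes:
    """Minimal AXFR query: 12-byte header plus one question, no TSIG RR yet."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name)
            + struct.pack("!HI", CLASS_ANY, 0)          # class ANY, TTL 0
            + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")            # 48-bit seconds since the epoch
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret: bytes, key_name: str, message: bytes, time_signed: int,
             fudge: int = 300, request_mac: bytes = b"") -> bytes:
    """HMAC over [request MAC (responses only)] | DNS message | TSIG variables.
    `message` is the message as it stands before the TSIG RR is appended."""
    data = b""
    if request_mac:
        # A response also covers the MAC of the request it answers, so a captured
        # response cannot be replayed against a different request.
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_tsig(secret: bytes, key_name: str, message: bytes, time_signed: int,
                fudge: int, mac: bytes, now: int, request_mac: bytes = b"") -> bool:
    """Receiver-side check: constant-time MAC comparison first, then the time
    window (RFC 8945 has the MAC checked before the time so that a sender
    without the key learns nothing from a BADTIME error)."""
    expected = tsig_mac(secret, key_name, message, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):
        return False
    return abs(now - time_signed) <= fudge


if __name__ == "__main__":
    secret = bytes.fromhex("00" * 8 + "ff" * 8 + "5a" * 16)   # constructed, not a real key
    key_name = "dnsexpress-key."
    request = axfr_request("dnstraining.com", 0x1234)
    signed_at = 1_700_000_000
    mac = tsig_mac(secret, key_name, request, signed_at)
    print("MAC:", mac.hex())
    print("accepted 2 min later:", verify_tsig(secret, key_name, request, signed_at, 300, mac, now=signed_at + 120))
    print("accepted 15 min later:", verify_tsig(secret, key_name, request, signed_at, 300, mac, now=signed_at + 900))
```

The fudge value (300 seconds here) is the only tolerance for clock skew between the primary and DNS Express, so a transfer that fails with BADTIME after the key checks out is a clock problem, not a key problem.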


Steps to implement DNS Express

Create a nameserver that points to the primary nameserver

Create a DNS zone using nameserver created previously

View zone transfer

Use the dig command to test

Accelerating DNS Resolution using DNS Cache:

The BIG-IP DNS system can be configured as a local DNS server, performing recursive lookups,
caching responses, and even validating the DNSSEC signatures on DNS responses. These features are
enabled through the system's DNS cache. As a result, local DNS resolution can benefit from the
speed and security of the BIG-IP DNS architecture.

The BIG-IP DNS system supports three types of DNS caches:

1.Transparent cache

2.Resolver cache

3.Resolver cache with validation.

Accelerating DNS Resolution with Transparent Cache:

You can configure a transparent cache on the BIG-IP system to use external DNS resolvers to resolve
queries, and then cache the responses from the resolvers.

The next time the system receives a query for a response that exists in the cache, the system
immediately returns the response from the cache. The transparent cache contains messages and
resource records.


Accelerated DNS Resolution with Resolver Cache

A resolver cache performs the entire recursive resolution process itself and then caches the
response. The next time the system receives a query for a response that exists in the cache, the
system returns the response from the cache.
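As an added example, not code from the article or from BIG-IP, the Python below models the cache behaviour shared by the transparent and resolver caches (and by the LDNS described in the introduction): answers are kept for their TTL, a cache hit returns the remaining rather than the original TTL, oversized TTLs are capped, and an expired entry is refetched. The upstream resolver and the zone data are constructed stand-ins, and negative caching is not modelled:

```python
"""Added example, not F5 code: a TTL-aware DNS cache of the kind the transparent
and resolver caches implement. The upstream resolver is whatever callable is
supplied: external resolvers for a transparent cache, a recursive resolver for
a resolver cache. All zone data in the demo is constructed."""
import time
from typing import Callable, Dict, Optional, Tuple

Answer = Tuple[str, int]                     # (rdata, TTL in seconds) from upstream


class DnsCache:
    def __init__(self, resolve: Callable[[str, str], Optional[Answer]],
                 clock: Callable[[], float] = time.time, max_ttl: int = 86400):
        self.resolve = resolve                # upstream lookup used on a miss
        self.clock = clock                    # injectable so expiry can be tested
        self.max_ttl = max_ttl                # cap absurd TTLs, as caching resolvers do
        self.entries: Dict[Tuple[str, str], Tuple[str, float]] = {}
        self.upstream_queries = 0             # how often the cache failed to absorb a query

    @staticmethod
    def _key(qname: str, qtype: str) -> Tuple[str, str]:
        # DNS names are case-insensitive and the trailing dot is not significant.
        return qname.lower().rstrip("."), qtype.upper()

    def lookup(self, qname: str, qtype: str) -> Optional[Tuple[str, int, bool]]:
        """Return (rdata, remaining_ttl, from_cache), or None if the name does not resolve."""
        key = self._key(qname, qtype)
        now = self.clock()
        hit = self.entries.get(key)
        if hit is not None:
            rdata, expires = hit
            if expires > now:
                # A cached answer carries the TTL that is left, not the original
                # one, so downstream caches expire it at the same moment we do.
                return rdata, int(expires - now), True
            del self.entries[key]             # stale: fall through and refetch
        self.upstream_queries += 1
        answer = self.resolve(qname, qtype)
        if answer is None:
            return None                       # negative caching (SOA minimum) not modelled
        rdata, ttl = answer
        ttl = max(0, min(ttl, self.max_ttl))
        self.entries[key] = (rdata, now + ttl)
        return rdata, ttl, False


if __name__ == "__main__":
    # Constructed authoritative data standing in for the upstream resolvers.
    ZONE = {("www.dnstraining.com", "A"): ("203.0.113.10", 60)}
    fake_now = [1_000_000.0]
    cache = DnsCache(lambda n, t: ZONE.get((n.lower().rstrip("."), t.upper())),
                     clock=lambda: fake_now[0])
    print(cache.lookup("www.dnstraining.com", "A"))    # miss: full TTL, fetched upstream
    fake_now[0] += 45
    print(cache.lookup("WWW.dnstraining.com.", "A"))   # hit: 15 s of TTL left
    fake_now[0] += 30
    print(cache.lookup("www.dnstraining.com", "A"))    # expired: fetched upstream again
    print("upstream queries:", cache.upstream_queries)
```

Decrementing the TTL on a hit is what keeps a chain of caches (browser, LDNS, BIG-IP cache) consistent; a cache that handed out the original TTL would let clients hold an address long after the authoritative server changed it.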


Validating resolver cache:

This cache makes the BIG-IP system recursively query public DNS servers, validate the DNSSEC
signatures on the responses it receives, return a DNSSEC-compliant response to the client, and then
cache the validated responses.

The next time the system receives a query for a response that exists in the cache, the system returns
a DNSSEC-compliant response from the cache.

Configuring DNS Transparent Cache:

1.First configure the DNS cache global settings

2.Create a Transparent cache

3.Create DNS profile and associate it with the cache

4.Associate the DNS profile with the DNS listener.


Implementing DNS Transparent Cache:

• Create a DNS monitor
• Create a pool of DNS servers
• Associate the pool to the listener
• Configure transparent DNS cache
• Create a custom DNS profile
• Associate the profile to the listener
• Use the dig command to test

BIG-IP DNS Order of Operations

1) If the DNS query matches the domain name (and record type) configured on a wide IP, BIG-IP
DNS performs intelligent DNS resolution.

2) If the name is not covered by a wide IP, BIG-IP DNS checks whether it belongs to a DNS Express
zone and, if so, answers from DNS Express (accelerated DNS resolution).

3) Transparent DNS cache (accelerated DNS resolution)

4) Resolving DNS cache: BIG-IP DNS performs the recursive lookup itself (accelerated DNS
resolution)

5) Listener with a pool of DNS servers

6) Local BIND

7) If the listener address is not a self IP address, the query is forwarded to the remote DNS server at
that address for resolution.

THANK YOU.
I hope you like this technical article.

Feel free to send me any questions or concerns on my linked-in message.
