Manage DNS Zone
Objective
This guide provides instructions on how to set up primary and secondary Domain Name System (DNS) zones and associated DNS service for your applications using F5® Distributed Cloud Services. A DNS zone is a distinct division or subdivision of domain namespace that is managed by an entity such as an organization. A DNS zone allows you to exercise granular control on the components such as name servers which hold the DNS records for the domain namespace represented by the zone.
Using this service, you can set up zones for your primary and secondary DNS servers and configure TSIG-signed zone transfers between them for record synchronization. TSIG authenticates the transfer and protects its integrity; it does not encrypt the zone data in transit.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- A DNS domain for your web application. Obtain a domain from an Internet domain registrar.
- Name servers for managing your DNS records.
- To ensure that zone transfers succeed, add the following IP addresses to the allow list of your firewall or ACL: 52.14.213.208 and 3.140.118.214. The primary DNS server's own zone-transfer ACL (for example, allow-transfer in BIND) must also permit these addresses; a packet-filter allow rule on its own does not authorize AXFR.
Configuration
Creating and managing zones involves creating a primary DNS zone and a secondary zone, and configuring settings such as records, the TSIG key used to secure transfers, etc.
Create Primary Zone
Log into Console and perform the following:
Step 1: Navigate to zone management and start adding a zone.
- Click DNS Management service on the Console home page.
Figure: Navigate to DNS Management
- Select DNS Management option in the primary navigation menu located on the left side of the page.
- Click Add Zone.
Figure: Add Zone
- Enter the domain or subdomain name in the Domain Name field in the metadata section.
- Optionally, set labels and add a description for your zone.
Step 2: Start configuring primary zone.
Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:
- In the SOA Record Parameters section, Use Default Parameters is selected by default. To customize the SOA, select the SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.
Figure: SOA Custom Configuration
Step 3: Configure resource record sets for the default group.
- Go to the Resource Record Sets section and click Add Item. The resource record sets configuration form opens.
- Enter a value for the Time to live field.
- Select a record type for the Record Set field, enter a name for your record in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:
Record Type | Fields | Notes |
---|---|---|
A | List of IPv4 Addresses | Enter IPv4 addresses. |
AAAA | List of IPv6 Addresses | Enter IPv6 addresses. |
ALIAS | Domain | Enter alias domain name. |
CAA | Tags and Value | Enter a tag and its value. |
CNAME | Domain | Enter domain name. |
MX | Domain and Priority | Enter domain and priority in the MX Record Value section. |
NS | List of Name servers | Enter the FQDN for the name servers. |
PTR | List of Name servers | Enter the FQDN(s) that the reverse lookup should return. |
SRV | Priority, Weight, Port, Target | Click Add Item in the SRV Value section and set the parameters. |
TXT | List of Text | Add the TXT record. |
DNS Load Balancer | DNS Load Balancer Records | Add the DNS Load Balancer record. |
NAPTR | Naming Authority Pointer | Enter regex based domain names used in URIs. |
DS | Delegation signer | Enter the signer to identify the DNSSEC signing key of a delegated zone. |
CDS | Child DS | Enter the child's copy of the DS record, published for the parent zone to pick up. |
EUI48 | MAC address (EUI-48) | Add a uniquely identified MAC address as per the EUI-48 specification. |
EUI64 | MAC address (EUI-64) | Add a uniquely identified MAC address as per the EUI-64 specification. |
AFS | AFS record | Enter the AFS record. |
DNSKEY | DNS Key | Enter the type, protocol, algorithm, and public key. |
CDNSKEY | Child DNS Key | Enter the type, protocol, algorithm, and public key. |
LOC | Location information | Enter geographical details such as latitude, longitude, hemispheres, etc. |
SSHFP | SSH Key Fingerprint | Enter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key. |
TLSA | TLS Certificate Association | Enter the usage, selector, matching type, and association data. |
CERT | Public Key Certificate | Enter the type, key tag, algorithm, and certificate. |
Note: Use the Add Item button available in each record type configuration to add more than one value for that record. See DNS Load Balancer for instructions on how to configure a DNS load balancer for your zone.
Figure: Resource Record Set
- Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record set.
Step 4: Configure specific resource record sets group.
This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.
- Enable Show Advanced Fields in the Resource Record Sets section.
- Click Add Item in the Additional Resource Record Sets section that appears. This opens a new resource record sets form.
- Enter a Name in the metadata section.
- Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.
- Configure the records in the same way as described in the previous step.
- Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.
- Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.
Step 5: Optionally, enable DNSSEC and load balancer management.
- In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS Security Extensions (DNSSEC) to authenticate DNS response data.
Note: DNSSEC Mode is disabled by default.
- Check Allow HTTP Load Balancer Managed Records. Leaving this unchecked is appropriate only for a legacy delegated domain.
Note: Allow HTTP Load Balancer Managed Records is unchecked by default, which made sense for a delegated domain. However, Distributed Cloud Services has deprecated the Delegated Domain capability, which means that new domains must be set up as a Primary DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly.
Step 6: Complete creating the primary zone.
- Click Apply in the primary zone configuration form.
Figure: Primary Zone Configuration
- Click Save and Exit in the main zone configuration form to complete creating the primary zone.
Note: If you enabled DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click the displayed value, click Copy DS Record in the window that opens, and add the DS record to your parent zone (through your registrar or parent-zone operator). After the primary zone is created, you can use the dig DS <domain name> command to verify that the DS record digest is returned from the parent; the key tag, algorithm, digest type, and digest in the answer must match what the console displayed. Publishing the DS in the parent completes the chain of trust; to confirm that validating resolvers actually accept the zone, query one with dig +dnssec <domain name> and check that the AD flag is set in the response. Until the DS is published in the parent, the zone is signed but not validated.
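The check a practitioner wants before touching the parent zone is that the DS the console displays really corresponds to the DNSKEY the zone publishes. The following is an added example in Python, not F5 code and not part of the original page: it derives a DS record from a DNSKEY exactly as RFC 4034 specifies (key tag from Appendix B, digest over the wire-format owner name followed by the DNSKEY RDATA) and compares it with a DS string copied from the console. The DNSKEY used in the sample run is constructed dummy data, not a real key; feed it the output of dig DNSKEY <domain name> and the DS from the console instead.

```python
import base64
import hashlib

# DS digest type -> hash constructor (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed labels, lower-cased, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """DS RDATA text '<keytag> <alg> <digesttype> <hexdigest>' derived from the DNSKEY.
    digest = hash(owner name in wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(console_ds: str, owner: str, dnskey_text: str) -> bool:
    """Compare the DS copied from the console with a DNSKEY RDATA line ('257 3 13 <base64>')
    as printed by 'dig DNSKEY <zone>'. dig may split the base64 and the digest over several
    words, so the pieces are re-joined; the hex digest is compared case-insensitively."""
    tag, alg, dtype, *digest_parts = console_ds.split()
    flags, proto, kalg, *key_parts = dnskey_text.split()
    computed = ds_from_dnskey(owner, int(flags), int(proto), int(kalg), "".join(key_parts), int(dtype))
    expected = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest_parts).lower()}"
    return computed == expected


if __name__ == "__main__":
    # Constructed sample KSK (flags 257, ECDSAP256SHA256 = algorithm 13); the key bytes are dummy.
    owner = "example.com."
    pubkey = base64.b64encode(bytes(range(64))).decode("ascii")
    ds = ds_from_dnskey(owner, 257, 3, 13, pubkey)
    print(f"{owner} IN DS {ds}")
    print("console DS matches zone DNSKEY:", ds_matches(ds, owner, f"257 3 13 {pubkey}"))
```

Only the key-signing key (flags 257) needs a DS in the parent; if the zone publishes several DNSKEY records, run the comparison against each and expect exactly one match. A mismatch in any of the four fields means the DS you are about to publish would break resolution for validating resolvers rather than secure it.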
Create Secondary Zone
Before creating a secondary zone, ensure that your primary DNS servers accept zone transfer (AXFR) requests from the F5 Distributed Cloud IP addresses listed in the Prerequisites, both in any firewall in front of them and in the server's own transfer ACL.
Log into Console and perform the following:
Step 1: Navigate to zone management and start adding a zone.
- Click DNS Management service on the Console home page.
Figure: Navigate to DNS Management
- Select DNS Management option in the primary navigation menu located on the left side of the page.
- Click Add Zone.
- Enter the domain or subdomain name in the Domain Name field in the metadata section. Ensure that you enter the same domain name used in the primary zone configuration.
- Optionally, set labels and add a description.
Step 2: Start configuring secondary zone.
Select Secondary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Configure under the Secondary DNS Configuration field. Do the following in the zone configuration form:
- Enter the IP addresses of the primary zone servers in the List of zone primary servers field. Use the Add item button to add more than one primary server.
- Enter the Transaction Signature (TSIG) key name in the TSIG key name as used in TSIG protocol extension field. The name must match the key name configured on the primary exactly, because it is carried in the TSIG record of each request and the primary uses it to look up the shared secret.
- Click the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value is compatible with the selected algorithm and that the primary has the same algorithm configured for that key.
Note: Configuring a TSIG key and algorithm is optional. However, if you configure TSIG, use at least the HMAC-SHA256 algorithm and avoid HMAC-MD5. Without TSIG, the only control on the transfer is the primary's source-address ACL, which does not authenticate the requester.
- Click Configure in the TSIG key value in base 64 format section to encrypt your secret, and do one of the following:
  - Paste your secret in the Secret to Blindfold field, and click Apply. The secret type Blindfolded Secret and action Blindfold New Secret are set by default and your secret is encrypted using Blindfold. You can optionally change the action to Use Existing Blindfolded Secret to add an existing encrypted secret, or use a custom policy instead of a built-in policy using the Policy Type field.
  - If you want to use a clear secret, select Clear Secret for the Secret Type field, and paste the secret in the Secret field. The option text is selected by default; you can apply Base64 encoding by changing the selection to Base64. Click Apply.
Note: Ensure that you supply the Base64-encoded secret if you choose the Base64 option for a clear secret. You can use echo -n <TSIG KEY> | base64 to convert your secret to Base64 encoded format. A TSIG secret taken from the primary's configuration (for example, the secret in a BIND key block, or the output of tsig-keygen) is already Base64; encoding such a value a second time gives the two sides different key bytes, and every transfer then fails signature verification (BADSIG).
- Click Apply.
Figure: Secondary Zone Configuration
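The TSIG steps above leave two things to get right outside the console: a secret of adequate length for the chosen HMAC, and identical key bytes on both ends. The following is an added example in Python, not F5 code and not part of the original page. It generates a secret sized to the algorithm, validates a pasted Base64 value, emits the matching key block for a BIND primary, and shows the failure mode the note warns about: if one side signs with the raw decoded bytes and the other with the Base64 characters themselves (the result of pasting the wrong form or encoding an already-encoded secret), the HMACs disagree and the transfer is rejected. The key name f5xc-xfer and the message used for the MAC comparison are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# TSIG algorithm names as BIND spells them -> hash constructor (RFC 8945 section 6)
TSIG_ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def generate_tsig_secret(algorithm: str) -> str:
    """Fresh random secret, Base64-encoded, as long as the HMAC output (RFC 2104's minimum)."""
    size = TSIG_ALGORITHMS[algorithm]().digest_size
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def check_tsig_secret(algorithm: str, secret_b64: str) -> list:
    """Problems with a Base64 secret for the chosen algorithm; an empty list means it is usable."""
    if algorithm not in TSIG_ALGORITHMS:
        return [f"unsupported or deprecated algorithm {algorithm!r}; use hmac-sha256 or stronger"]
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["secret is not valid Base64; encode raw key bytes with: echo -n <KEY> | base64"]
    need = TSIG_ALGORITHMS[algorithm]().digest_size
    if len(raw) < need:
        return [f"secret is {len(raw)} bytes; use at least {need} bytes for {algorithm}"]
    return []


def tsig_mac(algorithm: str, key: bytes, message: bytes) -> str:
    """HMAC a TSIG signer computes over the message with the shared key bytes."""
    return hmac.new(key, message, TSIG_ALGORITHMS[algorithm]).hexdigest()


def same_key_both_sides(algorithm: str, secret_b64: str, pasted_as_text: bool) -> bool:
    """Whether the secondary's MAC matches the primary's. BIND decodes the Base64 in its key
    stanza and signs with the raw bytes. If the secondary instead uses the Base64 characters
    themselves as key bytes, the MACs differ and the primary answers BADSIG."""
    primary_key = base64.b64decode(secret_b64)
    secondary_key = secret_b64.encode("ascii") if pasted_as_text else primary_key
    request = b"example.com. IN AXFR"  # constructed stand-in for the signed AXFR request
    return hmac.compare_digest(tsig_mac(algorithm, primary_key, request),
                               tsig_mac(algorithm, secondary_key, request))


def bind_key_stanza(name: str, algorithm: str, secret_b64: str) -> str:
    """The matching 'key' block for the primary's named.conf; reference it from the zone's
    allow-transfer so that only holders of this key can pull the zone."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret_b64}";\n}};\n'


if __name__ == "__main__":
    secret = generate_tsig_secret("hmac-sha256")
    print(bind_key_stanza("f5xc-xfer", "hmac-sha256", secret))
    print("problems:", check_tsig_secret("hmac-sha256", secret))
    print("MACs agree when both sides decode the Base64:", same_key_both_sides("hmac-sha256", secret, False))
    print("MACs agree when the Base64 text is used as key bytes:", same_key_both_sides("hmac-sha256", secret, True))
```

The secret printed by this script is what goes into the console's TSIG key value field, with the same key name and algorithm on both sides. On the primary, pair the key block with allow-transfer { key "f5xc-xfer"; }; on the zone so that the source-address allow list and the TSIG check both apply.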
Step 3: Complete configuring secondary zone.
Click Save and Exit in the main zone configuration form to create the secondary zone.
Step 4: Inspect the secondary zone file.
- Select ... > View Zone File in the Actions column for your secondary zone object. This opens the secondary zone file records in a read-only window and displays the record name, TTL, record type, and record values. If the window is empty or the SOA serial lags the one on your primary, the transfer has not completed; check the primary's transfer ACL and the TSIG key name, algorithm, and secret.
- Click any record name to open detailed information for that record.
Import Zone
If you have an existing zone outside of F5 Distributed Cloud, you can import the zone. Note that only the primary zone can be imported using the import option.
Note: If you have DNSSEC records, those records are not imported; enable DNSSEC Mode on the imported zone instead and publish the resulting DS record in the parent zone. Also, importing an ALIAS record (or any other type of DNSLB record) is not supported; recreate such records in the zone after the import.
Do the following to import a zone:
Step 1: Navigate to DNS Zone Management.
- Click DNS Management service on the Console home page.
- Select DNS Zone Management option in the primary navigation menu located on the left side of the page.
Figure: DNS Zone Management
Step 2: Import from a zone file
Use the Import DNS Zone drop-down menu to import from one of the following zone file types:
Figure: DNS Zone Management
Import from an AXFR zone file
- Select AXFR Import from the Import DNS Zone drop-down menu.
Figure: Import from AXFR
- Enter the domain name in the Domain Name field.
- Enter the IP address of your primary DNS server in the Primary DNS Server field. The primary must permit zone transfers from the F5 Distributed Cloud IP addresses listed in the Prerequisites.
- Optionally, set the TSIG configuration:
  - Click Configure in the TSIG Configuration section.
  - Enter the Transaction Signature (TSIG) key name in the TSIG key name field.
  - Click the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.
  - Click Configure in the TSIG key value in base 64 format section.
  - Encrypt your secret. Paste your secret in the Secret to Blindfold section and click Apply.
  - Click Apply in the TSIG configuration form.
Import from a BIND zone file
- Select BIND Import from the Import DNS Zone drop-down menu.
Figure: Import from BIND file
- Optionally, enter a description.
- Click Import from File in the DNS Zones section.
- Click Upload File in the Import from File panel.
- Use the system file browser to select and open your BIND file. The BIND file must be a compressed zip file no larger than 1 MB.
- Click Import at the bottom of the Import from File panel.
Step 3: Complete importing the zone.
Click Save and Exit in the import configuration form to import your zone. Afterwards, compare the record count in the imported zone with your source file, since DNSSEC and ALIAS records are dropped silently.
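Because the BIND import silently drops DNSSEC and ALIAS records and rejects archives over the size limit, it pays to pre-flight the zone file before uploading. The following is an added example in Python, not F5 code and not part of the original page: a small BIND zone-file reader that lists every record the import will not carry over and packs the file into a zip while enforcing the 1 MB limit. The reader handles $ directives, parenthesised continuation lines, blank-owner records and semicolons inside quoted TXT data; it does not attempt full master-file validation. The set of skipped types is an assumption derived from the note above (DNSSEC material plus ALIAS); the size limit is read conservatively as 1,000,000 bytes; and the zone text is a constructed sample.

```python
import io
import re
import zipfile

MAX_ZIP_BYTES = 1_000_000  # the page says "no larger than 1MB"; 10^6 is the conservative reading
# Record types the page says the import drops: DNSSEC material and ALIAS (DNS load balancer).
SKIPPED_TYPES = {"DNSKEY", "CDNSKEY", "DS", "CDS", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "ALIAS"}
TTL_TOKEN = re.compile(r"\d+[smhdw]?", re.IGNORECASE)  # 3600, 1h, 2d ...


def _strip_comment(line: str) -> str:
    """Drop a ';' comment unless the ';' sits inside a quoted string (TXT data may contain one)."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(zone_text: str):
    """Yield one string per record, joining '(' ... ')' continuation lines (SOA, long keys)."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).rstrip()
            buf, depth = [], 0
            if joined.strip():
                yield joined  # leading whitespace is kept: it means "same owner as above"


def record_types(zone_text: str) -> list:
    """(owner, TYPE) for every resource record; $ORIGIN/$TTL/$INCLUDE directives are ignored."""
    found, last_owner = [], "@"
    for line in _logical_lines(zone_text):
        if line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner
        else:
            owner, tokens = tokens[0], tokens[1:]
        last_owner = owner
        # an optional TTL and/or class may precede the type
        while tokens and (TTL_TOKEN.fullmatch(tokens[0]) or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if tokens:
            found.append((owner, tokens[0].upper()))
    return found


def skipped_records(zone_text: str) -> list:
    """Records the BIND import will not carry over; recreate or re-sign these in the console."""
    return [(owner, rtype) for owner, rtype in record_types(zone_text) if rtype in SKIPPED_TYPES]


def pack_for_upload(zone_text: str, filename: str = "zone.db") -> bytes:
    """Zip the zone file and refuse to produce an archive over the upload limit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, zone_text)
    data = buf.getvalue()
    if len(data) > MAX_ZIP_BYTES:
        raise ValueError(f"zip is {len(data)} bytes; the upload limit is {MAX_ZIP_BYTES}")
    return data


# Constructed sample zone (not real data): directives, a continuation, a quoted ';' and skipped types.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial
        7200 3600 1209600 300 )
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
www 300 IN A    192.0.2.10
api     IN AAAA 2001:db8::10
@       IN MX   10 mail.example.com.
_sip._tcp IN SRV 10 5 5060 sip.example.com.
txt     IN TXT  "v=spf1 -all; not a comment"
@       IN DNSKEY 257 3 13 AQID   ; dummy key, dropped by the import
@       IN RRSIG SOA 13 2 3600 20240201000000 20240101000000 2064 example.com. AQID
lb      IN ALIAS lb.example.net.
"""

if __name__ == "__main__":
    for owner, rtype in skipped_records(SAMPLE_ZONE):
        print(f"will not be imported: {owner} {rtype}")
    print(f"upload archive: {len(pack_for_upload(SAMPLE_ZONE))} bytes")
```

Run it against the zone file you are about to upload; anything it lists under "will not be imported" needs to be re-created in the console (ALIAS and DNS load balancer records) or regenerated by enabling DNSSEC Mode on the imported zone rather than copied from the old signer.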
Monitor DNS Zone Performance
- In the DNS Management service, click Overview > Performance to see a list of DNS zones.
- Click the name of the zone you want to observe.
Dashboard Tab
Figure: DNS Zone Dashboard
The Dashboard tab provides an overview of the query traffic for the zone over the time period shown in the right-justified, top bar of options.
Dashboard Time Period
- The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
- Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.
Information Sections
- The Traffic Distribution section shows the distribution of DNS traffic per country. Hover over a colored country to see a pop-up showing the amount of traffic for that country.
Figure: DNS Zone Traffic by Country
- The Top Requests section shows the number of requests for the most requested DNS records.
- The Total Queries section shows the distribution of DNS queries over time in a histogram. Hover over a bar (time period) to see a pop-up showing the number of requests for that time period.
Figure: Queries by Time Period
- The Query Type section shows the distribution of requests by query type.
- The Response Type (by RCODE) section shows the response type quantities over time. Click an RCODE checkbox to show/hide that information in the graph. Hover over the graph to see the response count for that time. A sustained rise in NXDOMAIN responses is worth investigating; it commonly indicates subdomain enumeration against the zone or misconfigured clients.
Figure: Response Type Trend
- The DNS Query Rate (by Query Type) section shows the query rate by query type over time. Click a query-type checkbox to show/hide that information in the graph. Hover over the graph to see the query type quantities for that time.
Figure: DNS Query Rate
Requests Tab
Figure: DNS Zone Requests
The Requests tab shows both request statistics (in the bar chart) and the specific requests received (in the table below). Use Show/Hide Chart and Show/Hide Filter to customize the display.
Requests Time Period
The tab contents depend on the settings in the right-justified, top bar of options.
- The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
- Click the Refresh button next to the time drop-down to update the contents of the tab manually.
Filter Options
Filtering options are above the graph and affect what is shown in the graph.
- Use Add Filter to exclude or show only requests with specified characteristics. For example, select Geolocation, Not in, and US to show only requests that did not come from the United States. Note that if you do not have any requests from the US, then US will not be an option.
- Check or uncheck the colored checkboxes to quickly filter by return code. The colors of the checkboxes correspond to the column colors.
Request Chart Options
- Hover over a bar in the chart to see specifics for that time period.
- Click and drag within the chart to zoom into that time period. This will also create a time-period link above the graph (and below the checkboxes) for the previous time period. Click on a link to return to that time period.
Request Table Options
- Use the Search field to show only entries containing that string.
- Use Download CSV (#) to download a comma separated values (CSV) file of all requests in the table. The number in parentheses shows the number of entries in the table, which may be more than the number of entries shown on the page.
- Click the gear icon ( ⚙ ) to change the columns shown in the requests table.
- Click > at the left of a request in the table to see details for that request in JSON format. Once the JSON is shown, you can switch it to YAML by using the JSON drop-down menu.
- Click 10, 50, or 100 below the table to change the number of table entries shown on the page.