Manage DNS Zone

Objective

This guide provides instructions on how to set up primary and secondary Domain Name System (DNS) zones and associated DNS service for your applications using F5® Distributed Cloud Services. A DNS zone is a distinct division or subdivision of domain namespace that is managed by an entity such as an organization. A DNS zone allows you to exercise granular control on the components such as name servers which hold the DNS records for the domain namespace represented by the zone.

Using this service, you can set up zones for your primary and secondary DNS servers and configure encrypted connection between them for record synchronization.

Prerequisites

The following prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
A DNS domain for your web application. Obtain a domain from the Internet domain registrar.
Name servers for managing your DNS records.
To ensure that zone transfers are successful, add the following IP addresses to your firewall or ACL allow list:
- 52.14.213.208
- 3.140.118.214

Configuration

Creating and managing zones involve creating a primary DNS zone and a secondary zone, configuring settings such as records, encryption mechanism, etc.

Create Primary Zone

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.

Click DNS Management service on the Console home page.

Figure: Navigate to DNS Management

Select DNS Management option in the primary navigation menu located on the left side of the page.
Click Add Zone.

Figure: Add Zone

Enter domain or subdomain name in the Domain Name field in the metadata section.
Optionally, set labels and add a description for your zone.

Step 2: Start configuring primary zone.

Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:

In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.

Figure: SOA Custom Configuration

Step 3: Configure resource record sets for the default group.

Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.
Enter a value for the Time to live field.
Select a record type for the Record Set field, enter a name for your record name in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:

Record Type	Fields	Notes
A	List of IPv4 Addresses	Enter IPv4 addresses.
AAAA	List of IPv6 Addresses	Enter IPv6 addresses.
ALIAS	Domain	Enter alias domain name.
CAA	Tags and Value	Enter a tag and its value.
CNAME	Domain	Enter domain name.
MX	Domain and Priority	Enter domain and priority in the `MX Record Value` section.
NS	List of Name servers	Enter the FQDN for the name servers.
PTR	List of Name servers	Enter the FQDN for the name servers.
SRV	Priority, Weight, Port, Target	Click `Add Item` in the `SRV Value` section and set the parameters.
TXT	List of Text	Add the TXT record.
DNS Load Balancer	DNS Load Balancer Records	Add the DNS Load Balancer record.
NAPTR	Naming Authority Pointer	Enter regex based domain names used in URIs.
DS	Delegation signer	Enter the signer to identify DNSSEC signing key of a delegated zone.
CDS	Child DS	Enter Child copy of DS record, for transfer to parent.
EUI48	MAC address (EUI-48)	Add uniquely identified MAC address as per the EUI-48 specification.
EUI64	MAC address (EUI-64)	Add uniquely identified MAC address as per the EUI-48 specification.
AFS	AFS record	Enter the AFS record.
DNSKEY	DNS Key	Enter the type, protocol, algorithm, and public key.
CDNSKEY	Child DNS Key	Enter the type, protocol, algorithm, and public key.
LOC	Location information	Enter geographical details such as latitude, longitude, hemispheres, etc.
SSHFP	SSH Key Fingerprint	Enter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key.
TLSA	TLS Certificate Association	Enter the usage, selector, matching type, and association data.
CERT	Public Key Certificate	Enter the type, key tag, algorithm, and certificate.

Note: Use the Add item button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone.

Figure: Resource Record Set

Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record step.

Step 4: Configure specific resource record sets group.

This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.

Enable Show Advanced Fields in the Resource Record Sets section.
Click Add Item in the appeared Additional Resource Record Sets section. This opens new resource record sets form.
Enter a Name in the metadata section.
Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.
Configure the records in the same way as mentioned in previous step.
Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.
Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.

Step 5: Optionally, enable DNSSEC and load balancer management.

In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.

Note: DNSSEC Mode is disabled by default.

Check the Allow HTTP Load Balancer Managed Records. This is only optional for a legacy delegated domain.

Note: Allow HTTP Load Balancer Managed Records is unchecked by default, which might have made sense for a delegated domain. However, Distributed Cloud Services has deprecated the Delegated Domain capability, which means that new domains will need to be setup as a Primary DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly.

Step 6: Complete creating the primary zone.

Click Apply in the primary zone configuration form.

Figure: Primary Zone Configuration

Click Save and Exit in the main zone configuration form to complete creating the primary zone.

Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.

Create Secondary Zone

Prior to creating secondary zone, ensure that you allow queries from F5 Distributed Cloud IP ranges to your DNS servers.

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.

Click DNS Management service on the Console home page.

Figure: Navigate to DNS Management

Select DNS Management option in the primary navigation menu located on the left side of the page.
Click Add Zone.
Enter domain or subdomain name in the Domain Name field in the metadata section. Ensure that you enter the same domain name used in primary zone configuration.
Optionally, set labels and add a description.

Step 2: Start configuring secondary zone.

Select Secondary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Configure under the Secondary DNS Configuration field. Do the following in the zone configuration form:

Enter IP addresses for the list of primary zone servers in the List of zone primary servers field. Use the Add item button to add more than one primary server.
Enter the Transaction Signature (TSIG) key name in the TSIG key name as used in TSIG protocol extension field.
Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.

Note: Configuring TSIG key and algorithm is optional. However, it is recommended that you use at least the HMAC-SHA256 algorithm in case you configure TSIG.

Click Configure in the TSIG key value in base 64 format section to encrypt your secret, and do one of the following:
- Paste your secret in the Secret to Blindfold field, and click Apply. The secret type Blindfolded Secret and action Blindfold New Secret are set by default and your secret is encrypted using Blindfold. You can optionally change the action to Use Existing Blindfolded Secret to add an existing encrypted secret, or use a custom policy instead of a built-in policy using the Policy Type field.
- In case you want to use a clear secret, select Clear Secret for the Secret Type field, and paste secret in the Secret field. The option text is populated by default, and you can apply Base64 encoding by changing the selection to Base64. Click Apply

Note: Ensure you obtain the base64 encoded secret if you choose Base64 option for clear secret. You can use echo -n <TSIG KEY> | base64 to convert your secret to Base64 encoded format.

Click Apply.

Figure: Secondary Zone Configuration

Step 3: Complete configuring secondary zone.

Click Save and Exit in the main zone configuration form to create secondary zone.

Step 4: Inspect the secondary zone file.

Select ... > View Zone File in the Actions column for your secondary zone object. This opens the secondary zone file records in a read-only window and displays the record name, TTL, record type, and record values.
Click on any record name to open detailed information of that record.

Import Zone

If you have an existing zone outside of F5 Distributed Cloud, you can import the zone. Note that only the primary zone can be imported using the import option.

Note: If you have DNSSEC records, those records are not imported. Also, importing an ALIAS record (or any other type of DNSLB record) is not supported.

Do the following to import a zone:

Step 1: Navigate to DNS Zone Management.

Click DNS Management service on the Console home page.
Select DNS Zone Management option in the primary navigation menu located on the left side of the page.

Figure: DNS Zone Management

Step 2: Import from a zone file

Use the Import DNS Zone drop-down menu to import from one of the following zone file types:

Figure: DNS Zone Management

Import from an AXFR zone file

Select AXFR Import from the Import DNS Zone drop-down menu.

Figure: Import from AXFR

Enter domain name in the Domain Name field.
Enter the IP address of your primary DNS server in the Primary DNS Server field.
Optionally, set TSIG configuration.
- Click Configure in the TSIG Configuration section.
- Enter the Transaction Signature (TSIG) key name in the TSIG key name field.
- Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.
- Click Configure in the TSIG key value in base 64 format section.
- Encrypt your secret. Paste your secret in the Secret to Blindfold section. Click Apply.
- Click Apply in the TSIG configuration form.

Import from a BIND zone file

Select BIND Import from the Import DNS Zone drop-down menu.

Figure: Import from BIND file

Optionally enter a description.
Click Import from File in the DNS Zones section.
Click Upload File in the Import from File panel.
Use the system file browser to select and open your BIND File. The BIND file must be a compressed zip file no larger than 1MB.
Click Import at the bottom of the Import from File panel.

Step 4: Complete importing the zone.

Click Save and Exit in the import configuration form to import your zone.

Monitor DNS Zone Performance

In the DNS Management service, click Overview > Performance to see how your DNS setup is performing. The Performance page provides two tabs for different views.

Figure: DNS Zone Dashboard

Dashboard Tab

The Dashboard tab provides an overview of the traffic through the load balancer over the time period shown in the right-justified, top bar of options.

DNS Zone Selector

Use the DNS Zone drop-down menu above the widgets to select up to five zones or all zones (the default). The data in the widgets below will be specifically for the zone(s) you select.
To return to seeing data from all zones, click Deselect All in the DNS Zone drop-down menu.

Dashboard Time Period

The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.

Information Sections

The Traffic Distribution widget shows the distribution of DNS traffic per country. Hover over a colored country to see a pop-up showing the amount of traffic for that country.

Figure: DNS Zone Traffic by Country
The Top Requests widget shows the number of requests for the most requested DNS records.
The Total Queries widget shows the distribution of DNS queries over time in a histogram. Hover over a bar (time period) to see a pop-up showing the number of requests for that time period.

Figure: Queries by Time Period
The Query Type widget shows the distribution of requests by query type.
The Response Type (by RCODE) widget shows the response type quantities over time. Click an RCODE checkbox to show/hide that information in the graph. Hover over the graph to see the response count for that time.

Figure: Response Type Trend
The DNS Query Rate (by Query Type) widget shows the query rate by query types over time. Click a query-type checkbox to show/hide that information in the graph. Hover over the graph to see the query type quantities for that time.

Figure: DNS Query Rate
The DNS Zones widget shows a list of your DNS zones.
- Use Add DNS Zone to add a new zone.
- Enter a zone name or partial name into the Search field, and only matching zone names will show in the list.
- Click ... > Manage Configuration to view zone configuration details. From there you can click Edit Configuration to make changes.

Requests Tab

Figure: DNS Zone Requests

The Requests tab shows both request statistics (in the bar chart) and the specific requests received (in the table below). Use the Show/Hide Chart and Show/Hide Filter to customize the display.

DNS Zone Selector

Use the DNS Zone drop-down menu above the widgets to select up to five zones or all zones (the default). The data in the widgets below will be specifically for the zone(s) you select.
To return to seeing data from all zones, click Deselect All in the DNS Zone drop-down menu.

Requests Time Period

The dashboard contents are dependent on the settings in the right-justified, top bar of options.

The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.

Filter Options

Filtering options are above the graph and affect what's shown in the graph.

Use Add Filter to exclude or show only requests with specified characteristics. For example, select Gelocation, Not in, and US to show only requests that did not come from the United States. Note that if you do not have any requests from the US, then US will not be an option.
Check or uncheck the colored checkboxes to quickly filter by return code. The color of the checkboxes correspond to the column colors.

Request Chart Options

Hover over a bar in the chart to see specifics for that time period.
Click and drag within the chart to zoom into that time period. This will also create a time-period link above the graph (and below the checkboxes) for the previous time period. Click on a link to return to that time period.

Request Table Options

Use the Search field to only show entries containing that string.
Use the Download CSV (#) to download a comma separated values (CSV) file of all requests in the table. The number in parentheses shows the number of entries in the table, which may be more than the number of entries shown on the page.
Click the gear icon ( ⚙ ) to change the columns shown in the requests table.
Click > at the left of a request in the table to see details for that request in JSON format. Once the JSON is shown, you can switch it to YAML by using the JSON drop-down menu.
Click 10, 50, 100 below the table to change the number of table entries shown on the page.

Monitor DNS Load Balancers

In the DNS Management service, click Overview > DNS Load Balancers to get an overview the health and status of your load balancers.

Figure: DNS Load Balancers Dashboard

Dashboard Specifics

The DNS Load Balancers Health and the Pools Overview widgets show the current health of all of your DNS load balancers and pool, divided between Healthy, Unhealthy, and Degraded.
The DNS Load Balancers widget shows a list of your load balancers.
- Click Add DNS Load Balancer above the table to create a new DNS Load Balancer.
- Click the gear icon ( ⚙ ) to change the columns shown in the table.
- Enter a string into the Search field, and only line items containing that string will show in the list.
- Click ... > Manage Configuration in the Action column for a specific load balancer to view or edit the configuration of that load balancer.
- Click the name of a DNS load balancer in the list to see the dashboard for that specific load balancer.
  Figure: Specific DNS Load Balancer Dashboard
The Pool Members widget shows a list all your pool members.
- Use the All|Unhealthy selector to which pool members you see in the table.
- Click the gear icon ( ⚙ ) to change the columns shown in the table.
- Enter a string into the Search field, and only line items containing that string will show in the list.
- The Pool Name column shows which pool the pool member (endpoint) is a member of. Click the pool name for an endpoint to see configuration details for that pool in a sliding panel.
  Figure: Specific DNS Load Balancer Dashboard
- The DNS Load Balancer column shows which load balancer the pool member (endpoint) is a member of. Click the load balancer name for an endpoint to see that load balancer's dashboard.