Manage DNS Zone
Objective
This guide provides instructions on how to set up primary and secondary Domain Name System (DNS) zones and the associated DNS service for your applications using F5® Distributed Cloud Services. A DNS zone is a distinct division or subdivision of the domain namespace that is managed by an entity such as an organization. A DNS zone allows you to exercise granular control over components such as the name servers that hold the DNS records for the domain namespace represented by the zone.
Using this service, you can set up zones for your primary and secondary DNS servers and configure an encrypted connection between them for record synchronization.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- A DNS domain for your web application. Obtain a domain from the Internet domain registrar.
- Name servers for managing your DNS records.
- To ensure that zone transfers are successful, add the following IP addresses to your firewall or ACL allow list:
  - 52.14.213.208
  - 3.140.118.214
Configuration
Creating and managing zones involves creating a primary DNS zone and a secondary zone, and configuring settings such as records and the encryption mechanism.
Create Primary Zone
Log into Console and perform the following:
Step 1: Navigate to zone management and start adding a zone.
- Click DNS Management service on the Console home page.
- Select DNS Management option in the primary navigation menu located on the left side of the page.
- Click Add Zone.
- Enter domain or subdomain name in the Domain Name field in the metadata section.
- Optionally, set labels and add a description for your zone.
Step 2: Start configuring primary zone.
Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:
- In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.

Step 3: Configure resource record sets for the default group.
- Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.
- Enter a value for the Time to live field.
- Select a record type for the Record Set field, enter a name for your record in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:
Record Type | Fields | Notes |
---|---|---|
A | List of IPv4 Addresses | Enter IPv4 addresses. |
AAAA | List of IPv6 Addresses | Enter IPv6 addresses. |
ALIAS | Domain | Enter alias domain name. |
CAA | Tags and Value | Enter a tag and its value. |
CNAME | Domain | Enter domain name. |
MX | Domain and Priority | Enter domain and priority in the MX Record Value section. |
NS | List of Name servers | Enter the FQDN for the name servers. |
PTR | List of Name servers | Enter the FQDN for the name servers. |
SRV | Priority, Weight, Port, Target | Click Add Item in the SRV Value section and set the parameters. |
TXT | List of Text | Add the TXT record. |
DNS Load Balancer | DNS Load Balancer Records | Add the DNS Load Balancer record. |
NAPTR | Naming Authority Pointer | Enter regex based domain names used in URIs. |
DS | Delegation signer | Enter the signer to identify DNSSEC signing key of a delegated zone. |
CDS | Child DS | Enter Child copy of DS record, for transfer to parent. |
EUI48 | MAC address (EUI-48) | Add uniquely identified MAC address as per the EUI-48 specification. |
EUI64 | MAC address (EUI-64) | Add uniquely identified MAC address as per the EUI-64 specification. |
AFS | AFS record | Enter the AFS record. |
DNSKEY | DNS Key | Enter the type, protocol, algorithm, and public key. |
CDNSKEY | Child DNS Key | Enter the type, protocol, algorithm, and public key. |
LOC | Location information | Enter geographical details such as latitude, longitude, hemispheres, etc. |
SSHFP | SSH Key Fingerprint | Enter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key. |
TLSA | TLS Certificate Association | Enter the usage, selector, matching type, and association data. |
CERT | Public Key Certificate | Enter the type, key tag, algorithm, and certificate. |
Note: Use the Add item button available in each record type configuration to add more than one record for that record type. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone. Also, note that subdomains are not supported for DNS load balancer record names. In case you want to use a subdomain, create another DNS zone with the subdomain included in the zone name and add the load balancer record to that zone.

- Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record set.
Step 4: Configure specific resource record sets group.
This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.
- Enable Show Advanced Fields in the Resource Record Sets section.
- Click Add Item in the Additional Resource Record Sets section that appears. This opens a new resource record sets form.
- Enter a Name in the metadata section.
- Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.
- Configure the records in the same way as mentioned in the previous step.
- Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.
- Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.
Step 5: Optionally, enable DNSSEC and load balancer management.
- In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.
Note: DNSSEC Mode is disabled by default.
- Check the Allow HTTP Load Balancer Managed Records checkbox if you want your load balancer to manage your zone records.
Note: Allow HTTP Load Balancer Managed Records is unchecked by default. In the future, Distributed Cloud Services will remove the entry for Delegated Domain from the Console, which means that you will need to create a DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly. Also, the DNS delegation from the parent zone (in most cases, the registrar) must be done towards ns1.f5clouddns.com and ns2.f5clouddns.com.
Step 6: Complete creating the primary zone.
- Click Apply in the primary zone configuration form.
- Click Save and Exit in the main zone configuration form to complete creating the primary zone.
Note: In case you enabled DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, and add the DS record to your parent zone. After the primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.
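The dig ds output shows that a DS record is published at the parent; the following added example (not part of the F5 documentation or product) goes one step further and checks that a DS record actually corresponds to the zone's DNSKEY by recomputing the key tag and digest as defined in RFC 4034. The function names, the example.com owner name and the dummy key are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def compute_ds(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire format + DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, rdata, ds_record):
    """Check a DS record in presentation format against the zone's DNSKEY."""
    tag, alg, dtype, *digest = ds_record.split()
    return (
        int(tag) == key_tag(rdata)
        and int(alg) == rdata[3]
        and int(dtype) in DIGESTS
        and "".join(digest).upper() == compute_ds(owner, rdata, int(dtype))
    )


# Constructed sample: a KSK (flags 257, algorithm 13) with a dummy 64-byte key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_DS = f"{key_tag(SAMPLE_RDATA)} 13 2 {compute_ds('example.com', SAMPLE_RDATA)}"

if __name__ == "__main__":
    print("DS derived from DNSKEY:", SAMPLE_DS)
    print("matches:", ds_matches("example.com.", SAMPLE_RDATA, SAMPLE_DS))
```

To use it on a real zone, pass the DNSKEY fields from the dig dnskey output and the DS text from the dig ds output; a mismatch means the parent holds a DS for a different key, and validating resolvers will fail to resolve the zone.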
Create Secondary Zone
Log into Console and perform the following:
Step 1: Navigate to zone management and start adding a zone.
- Click DNS Management service on the Console home page.
- Select DNS Management option in the primary navigation menu located on the left side of the page.
- Click Add Zone.
- Enter domain or subdomain name in the Domain Name field in the metadata section. Ensure that you enter the same domain name used in primary zone configuration.
- Optionally, set labels and add a description.
Step 2: Start configuring secondary zone.
Select Secondary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Configure under the Secondary DNS Configuration field. Do the following in the zone configuration form:
- Enter IP addresses for the list of primary zone servers in the List of zone primary servers field. Use the Add item button to add more than one primary server.
- Enter the Transaction Signature (TSIG) key name in the TSIG key name as used in TSIG protocol extension field.
- Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.
Note: Configuring TSIG key and algorithm is optional.
- Encrypt your secret. Paste your secret in the Secret Info section, ensure that the Type is Text, and click Blindfold.
- Wait for the encryption to complete and click Apply.

Step 3: Complete configuring secondary zone.
Click Save and Exit in the main zone configuration form to create secondary zone.
Step 4: Inspect the secondary zone file.
- Select ... > View Zone File in the Actions column for your secondary zone object. This opens the secondary zone file records in a read-only window and displays the record name, TTL, record type, and record values.
- Click on any record name to open detailed information of that record.
Import Zone
In case you have an existing zone outside of F5 Distributed Cloud, you can import the zone. Note that only primary zone can be imported using the import option.
Note: If you have DNSSEC records, those records are not imported. Also, importing ALIAS record (or any other type of DNSLB record) is not supported.
Do the following to import a zone:
Step 1: Start importing zone.
- Click DNS Management service on the Console home page.
- Select DNS Zone Management option in the primary navigation menu located on the left side of the page.
- Click Import DNS Zone.
Step 2: Set domain name and DNS server.
- Enter domain name in the Domain Name field.
- Enter the IP address of your primary DNS server in the Primary DNS Server field.
Step 3: Optionally, set TSIG configuration.
- Click Configure in the TSIG Configuration section.
- Enter the Transaction Signature (TSIG) key name in the TSIG key name field.
- Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.
- Click Configure in the TSIG key value in base 64 format section.
- Encrypt your secret. Paste your secret in the Secret to Blindfold section. Click Apply.
- Click Apply in the TSIG configuration form.
Step 4: Complete importing the zone.
Click Save and Exit in the import configuration form to import your zone.
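The TSIG steps in both the secondary zone and import procedures ask for a base64 key value that is compatible with the selected algorithm. The following added example (not F5 code) generates a key of suitable length and checks a secret for common paste mistakes before it is blindfolded. It assumes that "compatible" means valid base64 and at least as long as the HMAC output, and it uses the standard TSIG algorithm names, which may differ from the Console drop-down labels; the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import secrets
import string

# Standard TSIG algorithm names (RFC 8945); the Console drop-down labels may differ.
TSIG_HASHES = {
    "hmac-sha1": hashlib.sha1, "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256, "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def generate_tsig_secret(algorithm):
    """Random key as long as the HMAC output, base64-encoded for pasting."""
    size = TSIG_HASHES[algorithm]().digest_size
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def check_tsig_secret(algorithm, secret_b64):
    """Return a list of problems; an empty list means the secret looks usable."""
    hash_fn = TSIG_HASHES.get(algorithm.lower())
    if hash_fn is None:
        return [f"unknown TSIG algorithm: {algorithm}"]
    problems = []
    cleaned = secret_b64.strip(" \t\r\n\"';")
    if cleaned != secret_b64:
        problems.append("remove surrounding whitespace, quotes or ';' before pasting")
    if cleaned and all(c in string.hexdigits for c in cleaned):
        problems.append("value looks like hex; the field expects base64")
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["secret is not valid base64"]
    # Assumption: "compatible" = key at least as long as the hash output (RFC 2104).
    need = hash_fn().digest_size
    if len(raw) < need:
        problems.append(f"{len(raw)}-byte key is shorter than {need} bytes for {algorithm}")
    return problems


if __name__ == "__main__":
    secret = generate_tsig_secret("hmac-sha256")
    print(secret, check_tsig_secret("hmac-sha256", secret))
```

The same key name, algorithm and secret must be configured on the primary server, otherwise the signed zone transfer is rejected.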
DNS Overview
In the DNS Management service, the Overview section in the left navigation provides a couple of ways to observe your DNS status and operation.
- Performance - provides a list of your DNS zones along with some basic information about each zone. Click on a zone name to see the performance dashboard.
- DNS Load Balancers - provides a list of your DNS load balancers with some basic information for each load balancer. Click on a load balancer name to see the DNS load balancer dashboard.
Performance Dashboard
- In the DNS Management service, click Overview > Performance to see a list of DNS zones.
- Click the name of the zone you want to observe.

Dashboard Time Period
The dashboard contents are dependent on the settings in the right-justified, top bar of options.
- The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
- Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.
Information Sections
- The Traffic Distribution section shows the distribution of DNS traffic per country. Hover over a colored country to see a pop-up showing the amount of traffic for that country.
  Figure: DNS Zone Traffic by Country
- The Top Requests section shows the number of requests for the most requested DNS records.
- The Total Queries section shows the distribution of DNS queries over time in a histogram. Hover over a bar (time period) to see a pop-up showing the number of requests for that time period.
  Figure: Queries by Time Period
- The Query Type section shows the distribution of requests by query type.
- The Response Type (by RCODE) section shows the response type quantities over time. Click an RCODE checkbox to show/hide that information in the graph. Hover over the graph to see the response count for that time.
  Figure: Response Type Trend
- The DNS Query Rate (by Query Type) section shows the query rate by query types over time. Click a query-type checkbox to show/hide that information in the graph. Hover over the graph to see the query type quantities for that time.
  Figure: DNS Query Rate
DNS Load Balancer Dashboard
- In the DNS Management service, click Overview > DNS Load Balancer to see a list of DNS load balancers.
- Click the name of the load balancer you want to observe.
- Click the Refresh button in the upper right to update the contents of the dashboard.
- The Health section shows the overall health of the load balancer.
- The Pools Overview section provides overview health information for the pools in the load balancer.
- The Pools list provides some details for each pool.
  - Enter a string into the Search field to only show pool names containing that string.
  - Click the gear icon ( ⚙ ) to change the columns shown in the pools table.
  - Click on a column name to sort the table by that column.
  - Hover over a column name to see the drag icon ( ⠿ ). Click and drag the icon to move the column.
  - Click on a pool name to get health information for individual members (IP endpoints) in that pool.
  Figure: Pool Member Health
- Enter a string into the