Manage DNS Zone

Objective

This guide provides instructions on how to set up primary and secondary Domain Name System (DNS) zones and associated DNS service for your applications using F5® Distributed Cloud Services. A DNS zone is a distinct division or subdivision of domain namespace that is managed by an entity such as an organization. A DNS zone allows you to exercise granular control on the components such as name servers which hold the DNS records for the domain namespace represented by the zone.

Using this service, you can set up zones for your primary and secondary DNS servers and configure encrypted connection between them for record synchronization.


Prerequisites

The following prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • A DNS domain for your web application. Obtain a domain from the Internet domain registrar.

  • Name servers for managing your DNS records.

  • To ensure that zone transfers are successful, add the following IP addresses to your firewall or ACL allow list:

    • 52.14.213.208
    • 3.140.118.214

Configuration

Creating and managing zones involve creating a primary DNS zone and a secondary zone, configuring settings such as records, encryption mechanism, etc.

Create Primary Zone

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.
  • Click DNS Management service on the Console home page.
NavigateToDNS
Figure: Navigate to DNS Management
  • Select DNS Management option in the primary navigation menu located on the left side of the page.

  • Click Add Zone.

AddZone
Figure: Add Zone
  • Enter domain or subdomain name in the Domain Name field in the metadata section.

  • Optionally, set labels and add a description for your zone.

Step 2: Start configuring primary zone.

Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:

  • In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.
SOACustom
Figure: SOA Custom Configuration
Step 3: Configure resource record sets for the default group.
  • Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.

  • Enter a value for the Time to live field.

  • Select a record type for the Record Set field, enter a name for your record name in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:

Record TypeFieldsNotes
AList of IPv4 AddressesEnter IPv4 addresses.
AAAAList of IPv6 AddressesEnter IPv6 addresses.
ALIASDomainEnter alias domain name.
CAATags and ValueEnter a tag and its value.
CNAMEDomainEnter domain name.
MXDomain and PriorityEnter domain and priority in the MX Record Value section.
NSList of Name serversEnter the FQDN for the name servers.
PTRList of Name serversEnter the FQDN for the name servers.
SRVPriority, Weight, Port, TargetClick Add Item in the SRV Value section and set the parameters.
TXTList of TextAdd the TXT record.
DNS Load BalancerDNS Load Balancer RecordsAdd the DNS Load Balancer record.
NAPTRNaming Authority PointerEnter regex based domain names used in URIs.
DSDelegation signerEnter the signer to identify DNSSEC signing key of a delegated zone.
CDSChild DSEnter Child copy of DS record, for transfer to parent.
EUI48MAC address (EUI-48)Add uniquely identified MAC address as per the EUI-48 specification.
EUI64MAC address (EUI-64)Add uniquely identified MAC address as per the EUI-48 specification.
AFSAFS recordEnter the AFS record.
DNSKEYDNS KeyEnter the type, protocol, algorithm, and public key.
CDNSKEYChild DNS KeyEnter the type, protocol, algorithm, and public key.
LOCLocation informationEnter geographical details such as latitude, longitude, hemispheres, etc.
SSHFPSSH Key FingerprintEnter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key.
TLSATLS Certificate AssociationEnter the usage, selector, matching type, and association data.
CERTPublic Key CertificateEnter the type, key tag, algorithm, and certificate.

Note: Use the Add item button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone. Also, note that subdomains are not supported for DNS load balancer record names. In case you want to use a subdomain, create another DNS zone with the subdomain included in the zone name and add the load balancer record to that zone.

ResourceRecordSet
Figure: Resource Record Set
  • Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record step.
Step 4: Configure specific resource record sets group.

This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.

  • Enable Show Advanced Fields in the Resource Record Sets section.

  • Click Add Item in the appeared Additional Resource Record Sets section. This opens new resource record sets form.

  • Enter a Name in the metadata section.

  • Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.

  • Configure the records in the same way as mentioned in previous step.

  • Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.

  • Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.

Step 5: Optionally, enable DNSSEC and load balancer management.
  • In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.

Note: DNSSEC Mode is disabled by default.

  • Check the Allow HTTP Load Balancer Managed Records checkbox if you want your load balancer to manage your zone records.

Note: Allow HTTP Load Balancer Managed Records is unchecked by default. In the future, Distributed Cloud Services will remove the entry for Delegated Domain from the Console, which means that you will need to create a DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly. Also, the DNS delegation from the parent zone (registrar most of the times) must be done towards ns1.f5clouddns.com and ns2.f5clouddns.com.

Step 6: Complete creating the primary zone.
  • Click Apply in the primary zone configuration form.
PrimaryZoneConfig
Figure: Primary Zone Configuration
  • Click Save and Exit in the main zone configuration form to complete creating the primary zone.

Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.


Create Secondary Zone

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.
  • Click DNS Management service on the Console home page.
NavigateToDNS
Figure: Navigate to DNS Management
  • Select DNS Management option in the primary navigation menu located on the left side of the page.

  • Click Add Zone.

  • Enter domain or subdomain name in the Domain Name field in the metadata section. Ensure that you enter the same domain name used in primary zone configuration.

  • Optionally, set labels and add a description.

Step 2: Start configuring secondary zone.

Select Secondary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Configure under the Secondary DNS Configuration field. Do the following in the zone configuration form:

  • Enter IP addresses for the list of primary zone servers in the List of zone primary servers field. Use the Add item button to add more than one primary server.

  • Enter the Transaction Signature (TSIG) key name in the TSIG key name as used in TSIG protocol extension field.

  • Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.

Note: Configuring TSIG key and algorithm is optional.

  • Encrypt your secret. Paste your secret in the Secret Info section, ensure that the Type is Text, and click Blindfold.

  • Wait for the encryption to complete and click Apply.

SecondaryZoneConfig
Figure: Secondary Zone Configuration
Step 3: Complete configuring secondary zone.

Click Save and Exit in the main zone configuration form to create secondary zone.

Step 4: Inspect the secondary zone file.
  • Select ... > View Zone File in the Actions column for your secondary zone object. This opens the secondary zone file records in a read-only window and displays the record name, TTL, record type, and record values.

  • Click on any record name to open detailed information of that record.


Import Zone

In case you have an existing zone outside of F5 Distributed Cloud, you can import the zone. Note that only primary zone can be imported using the import option.

Note: If you have DNSSEC records, those records are not imported. Also, importing ALIAS record (or any other type of DNSLB record) is not supported.

Do the following to import a zone:

Step 1: Start importing zone.
  • Click DNS Management service on the Console home page.

  • Select DNS Zone Management option in the primary navigation menu located on the left side of the page.

  • Click Import DNS Zone.

Step 2: Set domain name and DNS server.
  • Enter domain name in the Domain Name field.

  • Enter the IP address of your primary DNS server in the Primary DNS Server field.

Step 3: Optionally, set TSIG configuration.
  • Click Configure in the TSIG Configuration section.

  • Enter the Transaction Signature (TSIG) key name in the TSIG key name field.

  • Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.

  • Click Configure in the TSIG key value in base 64 format section.

  • Encrypt your secret. Paste your secret in the Secret to Blindfold section. Click Apply.

  • Click Apply in the TSIG configuration form.

Step 4: Complete importing the zone.

Click Save and Exit in the import configuration form to import your zone.


DNS Overview

In the DNS Management service, the Overview section in the left navigation provides a couple of ways to observe your DNS status and operation.

  • Performance - provides a list of your DNS zones along with some basic information about each zone. Click on a zone name to see the performance dashboard.
  • DNS Load Balancers - provides a list of your DNS load balancers with some basic information for each load balancer. Click on a load balancer name to see the DNS load balancer dashboard.
Performance Dashboard
  • In the DNS Management service, click Overview > Performance to see a list of DNS zones.

  • Click the name of the zone you want to observe.

DNSZoneDashboard
Figure: DNS Zone Dashboard

Dashboard Time Period

The dashboard contents are dependent on the settings in the right-justified, top bar of options.

  • The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
  • Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.

Information Sections

  • The Traffic Distribution section shows the distribution of DNS traffic per country. Hover over a colored country to see a pop-up showing the amount of traffic for that country.

    TrafficByCountry
    Figure: DNS Zone Traffic by Country
  • The Top Requests section shows the number of requests for the most requested DNS records.

  • The Total Queries section shows the distribution of DNS queries over time in a histogram. Hover over a bar (time period) to see a pop-up showing the number of requests for that time period.

    QueriesByTime
    Figure: Queries by Time Period
  • The Query Type section shows the distribution of requests by query type.

  • The Response Type (by RCODE) section shows the response type quantities over time. Click an RCODE checkbox to show/hide that information in the graph. Hover over the graph to see the response count for that time.

    ResponseType
    Figure: Response Type Trend
  • The DNS Query Rate (by Query Type) section shows the query rate by query types over time. Click a query-type checkbox to show/hide that information in the graph. Hover over the graph to see the query type quantities for that time.

    DNSQueryRate
    Figure: DNS Query Rate
DNS Load Balancer Dashboard
  • In the DNS Management service, click Overview > DNS Load Balancer to see a list of DNS load balancers.

  • Click the name of the load balancer you want to observe.

DNSZoneDashboard
Figure: DNS Zone Dashboard
  • Click the Refresh button next in the upper right to update the contents of the dashboard.

  • The Health section shows the overall health of the load balancer.

  • The Pools Overview section provides overview health information for the pools in the load balancer.

  • The Pools list provides some details for each pool.

    • Enter a string into the Search field to only show pool names containing that string.
    • Click the gear icon ( ⚙ ) to change the columns shown in the pools table.
    • Click on a column name to sort the table by that column.
    • Hover over a column name to see the drag icon ( ⠿ ). Click and drag the icon to move the column.
    • Click on a pool name to get health information for individual members (IP endpoints) in that pool.
      PoolMemberHealth
      Figure: Pool Member Health

Concepts


API References