Check out the new F5 Distributed Cloud Technical Knowledge Hub

Manage DNS Zone

Objective
Prerequisites
Configuration
Create Primary Zone
Create Secondary Zone
Import Zone
Monitor DNS Zone Performance
Concepts
References

Objective

This guide provides instructions on how to set up primary and secondary Domain Name System (DNS) zones and associated DNS service for your applications using F5® Distributed Cloud Services. A DNS zone is a distinct division or subdivision of domain namespace that is managed by an entity such as an organization. A DNS zone allows you to exercise granular control on the components such as name servers which hold the DNS records for the domain namespace represented by the zone.

Using this service, you can set up zones for your primary and secondary DNS servers and configure encrypted connection between them for record synchronization.

Prerequisites

The following prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
A DNS domain for your web application. Obtain a domain from the Internet domain registrar.
Name servers for managing your DNS records.
To ensure that zone transfers are successful, add the following IP addresses to your firewall or ACL allow list:
- 52.14.213.208
- 3.140.118.214

Configuration

Creating and managing zones involve creating a primary DNS zone and a secondary zone, configuring settings such as records, encryption mechanism, etc.

Create Primary Zone

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.

Click DNS Management service on the Console home page.

NavigateToDNS — Figure: Navigate to DNS Management

Select DNS Management option in the primary navigation menu located on the left side of the page.
Click Add Zone.

Enter domain or subdomain name in the Domain Name field in the metadata section.
Optionally, set labels and add a description for your zone.

Step 2: Start configuring primary zone.

Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:

In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.

SOACustom — Figure: SOA Custom Configuration

Step 3: Configure resource record sets for the default group.

Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.
Enter a value for the Time to live field.
Select a record type for the Record Set field, enter a name for your record name in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:

Record Type	Fields	Notes
A	List of IPv4 Addresses	Enter IPv4 addresses.
AAAA	List of IPv6 Addresses	Enter IPv6 addresses.
ALIAS	Domain	Enter alias domain name.
CAA	Tags and Value	Enter a tag and its value.
CNAME	Domain	Enter domain name.
MX	Domain and Priority	Enter domain and priority in the `MX Record Value` section.
NS	List of Name servers	Enter the FQDN for the name servers.
PTR	List of Name servers	Enter the FQDN for the name servers.
SRV	Priority, Weight, Port, Target	Click `Add Item` in the `SRV Value` section and set the parameters.
TXT	List of Text	Add the TXT record.
DNS Load Balancer	DNS Load Balancer Records	Add the DNS Load Balancer record.
NAPTR	Naming Authority Pointer	Enter regex based domain names used in URIs.
DS	Delegation signer	Enter the signer to identify DNSSEC signing key of a delegated zone.
CDS	Child DS	Enter Child copy of DS record, for transfer to parent.
EUI48	MAC address (EUI-48)	Add uniquely identified MAC address as per the EUI-48 specification.
EUI64	MAC address (EUI-64)	Add uniquely identified MAC address as per the EUI-48 specification.
AFS	AFS record	Enter the AFS record.
DNSKEY	DNS Key	Enter the type, protocol, algorithm, and public key.
CDNSKEY	Child DNS Key	Enter the type, protocol, algorithm, and public key.
LOC	Location information	Enter geographical details such as latitude, longitude, hemispheres, etc.
SSHFP	SSH Key Fingerprint	Enter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key.
TLSA	TLS Certificate Association	Enter the usage, selector, matching type, and association data.
CERT	Public Key Certificate	Enter the type, key tag, algorithm, and certificate.

Note: Use the Add item button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone.

Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record step.

Step 4: Configure specific resource record sets group.

This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.

Enable Show Advanced Fields in the Resource Record Sets section.
Click Add Item in the appeared Additional Resource Record Sets section. This opens new resource record sets form.
Enter a Name in the metadata section.
Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.
Configure the records in the same way as mentioned in previous step.
Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.
Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.

Step 5: Optionally, enable DNSSEC and load balancer management.

In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.

Note: DNSSEC Mode is disabled by default.

Check the Allow HTTP Load Balancer Managed Records checkbox if you want your load balancer to manage your zone records.

Note: Allow HTTP Load Balancer Managed Records is unchecked by default. In the future, Distributed Cloud Services will remove the entry for Delegated Domain from the Console, which means that you will need to create a DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly. Also, the DNS delegation from the parent zone (registrar most of the times) must be done towards ns1.f5clouddns.com and ns2.f5clouddns.com.

Step 6: Complete creating the primary zone.

Click Apply in the primary zone configuration form.

PrimaryZoneConfig — Figure: Primary Zone Configuration

Click Save and Exit in the main zone configuration form to complete creating the primary zone.

Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.

Create Secondary Zone

Prior to creating secondary zone, ensure that you allow queries from F5 Distributed Cloud IP ranges to your DNS servers.

Log into Console and perform the following:

Step 1: Navigate to zone management and start adding a zone.

Click DNS Management service on the Console home page.

Select DNS Management option in the primary navigation menu located on the left side of the page.
Click Add Zone.
Enter domain or subdomain name in the Domain Name field in the metadata section. Ensure that you enter the same domain name used in primary zone configuration.
Optionally, set labels and add a description.

Step 2: Start configuring secondary zone.

Select Secondary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Configure under the Secondary DNS Configuration field. Do the following in the zone configuration form:

Enter IP addresses for the list of primary zone servers in the List of zone primary servers field. Use the Add item button to add more than one primary server.
Enter the Transaction Signature (TSIG) key name in the TSIG key name as used in TSIG protocol extension field.
Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.

Note: Configuring TSIG key and algorithm is optional. However, it is recommended that you use at least the HMAC-SHA256 algorithm in case you configure TSIG.

Click Configure in the TSIG key value in base 64 format section to encrypt your secret, and do one of the following:
- Paste your secret in the Secret to Blindfold field, and click Apply. The secret type Blindfolded Secret and action Blindfold New Secret are set by default and your secret is encrypted using Blindfold. You can optionally change the action to Use Existing Blindfolded Secret to add an existing encrypted secret, or use a custom policy instead of a built-in policy using the Policy Type field.
- In case you want to use a clear secret, select Clear Secret for the Secret Type field, and paste secret in the Secret field. The option text is populated by default, and you can apply Base64 encoding by changing the selection to Base64. Click Apply

Note: Ensure you obtain the base64 encoded secret if you choose Base64 option for clear secret. You can use echo -n <TSIG KEY> | base64 to convert your secret to Base64 encoded format.

Click Apply.

SecondaryZoneConfig — Figure: Secondary Zone Configuration

Step 3: Complete configuring secondary zone.

Click Save and Exit in the main zone configuration form to create secondary zone.

Step 4: Inspect the secondary zone file.

Select ... > View Zone File in the Actions column for your secondary zone object. This opens the secondary zone file records in a read-only window and displays the record name, TTL, record type, and record values.
Click on any record name to open detailed information of that record.

Import Zone

In case you have an existing zone outside of F5 Distributed Cloud, you can import the zone. Note that only primary zone can be imported using the import option.

Note: If you have DNSSEC records, those records are not imported. Also, importing ALIAS record (or any other type of DNSLB record) is not supported.

Do the following to import a zone:

Step 1: Start importing zone.

Click DNS Management service on the Console home page.
Select DNS Zone Management option in the primary navigation menu located on the left side of the page.
Click Import DNS Zone.

Step 2: Set domain name and DNS server.

Enter domain name in the Domain Name field.
Enter the IP address of your primary DNS server in the Primary DNS Server field.

Step 3: Optionally, set TSIG configuration.

Click Configure in the TSIG Configuration section.
Enter the Transaction Signature (TSIG) key name in the TSIG key name field.
Click on the TSIG Key algorithm field and select an algorithm from the drop-down. Ensure that the key value for the key specified is compatible with the algorithm being selected.
Click Configure in the TSIG key value in base 64 format section.
Encrypt your secret. Paste your secret in the Secret to Blindfold section. Click Apply.
Click Apply in the TSIG configuration form.

Step 4: Complete importing the zone.

Click Save and Exit in the import configuration form to import your zone.

Monitor DNS Zone Performance

In the DNS Management service, click Overview > Performance to see a list of DNS zones.
Click the name of the zone you want to observe.

Dashboard Tab

DNSZoneDashboard — Figure: DNS Zone Dashboard

The Dashboard tab provides an overview of the traffic through the load balancer over the time period shown in the right-justified, top bar of options.

Dashboard Time Period

The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.

Information Sections

The Traffic Distribution section shows the distribution of DNS traffic per country. Hover over a colored country to see a pop-up showing the amount of traffic for that country.

Figure: DNS Zone Traffic by Country
The Top Requests section shows the number of requests for the most requested DNS records.
The Total Queries section shows the distribution of DNS queries over time in a histogram. Hover over a bar (time period) to see a pop-up showing the number of requests for that time period.

Figure: Queries by Time Period
The Query Type section shows the distribution of requests by query type.
The Response Type (by RCODE) section shows the response type quantities over time. Click an RCODE checkbox to show/hide that information in the graph. Hover over the graph to see the response count for that time.

Figure: Response Type Trend
The DNS Query Rate (by Query Type) section shows the query rate by query types over time. Click a query-type checkbox to show/hide that information in the graph. Hover over the graph to see the query type quantities for that time.

Figure: DNS Query Rate

Requests Tab

DNSZoneRequests — Figure: DNS Zone Requests

The Requests tab shows both request statistics (in the bar chart) and the specific requests received (in the table below). Use the Show/Hide Chart and Show/Hide Filter to customize the display.

Requests Time Period

The dashboard contents are dependent on the settings in the right-justified, top bar of options.

The time drop-down allows you to specify the time period for the data shown, including both quick-pick options like Last 24 hours and the ability to specify a custom time period. Custom time periods are limited to ranges within the last 30 days.
Click the Refresh button next to the time drop-down to update the contents of the dashboard manually.

Filter Options

Filtering options are above the graph and affect what's shown in the graph.

Use Add Filter to exclude or show only requests with specified characteristics. For example, select Gelocation, Not in, and US to show only requests that did not come from the United States. Note that if you do not have any requests from the US, then US will not be an option.
Check or uncheck the colored checkboxes to quickly filter by return code. The color of the checkboxes correspond to the column colors.

Request Chart Options

Hover over a bar in the chart to see specifics for that time period.
Click and drag within the chart to zoom into that time period. This will also create a time-period link above the graph (and below the checkboxes) for the previous time period. Click on a link to return to that time period.

Request Table Options

Use the Search field to only show entries containing that string.
Use the Download CSV (#) to download a comma separated values (CSV) file of all requests in the table. The number in parentheses shows the number of entries in the table, which may be more than the number of entries shown on the page.
Click the gear icon ( ⚙ ) to change the columns shown in the requests table.
Click > at the left of a request in the table to see details for that request in JSON format. Once the JSON is shown, you can switch it to YAML by using the JSON drop-down menu.
Click 10, 50, 100 below the table to change the number of table entries shown on the page.