F5 3-day Partner Boot Camp - BIG-IP DNS/GTM (v14.1) Lessons 1 and 2

Captions
Hi, good morning. I'm curious if in the last 24 hours you went to go visit http://10.189.05.220. No idea? Really? Yeah, it's a very popular site. I know I've gone to HTTPS sites, but that's just really specific. Interesting. Well then, let's just move on since you don't have the answer for that question, because today what we're going to be talking about is our F5 BIG-IP DNS product. Now, important to know: this used to be known as GTM, which was the Global Traffic Manager. Sometimes you'll still see it mentioned in both formats. In today's training I'm going to specifically refer to it as BIG-IP DNS, and throughout the day we're going to cover four different lessons.

I also want to note that I will be talking about two different DNS concepts. We've got our standard DNS that's been around for years and years and years; that's when you'll see it just listed as either DNS or standard DNS. But then I'll also be talking about the F5 product, the BIG-IP DNS. Whenever I'm referring to that product it'll always be displayed as BIG-IP DNS in the materials.

So the first thing we're going to talk about this morning: we're going to go through an overview, a reminder, a review (or if it's new for you, an introduction) of just what DNS is in general, that would be standard DNS, and also how different organizations typically deploy DNS out in their environments. Then lesson two will focus more on the F5 BIG-IP DNS and what it can do compared to what standard DNS does, and talk about the different services that are available with BIG-IP DNS. Now one of the core things that BIG-IP DNS has always done is global server load balancing, or GSLB, so we're going to really talk a lot about that in lessons three and four, and there are a lot of different objects that you're going to be working with when you're setting up GSLB. In lesson three we're going to talk about setting up data centers and server objects, and then in lesson four we're going to talk about DNS virtual servers (that's different from the LTM virtual servers you've done in the past), we're also going to talk about DNS pools (that's different from the LTM pools you're used to creating), and then finally we'll talk about wide IPs.

So again, we're going to start out just by talking about why DNS even exists. DNS stands for Domain Name System. It's been around for years and years and years, and it's for names; it's helping on the internet with naming as we go out to our resources. What we're used to when we use our computers is going to friendly names like Amazon and Twitter and Google. That's how we communicate over the internet. But what we're actually doing is contacting web servers, and the web servers only know their IP address. Whether their IP address is an IPv4 or an IPv6 address is irrelevant; all the web servers know is the address. I asked you earlier if you've gone to a certain address and you didn't know that address, because you're used to those names. What DNS does is it takes those friendly names and turns them into the correct IP address so that we can communicate with those web servers. That's the purpose of DNS; that's why it's been around for so many years.

Let's talk about the process of how this happens. If it's new for you, it's kind of fascinating how this works. So a user, we're going to go to www.f5.com. Again, my computer, in order to get to the web server, needs to know the IP address, so it needs to figure out what that IP address is for that host name. Now the first thing our computers are going to do is check the local DNS cache on the workstation, because maybe we already went to this website earlier today. But if we didn't, there's nothing in the cache for that, and then what we're going to do is contact our local DNS server. Now our local DNS server is configured within our computer. So for example at work your local DNS server is typically owned by your company; if it's your home computer, your local DNS server is typically owned by your service provider, and it sits at the service provider. So you'll send a request to the LDNS and say, hey, do you have an entry for this www.f5.com? And again the local DNS will do the same thing: it'll check to see if it has this name recently resolved already in its cache, because maybe other people who have been using this local DNS have already gone to that website. But if it doesn't, now begins this hierarchical back-and-forth discussion in order for this server to find that IP address, because there are literally millions of host names that are out there in the world and there's absolutely no way they could all be contained in one file. So they are spread out on all these different kinds of DNS servers.

Now, interesting: when you see www.f5.com, in DNS language there's actually a dot at the end of that com, and that dot is what sends the local DNS server to one of the configured root DNS servers out there in the world. There are a few core root DNS servers, and all we're asking for now is to direct us to one of the many .com servers that are out there. So we have a variety of .com servers, a variety of .edu servers, a variety of .fi servers, and so when you register your domain name for your company and it's a .com name, it's going to get added to a .com server. All we need the root to do is send us to find a .com server, and that's what it's going to do: it's going to tell us where to go for that. So now the local DNS can go to the exact address of a .com server and say, hey, do you have an entry for f5.com? So amazon.com, twitter.com, they all should have a host name entry that has been added. Now typically all of these companies I just mentioned manage their own DNS server. If they've got www.amazon.com and shop.amazon.com and all these different host names for amazon.com, they're not all sitting here on the .com server. The .com server just says, listen, here is how you get to amazon.com, or in this case f5.com.

So that's going to send us to the next step, which is the f5.com DNS server, and the f5.com DNS server should have all the host names for this domain, one of which is probably www. If that host name exists, the DNS server is going to send the response back in the form of an A record, which is known as an address record in the DNS world. The address record maps together the host name and the IP address. Oh, and also, excuse me, it also has a time to live. The time to live is configured on the DNS server, and that's a way to keep that entry fresh, because a lot of times web server IP addresses do change dynamically and we want to make sure we're not sending people to an old address. So that name will be valid for 24 hours. The local DNS server is now going to add that to its cache so that any future requests from any other clients won't have to go through this process again and again; it will now use that for the time to live, the next 24 hours, before it becomes stale. Then it will send that host name entry with the IP address to the client that requested it. That client will add it to its cache, so that next time it goes to f5.com it knows the IP address, and now the client can immediately contact the web server in question via IP address as it needs to and get the web page. This entire process takes about a second and a half, everything you just saw, even though it took me five minutes to explain it. So that's how DNS works. Now, it's very simple in truth, but there are some different ways that we can deploy this, there are some different ways that we can manage it, and that's what we're going to talk about.

So first of all, let's talk about how we can manage our DNS infrastructure at our company. We have a couple of options. So first up we have our data center, we have our web servers, we have another data center with web servers. Whether this data center happens to be in a cloud, a public cloud, a private cloud, a physical data center, is irrelevant. What matters is where is that DNS server, and who is actually managing all those names for that company, the www.f5.com, the internal f5.com, who's managing all those entries? One option we have is to use a third-party provider to do all the DNS management for us, so somebody else is managing the lorax.com domain for our company. Another option is we can manage our own DNS infrastructure: we can have our own DNS servers and we can manage our DNS infrastructure ourselves.

Both of these have advantages and drawbacks. When we use this hosted solution, one of the advantages is that we don't really need any administrative staff to do all this DNS management. That's kind of nice. There's a lot less traffic coming into our data centers because none of these DNS name requests have to come to our data center; the only traffic coming to our data center is requests for our website. Because this is typically managed by a DNS expert, these companies that are DNS providers, that's all they do, they're going to be smarter, they're going to have better reliability, they're going to have fault tolerance, so we can rest assured that our DNS entries are always going to get to us, which also helps keep them safer from DDoS attacks. I like to say that that's their job; that's all they do, and they're going to do everything they can to protect all their customers' DNS entries, so they typically are going to have a good investment in security products to prevent and mitigate DDoS attacks. Oh, I'm sorry, one last thing: this is typically a good option for a small to medium-sized company that doesn't have as many resources, whether it's CapEx or OpEx or, of course, people.

Now there are some drawbacks. Reduced control: we don't really have a whole lot of control of our DNS environment. We can make the requests, we can say, hey, I need this entry added, I need this thing changed, but I have to ask for it every single time I need something done. It's also difficult to really customize our DNS environment or to add to it or extend it, because quite often the way that it's managed is fairly straightforward and regimented and we have to adhere to their rules. Also, depending upon how many DNS queries we're expecting: so we're going to put out our new public website and we're hoping we're just going to get thousands and thousands of new users in the first hour. Well, each one of those users is going to have to do a DNS query, and these companies charge based on how many queries per second they're getting, so we have to take into account that as our traffic increases, so does our cost in our DNS solution.

So maybe it's time to switch over to the in-house solution, because with an in-house solution we now have all the control. We manage this; that's a good thing. We have full control, which gives us the flexibility of modifying our DNS. We can modify our DNS names on the fly, we can completely change our old DNS name, we can change sub-names; it's just a lot of flexibility. More often than not all you really need is the server hardware and operating system. With this on Linux the actual DNS software is usually very cheap or even free, so it's not a big cost. But drawbacks: we now need to have dedicated staff to manage our DNS environment. We now need to make sure that we keep these servers regularly patched so that they're not going to be vulnerable. That's our job now to do that. So there are some of the drawbacks.

What's really advantageous for a lot of companies is to actually use a little bit of both. So for example for Lorax, they have their public presence, lorax.com, so that's where all of their public websites are: their shop.lorax.com and their www.lorax.com. But they also have loraxnet.com; that's their internal-only website, so only employees access that. So what they can do is manage their DNS environment for just their internal host names, and the DNS provider manages it for all of their public host names. That way they get the best of both: they get the protection and the security and reliability here, but the flexibility of being able to do it themselves on the internal side. Also what's nice is we have all these internal users here that I don't have in the picture, and they can be using this DNS server as their local DNS server, and so that local DNS server can now send requests it can't resolve, that it doesn't know, it can just send them here and then this will go out to the root, the .com and so forth and do all the name resolution for all of our internal users. So that's really nice as well. All right, the benefit: internal users can seamlessly access all of our internal and external resources, easier administration of user access for all the internal stuff as we have total control of this. So that's some of the benefits. All right, those are your two different deployment scenarios.

Now remember at the beginning I was talking about how we have our standard DNS, regular old standard DNS, and then we have our F5 BIG-IP DNS. In order to explain all the great benefits we have with F5's BIG-IP DNS, it's important to identify some of the limitations that we have when we're using our standard DNS. These limitations, by the way, are relevant regardless of whether we're using a hosted solution or an in-house solution; the same limitations apply. But in this example we're using a hosted solution for lorax.com and we have two different main websites: we have the www website and the shop.lorax.com website. We have two data centers, one in Seattle, one in Richmond, Virginia, and you'll notice that www.lorax.com is located on four different web servers. We did that so that we have high availability and fault tolerance. And the shopping website is on two different servers, one in each data center; this one has two in each data center.

So one of the limitations is that standard DNS does not care, doesn't care one bit, about whether any of these four www servers is even available. It does not check for server availability, which means that if the user goes to www and it picks the first IP address as the host and sends that IP address to the client, then that client is going to try to go to a server that's not even online. That's a problem, obviously. Also, most DNS servers just use standard round robin of those four entries: it sends the first request here, the second request there, the third request there, the fourth request there, to utilize all of those resources. But what if I'm connecting from Vancouver, BC, and my requests are being routed to Richmond, Virginia? That doesn't make a whole lot of sense. And again, standard DNS does not take into account if one server is overloaded or if one server is not available; it just keeps round-robining to all of them.

Also, standard DNS has no concept of stateful applications. What is a stateful application? You do some online shopping, I'm guessing, especially right before the holidays, and when you're doing your online shopping you're building a shopping cart. As you start to find something you want to buy, you find one thing at a time, one item at a time, and you want to pool up eight or nine items and buy them all together. So what happens is the user goes to shop.lorax.com, we select one of those servers and we get sent to a Seattle server, and the user begins to build their shopping cart. A shopping application is an example of a stateful application, stateful meaning I now need to stay on that server because that's where my shopping cart exists. Problem is, that user makes another request but now it gets routed to another DNS entry over here, which does not have our shopping cart. Our application is dead.

We have other challenges as well. All of the modifications, all the management up there, is manual by administrators, and we are the worst people to make mistakes: layer 8 errors, as we call them. So this administrator realized one of these servers is changing to another address, so they've got to change that entry up there from .72 to .4, they click enter, and they've got a typo; it was actually supposed to be .74, and now we have a totally incorrect DNS entry. That's not good. Also, standard DNS, watch what happens here during a DDoS attack. Any kind of a medium-sized DDoS attack, standard DNS is not very well adept at handling massive DNS DDoS attacks. Lots of limitations, and if it's not quite obvious why I would be sharing this: BIG-IP DNS is going to solve all of this for us. But we're going to get to that in just a few minutes.

Before we get to that I'm going to talk about the last two things here, which is the two different ways you deploy DNS out there in the world. Again, this is whether you're using standard DNS or BIG-IP DNS. The first is delegation mode. This enables one DNS server to use another DNS server for some of the records, not all, just some of them, through transfers. So the user has gone to www.lorax.com; we've done the "hey, where's .com?", "hey .com, where's lorax.com?", "okay, hey lorax.com, where's www.lorax.com?" So in this case Lorax is doing in-house DNS, but again this could be hosted; it doesn't matter. Now, because we're using delegation mode, the lorax.com server actually uses another DNS server for its www DNS entries, and it sends a CNAME, which is known as a canonical name record. It's an alias; it basically says, hey, go over here for what you're looking for, they can help you out. I want to point out, well first up, before I get to that, I started jumping ahead: in this case the other DNS server that we're pointing them to happens to be the BIG-IP DNS server, not just a regular DNS server, and the BIG-IP DNS server is being used solely to give out host names for the www delegation. We do have some other applications on lorax.com, we have shop.lorax.com and other lorax.com hosts and so forth; those host names are all still being given out by this DNS server. It's only giving out the CNAME alias when people ask for www.

And the benefit here, since we're using BIG-IP DNS: it's now going to come here and say, hey, do you have an entry? We have now, you know, more than one server, just like we did before, with two servers, four servers, five servers. But BIG-IP DNS can do many things. For example, it can recognize if one of those servers is offline. That's one of many things it can do. So it's never going to give out that host's address; it's going to give out .13 or .24 but never .11, so that the client will be sure of going to the correct web server to get their web page. So delegation mode, again, is where this is our regular company DNS server and BIG-IP DNS is only being used for some of the DNS work in our company. When you're using this along with BIG-IP DNS, it's important to note you don't get to take advantage of all of the great things we're going to talk about today, all the great DNS services that are available. In order to do that you would need to use what's known as authoritative screening, also known as inline mode. That will let you use all the great BIG-IP DNS services we're going to see. In short, this is going to basically let an organization offload all of their DNS stuff to the BIG-IP DNS. So in this example we've already gone to dot, .com and so forth, and the .com has now told us where lorax.com is, so now the local DNS is accessing the lorax.com DNS server. Those are some of the things that we could take advantage of, which we're going to talk about today: global server load balancing, iRules, IP geolocation, DNSSEC, which is security-related, DNS Express. We're going to hit all that in a little bit.

So now local DNS is going to contact Lorax's DNS server, and you'll notice in that graphic that again now this DNS server, it's not on the side of this DNS server, it's actually in front of this DNS server, and that's the key to inline mode. This is our front-line DNS server. We can still use this DNS server, we can still have our entries in here, but this is the DNS server that the LDNS is going to immediately contact and say, hey, do you have a record for www.lorax.com? At that point our BIG-IP DNS needs to send back an IP address for that host; it needs to do a name query response, and it can do that in a variety of ways. There are several different options that we have when we are configuring BIG-IP DNS on how it can answer those queries. For example, we can set up wide IPs, which we're going to talk about later today, lessons three and four specifically. A wide IP is used predominantly when we're using global server load balancing, GSLB; that's just one of the features that we can use with BIG-IP DNS. It's the one that's been around the longest. But let's say we don't have a wide IP, and this basically says, look, I have no wide IP for www, so it's going to move on to the next thing. The next thing it's going to check is if we have any configured DNS Express zones. We're going to talk about that in a few more minutes as well. A DNS Express zone lets us offload all of the DNS queries onto the BIG-IP DNS for a specific zone. However, we only have one DNS Express zone, loraxnet.com, which means there's no entry in there for that. So the next thing it can do is actually send the request to a downstream set of standard DNS servers, if we have that configured. In this case we do have that configured, so it's now going to go to this DNS server and say, maybe you have an entry for www? And it says, sure I do, and it sends it back, then it's going to send it back to the local DNS and so on and so forth. And then this will now be cached, or could be, I should say, maybe this may be cached on the BIG-IP DNS; we'll explain why it would or wouldn't in a few more slides. So those are the different options that we have. We don't have to use all of those; we might only be using one of those options for name query responses. But the key here, in order to utilize all these benefits, is the BIG-IP DNS must be inline, or in front of our other DNS servers in the organization.

So that's lesson one. That is a kind of overview of standard DNS. We talked a little bit about BIG-IP DNS, we're talking about some of these features, the DNS Express we mentioned and so forth. Now we're actually going to get a little bit more explanation of what some of those other features do for us. But the benefit, BIG-IP DNS services, this is where it gets exciting. So what can we do with BIG-IP DNS? We're going to talk about global server load balancing, GSLB. The concept of GSLB is to let us do a couple of things. One is we can utilize multiple data centers, and BIG-IP DNS can route requests across multiple data centers. We like to offer full availability; one of the things we're known for at F5 is we make applications available. But if all we have is our Seattle data center, I could have the biggest, best BIG-IP in there, I could have two BIG-IPs for fault tolerance and a nice pool of web servers, but when that whole data center goes down, there goes our full availability, because our five nines, the only way we can achieve five nines is to have multiple data centers, and that's what GSLB will do for us.

What's nice about using BIG-IP DNS with GSLB is we can utilize IP geolocation. Remember earlier we talked about how silly it would be for me connecting from Vancouver to be sent to the Richmond, Virginia data center; that's what standard DNS can do. With BIG-IP DNS we have IP geolocation, so we can recognize that this request is coming from Australia and it would make no sense to send that request to one of these two when we have a Singapore data center. So it's always going to send to the nearest data center based on the incoming client, and of course we can identify when an entire data center goes offline and then send it to the next smartest available data center. That's our global server load balancing.

DNSSEC: DNS Security Extensions is what that stands for. What we want to make sure that we do, remember that we're going to be getting information from other DNS servers, we're going to be getting results from other DNS servers, and it's very possible for hackers, malicious users, to put incorrect entries into our DNS server so that we're now pointing users to the wrong places, malicious places. It's known as DNS cache poisoning: they're trying to get malicious entries into our DNS cache. So DNSSEC is a feature that was enabled a while back, years ago, to help DNS servers prevent that, and we have that available on BIG-IP DNS. We also have DNS Express. I have a whole slide on this in a few more slides, but in short this enables BIG-IP DNS to completely take over the job of our other DNS server, completely or at least for one zone. We also have a lot of security built in to BIG-IP DNS; it can act as our security. And then we also have DNS64, also known as DNS 6-to-4. This is going to be very helpful for us when we have the challenge of some of our name resolution queries coming in from IPv6 clients, but all of our web servers are still using IPv4. An IPv6 client has to speak with an IPv6 server, so we can do the translation so that we can make sure that we send out the appropriate name query result for the different IP versions, and we can do all of that on BIG-IP DNS. In addition, if you are familiar with our F5 iRules, we like to say that you can pretty much do anything with an iRule except maybe wash your dishes at night, and so anything that's DNS-related that may not exist in our configuration utility right now, you can probably find a way to do it, because we have DNS iRules. So those are some of the things that are available with BIG-IP DNS.

Now we talked a little bit about attacks and security, and that BIG-IP DNS helps to protect. One of the main things it's protecting against is DNS DDoS attacks. Very, very popular; second most popular attack type out there right now. Why? I'll give you a quick example. This happened a few years ago. If I'm a hacker, I can just target the facebook.com website and do everything I can to take down that Facebook website for an hour or two, and that would give me a lot of satisfaction. But what happened a couple of years ago is we saw a lot of web servers, web applications not available: Facebook, Amazon, Twitter, they all became unavailable, because if I can take down the DNS system and we have no name resolution, no matter where the user is connecting from, when they go to facebook.com, if they can't get an IP address they're not going to get there. So taking down the DNS system has a more dramatic effect than just taking down individual web servers here and there. So it's a very popular attack type, and we have lots of built-in features with BIG-IP DNS to protect against DDoS attacks. And we also can combine it with our Advanced Firewall Manager, AFM, which also has a bunch of additional attack vector types that are DNS DDoS specific. Put the two together, you've got some amazing DNS protection that you're really not going to find on any standard DNS server. So these are some of the things you'll see: flooding requests to a given host, just trying to flood it with, you know, names; trying to do the cache poisoning we talked about, where I'm trying to put bad entries into a web server's, sorry, a DNS server's cache, so that other users that access that same host name are going to get pointed in the wrong place, and so forth. So there are some of the attack types that we're going to see with DNS DDoS attacks.

So we talked a little bit ago about DNS Express. This I think is one of the most impressive features we have in BIG-IP DNS. So right now we have all of our management of all of our host names on this local DNS server. It's an old UNIX box; now it's slowing down. Look at this BIG-IP DNS: fast, amazing. So what we're going to do is make this the authoritative DNS server for all of our host names that used to be done down here. What we do is we use what's called a zone transfer. A zone transfer will take an entire zone, like lorax.com or lorax internal .com or whatever; we'll take that entire zone. So here we have two different zones. We could take one of those entire zones and move the entire contents of that to the BIG-IP. It goes into RAM, and anything in RAM is going to be faster. And notice, by the way, we can select: we could choose to do a zone transfer for this zone and choose not to for that one. Now when the local DNS server says, hey, do you have an entry for that, it can answer every single entry for lorax.com without having to come here and talk to this DNS server. It becomes the answer for all of our queries. And not only is that nice, it's actually fantastic, because it can handle tens of millions of DNS records and, more importantly, millions of DNS queries per second, which you're going to have a hard time finding on this old UNIX box that we have here. So it's going to be a much faster DNS solution for us, and all we had to do was a zone transfer, which can take seconds to move all that information over here.

That also is going to help us with DDoS attacks, because now we are not relying on this vulnerable DNS server at all. Everything is now happening here; the buck stops here on the BIG-IP. Nothing comes inside anymore, which is nice. So for example, if somebody's trying to mess with our DNS system and do some cache poisoning on this old DNS server that doesn't have a lot of security built into it, they send this request and it gets to the BIG-IP DNS and says, hey, do you have a record for xxx.lorax.com? BIG-IP DNS says, do I? No, I don't. So it's not configured to do any other query; it's not going to go ask this server, it just simply says, sorry, no entry, and so we do not bother the back-end server with any of those bogus requests. So that's the benefit of DNS Express.

Now, if we've chosen not to use DNS Express, we have an alternative. We can just do standard caching, using DNS caching. This does have a huge drawback and limitation, and I'll explain why, but essentially, just like a local DNS or our client, if it has the name in the cache it'll give that name; if it doesn't have that name in the cache it has to go ask somebody else. So this request comes in: hey, do you have a record for www.lorax.com? It's going to look at its cache; there's nothing there, so it's now going to go to a configured server, like a configured pool of DNS servers. It'll get the answer and send the answer to the local DNS server. But now any time another request comes in, as long as the time to live hasn't expired, it can go ahead and answer it from the cache, just like a local DNS server would. That sounds good, but the problem is, when we're only using caching the BIG-IP DNS is really only going to have a few entries in its cache, for the names that have been requested a lot. It's never going to have the whole zone in its cache; that's one drawback. But another drawback is this: hey, do you have an entry for xxx? Nope, let me go check here. Now we're sending those bogus requests to the downstream server. So caching makes these DNS servers more vulnerable to DDoS attacks, because what's going to happen now: abc? No. Got def? No. No, what about ghi? It's just going to keep sending those through because they're not in its cache, and eventually the DNS server gets knocked offline. So because of that, you will notice in a few more slides that we actually disable DNS caching by default; we force you to enable it if you actually really want to use it.

So we talked about a variety of different ways that BIG-IP DNS can answer these name queries, answer these requests. If we're using all of them (let's say you could use all of them), there is an order of precedence that BIG-IP DNS takes to find the right answer to give you for your request. So take a look at this. The first thing that's important to note is, in order to set this up we have to have what's called a DNS listener. The DNS listener is the DNS server that the .com server is sending us to when we go to lorax.com; that's our DNS server address, essentially. So we're going to send this request to the DNS listener. It's now going to check to see if it has an answer for us, and the first thing it's going to check is a wide IP. We talked briefly about that earlier; we'll talk more about that later, but as a reminder, a wide IP is used for global server load balancing. The next thing, if it didn't match the name as a wide IP, the next thing it's going to check is if there's a DNS Express zone that matches that name entry. If there's not, then it's going to check its cache, if that's been enabled; maybe it hasn't been enabled. If that doesn't match, then we will see if there's a configured pool. This is not a DNS pool, by the way; that should actually say LTM pool, but it's an LTM pool of DNS servers. So those are those DNS servers that we can forward requests to if we don't have the answer. We might have that configured, we might not. If there's no matching entry there, then we have what's called a cache resolver that we can set; that's a BIG-IP feature. And then finally, if there's no matching request there, the last thing we can have configured, if we choose to, is the BIG-IP itself has its own configured DNS settings, its own DNS server that it's configured to use. We could use that DNS server as a final option. All of these, for every listener, are either going to be enabled or disabled features; we get to choose. And where we enable them or disable them is in one of two places. One of the places they might be enabled is when we actually configure the listener itself.

So we have our DNS menu. That's where we're going to do all of this stuff that we're going to do in the next several hours, all the lessons we're going to cover; everything's under the DNS menu. Under Delivery, Listeners, this is where you can create a new listener. And again, just to reiterate, a listener is going to be a DNS server that's accepting DNS requests and trying to give an answer to somebody. So I have a listener, I'm just giving a very generic name here, but this is again the IP address that the .com server is going to send requests to for their next hop. If I take this to Advanced, you'll notice that it shows you the port. We always use 53, our DNS port. I don't know why you would change that; I don't think you should. I'd also like to point out, and this is just kind of an FYI thing, that once I create this listener, once the listener is created, if I were to go to my LTM virtual servers, you'll notice that it actually has created a virtual server here as well. It's one and the same object; it just displays it here as well. There's the IP address, there's the port. That's just an FYI.

I think I told you that all of these are going to be either enabled or disabled in one of two places. So a couple of them are enabled inside of the listener, such as a pool. I'm going to use a pool that I'm going to send requests to; I would add it here. This pool you would set up under the LTM Pools menu; it would just be a pool of one or more DNS servers. But we don't have to have it; that could be set to None. The rest of all these entries, that one, that one, that one, that one, those can all either be enabled or disabled in a DNS profile. So I will create a DNS profile that has all those settings and then specify that DNS profile in the listener. So once I save this up, now let's go take a look at the profile, the DNS profile, and each listener has its own custom DNS profile, of course. So now I've got my profile on my Delivery, Profiles page. I've got this profile called custom DNS profile that we just looked at. So first thing, GSLB: remember, the wide IPs are used for GSLB, so this is how we either enable or disable the use of wide IPs from that listener. Now, that doesn't mean there's going to be a wide IP
that matches it just means I can use white ip's it's not to go create a white IP that matches you'll do that later on your exercise we all have DNS Express that's either also going either be enabled for this listener or disabled by default we have it enabled but again doesn't do anything until we actually have a DNS Express zone that we've transferred over but this just enables us to do that to use that caching DNS caching I told you that this is disabled by default we recommend that Y again because caching can make us more vulnerable to DDoS attacks so we typically keep that disabled and then also if you're using a cap it's called the caps resolver you would go create that in another spot on the big-ip and then select it here we're not going to get into that very much it's not used very often and then finally a little bit further down you will see the used bind server on big-ip option again it's either enabled or disabled and if it's enabled that enables us to use the big IDs configured DNS setting so that's how we set up this order of precedence and which of these we could potentially use to answer queries once you've got this set up once I've got my my my listener it's important to do some testing to ensure that we're getting proper name resolution so let's say I have a wide IP configured I have a DNS Express zone and I have a back-end pool of DNS servers all of them configured for my listener what I want to be able to do is I want to be able to do a name resolution and I want to verify well which of those which of those entries actually answered the query was of the white IEP that answered it was of the DNS Express own that answered it or was it the backend pool number that answered it so we can get some information by a couple of tools one is the the deed command as a standard long used DNS tool we use the deep command you're going to specify which ever DNS server you want to go ask that's our listener that's our DNS listener we created and then just put in a 
host name one of the host names and then you're going to look sorry a narrow look and see what the response is this is the response that we got from somewhere the white IP the DNS Express zone now we have a lot of tools within tools and statistics and all that built into the configuration utility so you can actually see exactly what answer that query for us now the dick command is a one-time command I run this can I get an answer I could run the command again I could get under answer we keep on going we have another DNS tool that's used quite often called DNS lookup I'm sorry nslookup name server lookup nslookup this is slightly different from dig in that when I go to nslookup I actually kind of go into a nslookup mode I'm now inside of a DNS lookup mode here and I stay inside that mode for as long as I want to and I can just look up multiple host names over and over again I put in the server that again is the DNS server address I put in a host name and then I can look at the results this is the result that was sent back we got that result from somewhere could have been the white IP could have been that DNS Express so who knows and if finally if you're using a DNS Express zone if you're using that it's important to find out once you've done this zone transfer which is actually very easy to do you're gonna do your next exercise the zone transfer again is going to take all that information from the standard DNS server and it's going to transfer it over to big IP DNS once I've done that I want to know if it was successful I want to know if it's gonna work so two ways we can identify that the first is we can just look at our standard LTM log and what we're looking for is we're looking for an entry here that says hey look the transfer of the zone f5 demo comm succeeded so we know hey don't transfer actually took place that's good in addition we can use this command DNS X dump that's gonna show us as we scroll down the air is it's going to show us every single name entry 
and IP address that was received during the zone transfer these are all now host names that the big-ip DMS can answer as a result of this zone transfer any questions so that we'll all set they're going to play within your first exercise so in this exercise you've already have DNS provisioned on your in your environment so you're going to go in you're going to create a profile add es profile and it's important to note you're actually not going to changing the center and use all the default settings to the DNS profile then you're going to create a DNS listener and a DNS pool so the DNS pool is going to be our back end lamp server that we use that has you know our DNS records and then you're going to test them name resolution just using the DNS pool the pool of DNS servers but then you're going to do the DNS Express and test that out and when you test that out the idea is to see at that point we now have two different methods of like answering names the pool and the Express zone so now when I test name resolution I want to see hey which of those two actually answered the query and then you're going to add a very simple white IP address a wide IP now when you test now you've got three different ways to answer the name and you want to verify it hated that name get answered by the ype for the DNS Express zone or the pool and that's what I want you to see in this exercise which will take about 40 minutes to complete and we'll see when we're going to exercise [Music]
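To go with the testing steps the lecture describes (dig against the listener, then checking the LTM log for the zone transfer message), here is an added Python example that is not part of the F5 course or of BIG-IP itself. It parses dig output offline to confirm which server answered, what records came back and whether the answer was flagged authoritative, and it scans log lines for the "transfer of the zone ... succeeded" wording the lecture quotes. The dig output, log lines, IP addresses and zone names are constructed samples, the log line prefix is an assumption (the real LTM log format may differ), and the helper names (`parse_dig`, `answered_by_listener`, `is_authoritative`, `zone_transfer_status`) are this example's own.

```python
"""Offline checks for BIG-IP DNS listener testing (added example, not F5 code).

Constructed samples: the dig output, log lines, addresses and zone names
below are made up; the LTM log prefix is an assumption, not the real format.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Answer(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# Constructed sample of `dig @10.1.10.53 www.f5demo.com` output (addresses made up).
SAMPLE_DIG = """\
; <<>> DiG 9.16.1 <<>> @10.1.10.53 www.f5demo.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.f5demo.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.f5demo.com.\t\t300\tIN\tA\t10.1.20.10
www.f5demo.com.\t\t300\tIN\tA\t10.1.20.11

;; Query time: 1 msec
;; SERVER: 10.1.10.53#53(10.1.10.53)
"""

# Constructed sample log lines; only the "transfer of the zone ..." wording
# comes from the lecture, the rest of each line is assumed.
SAMPLE_LOG = [
    "Jan 8 10:00:01 bigip1 info tmm[1234]: DNS Express: transfer of the zone f5demo.com succeeded",
    "Jan 8 10:00:02 bigip1 err tmm[1234]: DNS Express: transfer of the zone internal.example failed",
    "Jan 8 10:00:03 bigip1 info sshd[99]: Accepted publickey for admin",
]

_STATUS_RE = re.compile(r"status:\s*(\w+)")
_FLAGS_RE = re.compile(r";; flags:\s*([^;]*);")
_SERVER_RE = re.compile(r";; SERVER:\s*([\d.:a-fA-F]+)#(\d+)")
_XFER_RE = re.compile(r"transfer of the zone (\S+) (succeeded|failed)", re.IGNORECASE)


def parse_dig(output: str) -> Dict[str, object]:
    """Extract status, header flags, answer records and the responding server."""
    status, flags, answers = "", [], []  # type: str, List[str], List[Answer]
    server: Tuple[str, int] = ("", 0)
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = _STATUS_RE.search(line)
            status = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            m = _FLAGS_RE.search(line)
            flags = m.group(1).split() if m else []
        elif line.startswith(";; SERVER:"):
            m = _SERVER_RE.search(line)
            if m:
                server = (m.group(1), int(m.group(2)))
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip():      # a blank line ends the answer section
                in_answer = False
                continue
            parts = line.split()      # name ttl class type rdata...
            answers.append(Answer(parts[0], int(parts[1]), parts[3], " ".join(parts[4:])))
    return {"status": status, "flags": flags, "answers": answers, "server": server}


def answered_by_listener(output: str, listener_ip: str, port: int = 53) -> bool:
    """True when the response came from the expected listener address and port."""
    return parse_dig(output)["server"] == (listener_ip, port)


def is_authoritative(output: str) -> bool:
    """The aa flag means the responder answered as authoritative; a cache hit or an
    answer obtained through a recursive resolver lacks it. It does not by itself tell
    a wide IP, a DNS Express zone and an authoritative pool member apart; the
    configuration utility statistics do that, as the lecture notes."""
    return "aa" in parse_dig(output)["flags"]


def zone_transfer_status(lines: List[str]) -> Dict[str, str]:
    """Map zone name -> 'succeeded' / 'failed' from zone transfer log messages."""
    result: Dict[str, str] = {}
    for line in lines:
        m = _XFER_RE.search(line)
        if m:
            result[m.group(1)] = m.group(2).lower()
    return result


if __name__ == "__main__":
    r = parse_dig(SAMPLE_DIG)
    print(r["status"], r["flags"], r["server"])
    for a in r["answers"]:
        print(a.name, a.ttl, a.rtype, a.rdata)
    print(zone_transfer_status(SAMPLE_LOG))
```

In practice you would feed `parse_dig` the captured output of `dig @<listener-ip> <hostname>` and `zone_transfer_status` the relevant lines from the LTM log; a zone that shows up as `failed`, or a listener that never appears in the `SERVER:` line, is the first thing to chase before worrying about which source answered.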
Info
Channel: F5 Networks WW Field Enablement - WWFE
Keywords: Chris Manly
Id: qqJZnXt7Z6U
Length: 54min 25sec (3265 seconds)
Published: Wed Jan 08 2020