The F5 DNS resolver cache is a feature that enables the BIG-IP system to resolve DNS queries itself, using either an iterative or a recursive method. It caches the responses it receives and answers subsequent queries for the same name from the cache, which improves DNS response time and reduces the load on upstream DNS servers.
Table of Contents
F5 DNS Resolver Cache Fundamentals
Forward Zone in DNS Resolver Cache
F5 DNS Resolver Cache Fundamentals
In the previous section, we discussed the cache types supported by F5 DNS and demonstrated the transparent cache.
In this section, we demonstrate another type, the "resolver cache", where the BIG-IP system itself resolves DNS queries and caches the responses.
Forward Zone in DNS Resolver Cache
Whether the resolver cache resolves a query recursively or iteratively depends on its "forward zone" configuration.
A forward zone pairs a domain name with a list of DNS servers; queries for names in that domain are forwarded to those servers.
When a query matches a configured forward zone, the resolver cache uses the recursive method: it sends the query to the servers listed in the forward zone and expects them to return the final answer.
When no forward zone matches (or none is configured), the resolver cache uses the iterative method: it queries a root server from the root hints, then the TLD server, then the authoritative DNS server for the name, and assembles the final answer itself. Iterative resolution only works if the BIG-IP data plane can send DNS traffic (UDP and TCP port 53) to the internet through a data interface; the management interface is not used for this traffic.
F5 DNS Resolver Cache Configuration
Create a Resolver Cache
To configure the F5 DNS resolver cache, we first create a new cache of type "Resolver".
In "DNS > Cache > Cache List", we create a new cache with the name "dns_resolver_cache" and the type "Resolver".
At the bottom of the resolver cache configuration page, the "Root Hints" field lets you supply your own list of root DNS servers, which the cache queries first when it resolves a name iteratively. Usually we leave the field blank to use the built-in default root servers.
Configure Forward Zone (Optional)
When you open the configured resolver cache, the "Forward Zone" tab lets you configure the DNS servers to which the resolver cache forwards queries for names in that zone.
In other words, when a query matches a configured forward zone, the resolver cache uses the recursive method for that query instead of resolving it iteratively from the root hints.
As an example, I configure a forward zone named "forwarder" with the DNS servers "1.1.1.1", "4.2.2.4" and "8.8.8.8".
Note that the forward zone name is the domain whose queries are forwarded, not a label for the server list: a zone named "forwarder" only matches names under "forwarder.", and any other name (such as "f5.com") would still be resolved iteratively from the root hints. To forward all queries to these servers, name the zone "." (the root zone; this is the convention of unbound, on which the BIG-IP resolver cache is built, so confirm that your version accepts it). Also keep in mind that forwarding to public resolvers discloses every query name to that third party, so choose forwarders deliberately.
Create a DNS Profile
Next we create a DNS profile that uses the configured resolver cache.
In "DNS > Delivery > Profiles > DNS", we create a new DNS profile with the existing default "dns" profile as its parent.
I name it "resolver_cache_dns_profile", enable "DNS Cache" and select the resolver cache "dns_resolver_cache", and disable "Use BIND Server on BIG-IP" so that queries the cache cannot answer are not handed to the local BIND instance; this also avoids the overhead of the BIND process.
Create a DNS Listener
In the final step, we create a DNS listener that uses the new DNS profile, and therefore the DNS resolver cache.
In "DNS > Delivery > Listeners > GTM Listeners > GTM Listeners List", we create a new listener with the name "resolve_cache_dns_listener", the IP address "192.168.2.107" and the DNS profile "resolver_cache_dns_profile".
Keep in mind that this listener now answers recursive queries for any client that can reach it. Restrict its reachability to the clients that should use it; a recursive resolver that is reachable from the internet is an open resolver and will be abused for DNS amplification attacks and cache-poisoning attempts.
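The same configuration expressed in tmsh, as an added example that is not part of the original post. It reproduces the objects created above in the GUI (resolver cache, forward zone, DNS profile and listener) and illustrates the forward zone behaviour described earlier: the zone is named "." so that every query is forwarded recursively, whereas omitting the second command leaves the cache resolving iteratively from the root hints. Object names and addresses are the ones used in this post; the use of "." as a catch-all zone name and the additional TCP listener (name "resolve_cache_dns_listener_tcp") are my assumptions and should be verified on your BIG-IP version. Lines beginning with "#" are explanatory and are not entered at the tmsh prompt.

```tmsh
# Added example (not from the original post): tmsh equivalent of the GUI steps.

# 1. Resolver cache. Leaving root-hints unset keeps the built-in root servers.
create ltm dns cache resolver dns_resolver_cache

# 2. Optional forward zone. The zone name is the domain suffix to forward;
#    "." (assumed here to be accepted as the root zone) forwards every query,
#    turning the cache into a recursive forwarder instead of an iterative resolver.
modify ltm dns cache resolver dns_resolver_cache forward-zones add { . { nameservers add { 1.1.1.1:53 { } 4.2.2.4:53 { } 8.8.8.8:53 { } } } }

# 3. DNS profile: parent "dns", cache enabled and bound to the resolver cache,
#    local BIND disabled.
create ltm profile dns resolver_cache_dns_profile defaults-from dns enable-cache yes cache dns_resolver_cache use-local-bind no

# 4. Listeners on 192.168.2.107:53. The UDP listener matches the post; the TCP
#    listener (name assumed) is added so that truncated answers can be retried over TCP.
create gtm listener resolve_cache_dns_listener address 192.168.2.107 port 53 ip-protocol udp profiles replace-all-with { udp_gtm_dns resolver_cache_dns_profile }
create gtm listener resolve_cache_dns_listener_tcp address 192.168.2.107 port 53 ip-protocol tcp profiles replace-all-with { tcp resolver_cache_dns_profile }

# 5. Review the resulting objects, inspect the cache after a test query, and persist.
list ltm dns cache resolver dns_resolver_cache
list ltm profile dns resolver_cache_dns_profile
show ltm dns cache records rrset cache dns_resolver_cache
save sys config
```

To restrict the forwarding to internal names only, replace "." with the internal domain (for example "corp.example.") and list the internal DNS servers under that zone; queries for every other name then follow the iterative path from the root hints.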
Test DNS Resolver Cache Operation
To test the DNS resolver cache, we query the new listener at "192.168.2.107" with nslookup.
For example, we query the name "f5.com". If you query the same name twice, the second answer arrives noticeably faster than the first, because it is served from the F5 DNS cache. A more reliable check than timing is to query with dig and compare the TTL in the two answers: the first answer carries the TTL set by the authoritative server, while the cached answer carries a TTL that has been counting down since the record was cached.
Note that nslookup bypasses the local client resolver cache. If the second response is faster, that is due to the cache on the DNS server, not a cache on the client.
To view the contents of the F5 DNS cache, use the command "show ltm dns cache records rrset cache dns_resolver_cache" in tmsh, where "dns_resolver_cache" is the name of the resolver cache we just created.
You can also flush the cache with "delete ltm dns cache records rrset cache dns_resolver_cache", which is useful after changing the forward zone or when you suspect a stale or poisoned record.
I would like to ask whether the outside interface (listener) should be configured to connect to the internet.
In my lab, only the management interface can connect to the internet, so I failed on this lab.
Could you please give me some suggestions?
The outside interface does not need to connect to the internet.
Hi Majid,
Thank you for your reply.
I have a further question regarding the configuration of the F5 DNS Cache (e.g., 8.8.8.8). Will the query be forwarded automatically via the management port, or how does it work if the outside connection to the internet is not available?
Thank you.
DNS traffic is not routed through the management interface but through a data interface.
The outside interface requires internet; I meant that the outside interface does not need to be accessible from the internet.
Dear Majid Asadpoor,
Thank you for your kind reply.
Regards,
Bruce Liu
I have another question: is it possible for VPN users, for instance, to use the resolver cache to serve both internal and external resolutions? I.e., forward a DNS request for internal domains to the ANS and for external domains to, say, 8.8.8.8. We have a use case where we need to provide limited access to test servers to a third party via SSL VPN; the profile for that third party is ideally full tunnel (no split) to avoid uncontrolled traffic flows during the time that the VPN is operational (which is mostly only ad hoc). So the idea is to point the DNS to the listener on the F5 BIG-IP and let the resolver cache sort out the requests, so that we don't expose our internal DNS servers to the third party?