How to set up F5 DNS Cloud Services as Secondary for BIG-IP DNS / GTM

Description

This article discusses high-level steps on how to integrate BIG-IP DNS with F5 DNS Cloud Services, and it provides information on how to transfer the zone file using the ZoneRunner utility from the Primary BIG-IP device. 

The BIG-IP DNS ZoneRunner utility allows you to manage the local BIND server configuration. Enabling zone transfers on the BIG-IP device allows DNS Cloud Services to transfer existing zones from the remote BIG-IP DNS server. 

Environment

You should consider using these procedures under the following conditions:

• You want to transfer DNS zone files using the ZoneRunner utility in BIG-IP DNS.
• You want to use the F5 DNS Cloud Service as a Secondary DNS service to provide additional redundancy and resiliency to your DNS infrastructure.

Procedure

In BIG-IP DNS, ensure each of the following:

• Adjust named.conf file to Allow Transfer as follows:

allow-transfer {
     localhost;
     F5-Cloud;
};

• The <F5-Cloud> is an ACL for the following IP addresses:

acl "F5-Cloud" {
     3.93.134.165/32;
     3.94.223.31/32;
     18.209.182.68/32;
};

• If there is a zone label < . > - this should be removed:

zone "." {
     type master;
     file "db.external.example.com";
     allow-update {
     127.0.0.1;
     localhost;
};

• Verify the file named tsig.key in the /var/named/config directory exists, and the configuration syntax is correct: 

key "<key_name>" {
     algorithm <hash_alg>;
     secret "<secret>";
};

• Include <key_name>, and remember to use the same name as it is case sensitive: 

zone "example.com." {
        type master;
        file "db.external.example.";
        allow-update {
            localhost;
        };
        allow-transfer {
            key <key_name>;
            localhost;-
        };
    };

Then the steps to create and deploy secondary Cloud Service DNS are described here. 

Here are some additional troubleshooting steps to check whether zone transfer succeed or not:

1. Log into the BIG-DNS/ GTM and use dig against the GTM/DNS listener IP address to validate what the BIG-IP DNS resolving. Then, dig against the Cloud Services' name servers.
   

   $ dig @8.8.8.8 example.com
   $ dig @ns1.f5cloudservices.com example.com
   $ dig @ns2.f5cloudservices.com example.com

2. Check the /var/log/ltm for any zone transfer errors.

   $ tailf /var/log/ltm | grep -i "zone example.com"

Related Content

• Create and deploy a secondary DNS zone
• K95300192: err zrd[PID]: 01150b21:3: RCODE returned from query: 'REFUSED'
• Issue: F5 Cloud Services DNS fails to connect to DNS Primary Server IP once it is modified
• K14421: Achieving split DNS behavior through BIG-IP DNS wide IPs
• K6963: Managing the BIG-IP BIND configuration file
• K277: Delegating a subdomain to a BIG-IP DNS or BIG-IP Link Controller system from another DNS server
• K34150459: Delegating a subdomain to a remote DNS name server from the BIG-IP DNS system
• K7032: Freezing zone files to allow manual update to ZoneRunner-managed zone files