Transparent DNS proxy configuration examples

 

·     Introduction

·     Prerequisites

·     Restrictions and guidelines

·     Example: Configuring the transparent DNS proxy

 

The following information provides transparent DNS proxy configuration examples.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the transparent DNS proxy feature.

To use this feature, do not deploy DNS servers in the internal network of the enterprise. If you deploy a DNS server in the internal network, DNS requests will be forwarded to the DNS server instead of being processed by this feature.

Network configuration

As shown in Figure 1, ISP 1 and ISP 2 provide two links with the same bandwidth to an enterprise: Link 1 and Link 2. The DNS server IP address of ISP 1 is 10.1.2.100. The DNS server IP address of ISP 2 is 20.1.2.100. Intranet users use domain name www.abc.com to access Web server A and Web server B.

Configure a transparent DNS proxy on the device to evenly distribute user traffic to Link 1 and Link 2.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.

Procedures

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

¡     Select the Trust security zone.

¡     On the IPv4 Address tab, enter the IP address and mask length of the interface. In this example, enter 192.168.100.83/24.

¡     Use the default settings for other parameters.

¡     Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 10.1.1.1/24 in the same way you configure GE 1/0/1.

# Add GE 1/0/3 to the Untrust security zone and set its IP address to 20.1.1.1/24 in the same way you configure GE 1/0/1.

2.     Configure security policies.

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create.

# In the dialog box that opens, configure a security policy named Trust-to-Untrust:

¡     Enter policy name Trust-to-Untrust.

¡     Select type IPv4.

¡     Select source zone Trust.

¡     Enter source IPv4 address 192.168.100.0/24.

¡     Select destination zone Untrust.

¡     Select action Permit.

¡     Use the default settings for other parameters.

¡     Click OK.

# Configure a security policy named Local-to-Untrust:

¡     Enter policy name Local-to-Untrust.

¡     Select type IPv4.

¡     Select source zone Local.

¡     Select destination zone Untrust.

¡     Enter destination IPv4 addresses 10.1.1.0/24 and 20.1.1.0/24.

¡     Select action Permit.

¡     Use the default settings for other parameters.

¡     Click OK.

3.     Configure an ICMP probe template.

# On the top navigation bar, click Objects.

# From the navigation pane, click Health Monitoring.

# Click Create.

# In the dialog box that opens, configure an ICMP probe template:

¡     Enter template name t1.

¡     Select type ICMP.

¡     Enter 100 for the Length of data to pad field.

¡     Enter 5000 for the Probe interval field.

¡     Enter 3000 for the Probe timeout field.

¡     Use the default settings for other parameters.

¡     Click OK.

Figure 2 Creating an ICMP probe template

 

4.     Configure links.

# On the top navigation bar, click Objects.

# From the navigation pane, select Load Balancing > Links.

# Click Create.

# In the dialog box that opens, configure a link named link1:

¡     Enter link name link1.

¡     Select Manual for the Next hop config method field.

¡     Enter next hop IPv4 address 10.1.1.2.

¡     Set the link cost for proximity calculation to 0.

¡     Enable the link feature.

¡     Enable VRF inheritance.

¡     Click OK.

Figure 3 Creating link link1

 

# Configure link link2 in the same way you configure link link1.

Figure 4 Creating link link2

 

5.     Configure DNS servers.

# On the top navigation bar, click Polices.

# From the navigation pane, select Link Load Balancing > DNS Proxy.

# On the DNS Server tab, click Create.

# In the dialog box that opens, configure a DNS server named dns_a:

¡     Enter DNS server name dns_a.

¡     Select Manual for the IP address config method field.

¡     Enter IPv4 address 10.1.2.100.

¡     Enter port number 0.

¡     Enter weight 100.

¡     Enter priority 4.

¡     Select probe method t1.

¡     Set the success criteria to At least 1.

¡     Select link link1.

¡     Click OK.

Figure 5 Creating DNS server dns_a

 

# Configure DNS server dns_b in the same way you configure DNS server dns_a.

Figure 6 Creating DNS server dns_b

 

6.     Configure a DNS server pool.

# On the top navigation bar, click Polices.

# From the navigation pane, select Link Load Balancing > DNS Proxy.

# On the DNS Server Pool tab, click Create.

# In the dialog box that opens, configure a DNS server pool named dsp:

¡     Enter DNS server pool name dsp.

¡     Select scheduling algorithm Round robin.

¡     Set the success criteria to At least 1.

¡     Add DNS servers dns_a and dns_b to the DNS server pool.

¡     Click OK.

Figure 7 Creating DNS server pool dsp

 

7.     Configure IPv4 routing policies.

# On the top navigation bar, click Polices.

# From the navigation pane, select Link Load Balancing > DNS Proxy.

# In the Common configuration area on the IPv4 Routing Policy tab, select the Transparent DNS proxy option and click Apply.

Figure 8 Common configuration

 

# In the Policy area on the IPv4 Routing Policy tab, click the Edit icon for the default IPv4 routing policy named Default.

# In the dialog box that opens, configure the default IPv4 routing policy:

¡     Select forwarding mode Load balance.

¡     Select DNS server pool dsp.

¡     Click OK.

Figure 9 Editing the default IPv4 routing policy

 

Verifying the configuration

Access http://www.abc.com through the browser on the host, and verify that the device distributes the DNS requests to DNS servers dns_a and dns_b.

1.     View the DNS Server Statistics page.

# On the top navigation bar, click the Monitor tab.

# From the navigation pane, select Statistics > DNS Proxy Statistics > DNS Servers.

The DNS Server Statistics page is as follows:

Figure 10 DNS server statistics

 

2.     View the DNS Server Pool Statistics page.

# From the navigation pane, select Statistics > DNS Proxy Statistics > DNS Server Pools.

The DNS Server Pool Statistics page is as follows:

Figure 11 DNS server pool statistics