Zone transfer and dns-express
Jing Lin
2011.9.19
V1.0
© F5 Networks, Inc.

| Version | Date | Author | Note |
|---|---|---|---|
| 1.0 | 2011.9.19 | Jing Lin | |
Zone transfer
• Slave name servers pull zone files from the master name server.
• There are two types of zone transfer, AXFR and IXFR.
• AXFR is a full zone transfer.
• IXFR is an incremental transfer.
Zone transfer
• When a slave name server starts up for the first time, it requests an AXFR from the master server.
• After the first transfer finishes, the slave checks for updates on the master by sending an IXFR; the checking interval is the refresh value of the SOA record. It falls back to AXFR if the master does not support IXFR.
• BIND's default behaviour supports both AXFR and IXFR.
notify
• So that slaves learn about updates from the master as soon as possible, the master sends a NOTIFY to all slave servers; by default the master only sends NOTIFY messages to the slave servers listed in the zone file (its NS records).
• The "also-notify {ip port}" statement makes the master also send NOTIFY to those servers, in addition to the slaves listed in the zone.
• When a slave receives a NOTIFY, it sends an SOA query to the master and compares the master's serial number with its own; if the master's serial number is greater, the slave starts an IXFR, and if the IXFR fails it uses AXFR.
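The refresh and NOTIFY behaviour on the two slides above, modelled as a small state machine. This is an added example, not code from the slides or from BIND: the zone name and master address match the deck, the refresh and retry values are constructed, and two details go beyond what the slides state and are assumptions here: serials are compared with RFC 1982 serial-number arithmetic rather than a plain "greater than", and a NOTIFY is honoured only when it comes from the configured master (BIND's default allow-notify behaviour).

```python
"""Secondary-side zone maintenance logic (added example, not from the deck)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than serial b under RFC 1982 (mod 2^32)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31)


@dataclass
class SecondaryZone:
    name: str
    master: str                     # the only address a NOTIFY is honoured from
    serial: Optional[int] = None    # None until the first AXFR has completed
    refresh: int = 180              # SOA refresh in seconds (constructed value)
    retry: int = 5                  # wait before retrying a failed AXFR (constructed)
    log: List[str] = field(default_factory=list)

    def on_startup(self) -> str:
        """A fresh slave holds no copy of the zone, so it must do a full AXFR."""
        self.log.append(f"startup: AXFR {self.name} from {self.master}")
        return "AXFR"

    def on_refresh_timer(self) -> str:
        """Refresh expired: ask the master for its SOA to see if anything changed."""
        if self.serial is None:
            return self.on_startup()
        self.log.append(f"refresh: SOA query for {self.name} to {self.master}")
        return "SOA"

    def on_notify(self, source: str) -> str:
        """NOTIFY received. Only the configured master is trusted (assumption,
        matching BIND's default allow-notify); the check is the same SOA query."""
        if source != self.master:
            self.log.append(f"notify from {source} ignored (not the master)")
            return "IGNORE"
        self.log.append(f"notify from {source}: SOA query for {self.name}")
        return "SOA"

    def on_soa_answer(self, master_serial: int) -> str:
        """Compare serials; only a newer master serial triggers a transfer."""
        if self.serial is None:
            return "AXFR"
        if not serial_gt(master_serial, self.serial):
            self.log.append(f"master serial {master_serial} not newer than {self.serial}")
            return "UP_TO_DATE"
        self.log.append(f"master serial {master_serial} > {self.serial}: IXFR")
        return "IXFR"

    def on_transfer_result(self, kind: str, ok: bool,
                           new_serial: Optional[int]) -> Tuple[str, int]:
        """Return (next action, seconds until it runs) after a transfer attempt."""
        if ok:
            self.serial = new_serial
            self.log.append(f"{kind} succeeded, serial now {new_serial}")
            return ("REFRESH", self.refresh)
        if kind == "IXFR":
            # IXFR refused or failed: fall back to a full transfer right away
            self.log.append("IXFR failed, falling back to AXFR")
            return ("AXFR", 0)
        self.log.append(f"AXFR failed, retrying in {self.retry}s")
        return ("AXFR", self.retry)


if __name__ == "__main__":
    z = SecondaryZone("cnadn.net", "192.168.209.71")
    z.on_startup()
    z.on_transfer_result("AXFR", True, 2011091901)
    z.on_notify("192.168.209.71")
    z.on_soa_answer(2011091902)
    z.on_transfer_result("IXFR", False, None)
    z.on_transfer_result("AXFR", True, 2011091902)
    print("\n".join(z.log))
```

The main block walks the NOTIFY path exactly as the slide describes it: SOA query, serial comparison, IXFR, fallback to AXFR on failure, then the next refresh is scheduled.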
Master
• Master server:

```
zone "cnadn.net" {
    type master;
    allow-transfer {192.168.209.72;192.168.209.188;};
    //file "/etc/bind/db.cnadn.net.signed";
    file "/etc/bind/db.cnadn.net";
};
```

• By default BIND allows any host to run an AXFR against it, so be careful with this: restrict allow-transfer to the slave addresses, as above.
slave

```
zone "cnadn.net" {
    type slave;
    masters {192.168.209.71;};
    //file "/etc/bind/db.cnadn.net.signed";
    file "slave.db.cnadn.net";
};
```
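To catch the default that the master slide warns about (any host may AXFR the zone), here is an added audit script that reads stanzas of the kind shown on the master and slave slides and reports master zones whose allow-transfer is missing or contains "any". It is not part of the deck and not a BIND tool; the cnadn.net stanza is the one from the slides, while the example.test, open.test and secondary.test stanzas are constructed. It understands only the subset of named.conf syntax used here (zone and options blocks; //, # and /* */ comments).

```python
"""Audit BIND zone stanzas for unrestricted zone transfers (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the cnadn.net stanza from the slides plus three made-up zones
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
};

zone "cnadn.net" {
    type master;
    allow-transfer {192.168.209.72;192.168.209.188;};
    //file "/etc/bind/db.cnadn.net.signed";
    file "/etc/bind/db.cnadn.net";
};

zone "example.test" {     # constructed: no allow-transfer at all
    type master;
    file "/etc/bind/db.example.test";
};

zone "open.test" {        # constructed: explicitly open to everyone
    type master;
    allow-transfer { any; };
    file "/etc/bind/db.open.test";
};

zone "secondary.test" {   # constructed slave stanza, not subject to the check
    type slave;
    masters {192.168.209.71;};
    file "slave.db.secondary.test";
};
"""


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so commented-out lines are not parsed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block_body(text: str, open_brace: int) -> str:
    """Text between the brace at open_brace and its matching closing brace."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _word(body: str, key: str) -> Optional[str]:
    """Single-word statement such as 'type master;'."""
    m = re.search(rf"\b{re.escape(key)}\s+(\S+?)\s*;", body)
    return m.group(1) if m else None


def _acl(body: str, key: str) -> Optional[List[str]]:
    """Entries of an address list such as 'allow-transfer { a; b; };'."""
    m = re.search(rf"\b{re.escape(key)}\s*\{{([^}}]*)\}}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def parse_zones(conf: str) -> List[Dict]:
    """Return name, type, allow-transfer and masters for every zone stanza."""
    text = strip_comments(conf)
    zones = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        body = _block_body(text, m.end() - 1)
        zones.append({"name": m.group(1), "type": _word(body, "type"),
                      "allow_transfer": _acl(body, "allow-transfer"),
                      "masters": _acl(body, "masters")})
    return zones


def global_transfer_acl(conf: str) -> Optional[List[str]]:
    """allow-transfer from the options block; zones without their own inherit it."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    return _acl(_block_body(text, m.end() - 1), "allow-transfer") if m else None


def audit_transfers(conf: str) -> List[str]:
    """One finding per master zone whose AXFR/IXFR access is not restricted."""
    inherited = global_transfer_acl(conf)
    findings = []
    for z in parse_zones(conf):
        if z["type"] != "master":
            continue
        acl = z["allow_transfer"] if z["allow_transfer"] is not None else inherited
        if acl is None:
            findings.append(f'{z["name"]}: no allow-transfer (BIND default: any host)')
        elif any(t.lower() == "any" for t in acl):
            findings.append(f'{z["name"]}: allow-transfer includes "any"')
    return findings


if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_NAMED_CONF):
        print(finding)
```

A zone with no allow-transfer of its own inherits the one from the options block, so the check only reports a zone when neither level restricts transfers; an options-level "allow-transfer { none; };" with per-zone exceptions is the usual way to make the safe setting the default.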
DNS Express
GTM DNS express
• Pulls the DNS zone into memory and answers queries directly from RAM, which improves performance significantly.
• It is an LTM function, not only for the GTM module.
• Supports all RR types except AXFR and IXFR, which means you cannot run AXFR/IXFR against DNS Express.
• Supports TSIG, and supports being notified.
• Does NOT support views.
• Supports IPv6 and TCP/UDP.
• Supports DNSSEC??? (Should be, will verify it in another ppt.)
How dns express works
• It actually lives in TMM.
• zxfrd, a new process in v11, controls the zxfrd.bin file.
• TMM reads a binary db file from /var/db/tmmdns.bin.
• When an update happens, zxfrd.bin is updated first; some time later tmmdns.bin is written by zxfrd.
• In the end these two files should be the same.
How dns express works
Zxfrd state transitions
Dns request match rule
• When BIG-IP receives a DNS request:
• 1. Check whether it matches a wide IP (GTM module); if yes, answer the request according to the wide IP configuration. If no, go to step 2.
• 2. Check whether it matches a DNS Express zone; if yes, TMM answers directly from the DNS Express zone. If no, go to step 3.
• 3. Check the listener VS and decide whether the request needs to be sent to a backend DNS server (pool member).
DNS express troubleshooting
• Check /var/log/ltm and grep for the zxfrd log entries.
• Check the zxfrd process status with: bigstart status zxfrd
• zxfrd listens on ::1:5353.
• Zone transfer uses TCP port 53.
Sample logs
• When the master refuses BIG-IP's AXFR/IXFR:

```
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531010:3: Transfer of zone cnadn.net failed b/c there are no records.
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531015:3: Failed to retrieve next RR in XFR for zone cnadn.net.
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
Sep 18 10:46:31 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531010:3: Transfer of zone cnadn.net failed b/c there are no records.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531015:3: Failed to retrieve next RR in XFR for zone cnadn.net.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
Sep 18 10:46:36 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
```
Sample logs (continued)
• After the master allows BIG-IP to transfer:

```
Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.
```

• Regular checking at the SOA refresh interval:

```
Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531025:5: Serials equal (2011091901); transfer for zone cnadn.net complete.
Sep 18 10:56:06 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.
```
Sample logs (continued)
• When BIG-IP finds that the master's serial number is greater:

```
Sep 18 11:05:06 ltm6900-1 debug zxfrd[6393]: 01531206:7: Cleared zone cnadn.net from db.
Sep 18 11:05:06 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
Sep 18 11:05:06 ltm6900-1 debug zxfrd[6393]: 01531203:7: Scheduling DB dump with zone cnadn.net.
Sep 18 11:05:06 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
Sep 18 11:05:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.
```
Sample logs (continued)
• When a NOTIFY message is received:

```
Sep 18 11:21:23 ltm6900-1 notice zxfrd[6393]: 0153101c:5: Handling NOTIFY for zone cnadn.net.
Sep 18 11:21:23 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
Sep 18 11:21:23 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
Sep 18 11:21:28 ltm6900-1 debug zxfrd[6393]: 01531206:7: Cleared zone cnadn.net from db.
Sep 18 11:21:28 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
Sep 18 11:21:28 ltm6900-1 debug zxfrd[6393]: 01531203:7: Scheduling DB dump with zone cnadn.net.
Sep 18 11:21:28 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
Sep 18 11:21:28 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 60s for cnadn.net from 192.168.209.71.
```
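The troubleshooting slide says to grep /var/log/ltm for zxfrd; the sample-log slides above show what the refused, recovered and refresh cases look like. As an added example (not part of the deck and not an F5 tool), the script below parses lines in that format, keeps per-zone transfer state and raises an alert when a zone fails repeatedly, which is the "master refuses BIG-IP's AXFR/IXFR" case. The message codes are the ones visible in the slides' logs; the sample lines are copied from the slides, except for one constructed mcpd line that shows non-zxfrd entries being skipped, and the alert threshold is an assumption.

```python
"""Summarise zxfrd entries from /var/log/ltm (added example, not from the deck)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"zxfrd\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]{8}):(?P<sev>\d): (?P<msg>.*)$"
)
# Message codes as they appear in the slides' sample logs
FAILED_TRANSFER = "01531018"   # Failed to transfer zone ... will attempt AXFR
AXFR_OK = "0153101f"           # AXFR Transfer of zone ... succeeded
SERIALS_EQUAL = "01531025"     # Serials equal (N); transfer for zone ... complete
SCHEDULED = "01531023"         # Scheduling zone transfer in Ns for ... from ...

# Lines from the "master refuses" slide
REFUSED_LOGS = """\
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531010:3: Transfer of zone cnadn.net failed b/c there are no records.
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531015:3: Failed to retrieve next RR in XFR for zone cnadn.net.
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
Sep 18 10:46:31 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531010:3: Transfer of zone cnadn.net failed b/c there are no records.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531015:3: Failed to retrieve next RR in XFR for zone cnadn.net.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
Sep 18 10:46:36 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
""".splitlines()

# Lines from the "master allows transfer" slide; the mcpd line is constructed noise
RECOVERED_LOGS = """\
Sep 18 10:47:06 ltm6900-1 notice mcpd[1234]: constructed non-zxfrd line, skipped by the parser
Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.
Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531025:5: Serials equal (2011091901); transfer for zone cnadn.net complete.
Sep 18 10:56:06 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.
""".splitlines()


def zone_of(msg: str) -> Optional[str]:
    """Zone name from a message; the scheduling message names it after 'for'."""
    m = (re.search(r"\bfor (\S+?)\.? from ", msg)
         or re.search(r"\bzone (?!transfer\b)(\S+?)\.?(?:[ ,;]|$)", msg))
    return m.group(1) if m else None


def _new_state() -> dict:
    return {"status": "unknown", "consecutive_failures": 0, "failures_total": 0,
            "last_success": None, "next_transfer_s": None, "master": None, "serial": None}


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Fold zxfrd lines into a per-zone state dictionary."""
    state: Dict[str, dict] = defaultdict(_new_state)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # other daemons also write to /var/log/ltm
        msg, code = m["msg"], m["code"]
        zone = zone_of(msg)
        if zone is None:
            continue
        st = state[zone]
        ip = re.search(r"from (\d+(?:\.\d+){3})", msg)
        if ip:
            st["master"] = ip.group(1)
        if code == FAILED_TRANSFER:
            st["status"] = "failing"
            st["consecutive_failures"] += 1
            st["failures_total"] += 1
        elif code == AXFR_OK:
            st["status"] = "ok"
            st["consecutive_failures"] = 0
            st["last_success"] = m["ts"]
        elif code == SERIALS_EQUAL:
            st["status"] = "ok"
            st["consecutive_failures"] = 0
            st["serial"] = int(re.search(r"\((\d+)\)", msg).group(1))
        elif code == SCHEDULED:
            st["next_transfer_s"] = int(re.search(r"in (\d+)s", msg).group(1))
    return dict(state)


def alerts(summary: Dict[str, dict], threshold: int = 2) -> List[str]:
    """One alert per zone with `threshold` or more failed transfers in a row."""
    out = []
    for zone, st in summary.items():
        if st["consecutive_failures"] >= threshold:
            out.append(f"{zone}: {st['consecutive_failures']} consecutive failed "
                       f"transfers from {st['master']}; check allow-transfer "
                       "(and the TSIG key, if one is used) on the master")
    return out


if __name__ == "__main__":
    print(alerts(summarize(REFUSED_LOGS)))
    print(summarize(REFUSED_LOGS + RECOVERED_LOGS)["cnadn.net"])
```

Feeding the refused lines alone yields one alert naming the master address; appending the recovered lines clears it, records the 180s refresh schedule and picks up the serial 2011091901 from the "Serials equal" message, matching the sequence the slides walk through.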
Verify dns-express status
• Check the statistics of the dns-express zone from the GUI, with the data format set to unformatted.
• Check the dns-express zone colour; it should be green.
• tmsh show ltm dns dns-express
Dump dns-express to a file
• Run the command below; the result is shown on the terminal.
• dnsxdump
Debug zxfrd
• Turn on zxfrd debug:
• tmsh modify sys db log.zxfrd.level value debug
• (default is notice)
• Output will be in /var/tmp/zxfrd.out
How to config dns-express
• Create a DNS profile and enable dns-express from the LTM menu.
• Create a GTM listener or DNS virtual server and associate it with the DNS profile.
• Create a dns-express zone:
• The target IP is the master server; if using TSIG, select a TSIG key for the zone.
• Notify: keep it as "consume".
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries