
K34150459: Delegating a subdomain to a remote DNS nameserver from the BIG-IP DNS system

Non-Diagnostic

Original Publication Date: Sep 7, 2017

Update Date: Sep 27, 2017

Topic

You should consider using this procedure under the following condition:

You want to delegate a subdomain from the BIG-IP DNS system (formerly known as BIG-IP GTM) to a remote DNS nameserver. You want to use the BIG-IP DNS ZoneRunner utility to perform the subdomain delegation.

Description

Most medium to large-sized organizations have multiple departments, each assigned a specific Domain Name Service (DNS) subdomain. Management of a specific DNS subdomain, also known as a zone, may be delegated to the department, allowing each department to make DNS changes when they need them. To delegate, the organization creates a delegation nameserver (NS) record and a glue (A) record on the central DNS nameserver for the delegated subdomain. The delegation and glue records point to another DNS nameserver that will be responsible for the subdomain or zone. The glue A record is required here because the nameserver ns1.test.example.com lies inside the subdomain being delegated; without it, a resolver following the referral would have no way to learn the server's address. For example, in the zone for the domain example.com, the delegation NS record and glue A record for the delegated subdomain test.example.com appear similar to the following:

ns1.test.example.com    A    192.168.10.100
test.example.com        NS   ns1.test.example.com

All DNS resource records under the subdomain test.example.com are now managed by the separate department on the ns1.test.example.com DNS nameserver using IP address 192.168.10.100.

You can delegate a subdomain from the BIG-IP DNS system to a remote DNS nameserver using the ZoneRunner utility. This article assumes that you have already configured BIG-IP DNS to answer queries for a DNS domain using a wide IP and you would like to delegate a subdomain to a remote DNS nameserver. To do so, perform the following procedures:

Prerequisites

You must meet the following prerequisites to use this procedure:

You have an existing ZoneRunner entry for the DNS domain name or subdomain name.
You have a remote DNS nameserver configured to answer queries for the delegated subdomain.
You have access to the BIG-IP DNS Configuration utility.

Procedures

Creating the delegation and glue records
Viewing the delegation and glue records
Testing the subdomain delegation

Creating the delegation and glue records

To delegate the subdomain to a remote DNS name server, you must first add a DNS delegation nameserver (NS) record and a glue (A) record to the domain zone. To do so, perform the following procedure:

Important: When adding domain names to ZoneRunner, ensure the domain name ends with a period character ( . ) so that ZoneRunner treats it as fully qualified; otherwise the zone origin is appended to the name you enter. For example, entering example.com creates example.com.example.com.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.
2. Navigate to DNS > Zones > ZoneRunner > Zone List.
3. Select the domain name under Zone Name. For example, example.com.
4. Click Add Resource Record.
5. Under Record Configuration, in the Name field, enter the fully qualified domain name (FQDN) of the remote DNS name server, including the trailing period. For example, ns1.test.example.com.
6. In the TTL field, enter the TTL value typical for your organization.
7. Ensure Type is set to A.
8. In the IP Address field, enter the IP address of the remote DNS name server. For example, 192.168.10.100.
9. If you require a reverse (PTR) record, leave the Reverse Record option selected.
10. Click Repeat.
11. In the Name field, type the subdomain that you want to delegate, including the trailing period. For example, test.example.com.
12. In the TTL field, enter the TTL value typical for your organization.
13. Ensure Type is set to NS.
14. In the Nameserver field, enter the same DNS name server used in step 5. For example, ns1.test.example.com.
15. Click Finished.
16. Optionally, enable recursion to have the local BIND server perform the necessary DNS queries on behalf of remote clients. Recursion is disabled by default, and the local BIND server then returns only DNS referrals. Enable recursion only on listeners that serve trusted clients: a recursive resolver reachable from untrusted networks is an open resolver that can be abused in DNS reflection and amplification attacks. For more information, refer to K7055: Enabling DNS recursion in the named configuration on a BIG-IP DNS system.

Viewing the delegation and glue records

To view the delegation and glue records and ensure they were created properly, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.
2. Navigate to DNS > Zones > ZoneRunner > Zone List.
3. Select the domain name under Zone Name. For example, example.com.
4. In the tab list at the top of the page, click Resource Records.
5. Ensure the Zone Name shows the appropriate domain name and Type is set to All.
6. Click Search.
7. The list of resource records should contain at least the following entries. In the following example, the BIG-IP DNS system is named dns1.example.com and has an IP address of 192.168.10.1. The remote DNS name server is named ns1.test.example.com and has an IP address of 192.168.10.100:

Note: The delegation (NS) and glue (A) records are the two bottom resource records. Each row lists the record name, view, zone, TTL, type, and record data:

example.com.           external  example.com.  11  NS   dns1.example.com.
example.com.           external  example.com.  11  SOA  dns1.example.com.
dns1.example.com.      external  example.com.  11  A    192.168.10.1
ns1.test.example.com.  external  example.com.  11  A    192.168.10.100
test.example.com.      external  example.com.  11  NS   ns1.test.example.com.

8. Continue to the Testing the subdomain delegation procedure.

Testing the subdomain delegation

To test the successful delegation of the subdomain, you need a workstation with command line access and the dig utility installed. The DNS query is sent to the listener address of the BIG-IP DNS system. To test the subdomain delegation, perform the following procedure:

Note: BIG-IP systems have the dig utility installed.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP DNS Configuration utility.
2. To determine the listener address to query, navigate to DNS > Delivery > Listeners > Listener List.
3. Under Destination, determine which IP address is reachable from your workstation.
4. Log in to the workstation and access the command line.
5. Perform a DNS lookup using the following dig command syntax:

dig @<listener address> <name in the delegated subdomain>

For example, to test the test1.test.example.com subdomain using listener address 192.168.10.1, type the following command:

dig @192.168.10.1 test1.test.example.com

6. If recursion is disabled, the BIG-IP DNS system returns only a referral to the appropriate DNS name server. For example:

Note: In the response there is no ANSWER SECTION, and you can verify the delegation in the AUTHORITY SECTION. The absence of the recursion available (ra) bit in the flags indicates that recursion is not enabled on the BIG-IP DNS system.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15751
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.test.example.com.        IN      A

;; AUTHORITY SECTION:
test.example.com.       11      IN      NS      ns1.test.example.com.

;; ADDITIONAL SECTION:
ns1.test.example.com.   11      IN      A       192.168.10.100

If recursion is enabled, the BIG-IP DNS system will obtain the appropriate A record on behalf of the client:

Note: In the response there is an ANSWER SECTION with an A record, and the presence of the recursion available (ra) bit in the flags indicates that recursion is enabled on the BIG-IP DNS system.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.test.example.com.        IN      A

;; ANSWER SECTION:
test1.test.example.com. 30967   IN      A       192.168.10.5

;; AUTHORITY SECTION:
test.example.com.       11      IN      NS      ns1.test.example.com.

;; ADDITIONAL SECTION:
ns1.test.example.com.   30962   IN      A       192.168.10.100

7. If you receive an unexpected response, query the remote DNS server directly (for example, dig @192.168.10.100 test1.test.example.com) to ensure it is configured correctly and responding as expected.
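The manual dig test above can be scripted so that the delegation is re-checked after every ZoneRunner change. The following shell script is an added example and is not part of the F5 article or of the BIG-IP product. It parses a dig response for the items the article tells you to look for (the NS record for the subdomain in the AUTHORITY section and the matching glue A record in the ADDITIONAL section), reports whether the listener answered itself and whether it offers recursion (the ra flag), and then queries the remote name server directly as step 7 suggests. The listener 192.168.10.1, the subdomain test.example.com, the name server ns1.test.example.com with glue 192.168.10.100, and the query name test1.test.example.com are the article's own values; the script name check_delegation.sh and the open-resolver note are the example's own additions. It assumes dig is installed on the workstation.

```shell
#!/bin/sh
# Added example, not part of the F5 article: turn the manual dig test into a
# repeatable check. Values taken from the article: listener 192.168.10.1,
# delegated subdomain test.example.com, remote name server ns1.test.example.com
# with glue address 192.168.10.100, and test1.test.example.com as a name inside
# the subdomain. Assumes dig is installed.

# Print the record lines of one dig section (ANSWER, AUTHORITY or ADDITIONAL)
# from the dig output on stdin; comment, blank and other-section lines are dropped.
dig_section() {
    awk -v want=";; $1 SECTION:" '
        /^;; [A-Z]* SECTION:/ { insec = (index($0, want) == 1); next }
        insec && NF >= 5 && $1 !~ /^;/ { print }
    '
}

# Print the flag letters (for example "qr rd ra") from the dig header on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Append the trailing period that dig prints on names if the caller left it off.
fqdn() {
    case $1 in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# Succeed if the response on stdin carries the delegation: an NS record for the
# subdomain in the AUTHORITY section and the matching glue A record in ADDITIONAL.
# $1 = delegated subdomain, $2 = remote name server, $3 = its glue address
delegation_ok() {
    sub=$(fqdn "$1") ns=$(fqdn "$2") glue=$3
    r=$(cat)
    printf '%s\n' "$r" | dig_section AUTHORITY |
        awk -v n="$sub" -v t="$ns" '$1 == n && $4 == "NS" && $5 == t { ok = 1 }
                                     END { exit ok ? 0 : 1 }' || return 1
    printf '%s\n' "$r" | dig_section ADDITIONAL |
        awk -v n="$ns" -v a="$glue" '$1 == n && $4 == "A" && $5 == a { ok = 1 }
                                      END { exit ok ? 0 : 1 }'
}

# Succeed if the listener resolved the name itself (an ANSWER section is present).
answered() {
    [ "$(dig_section ANSWER | awk 'END { print NR }')" -gt 0 ]
}

# Succeed if the response advertises recursion (the "ra" flag is set).
recursion_offered() {
    dig_flags | tr ' ' '\n' | grep -qx ra
}

# Live check, following the article's testing procedure: query the BIG-IP DNS
# listener for a name under the delegated subdomain and inspect the response.
# $1 = listener, $2 = delegated subdomain, $3 = remote name server,
# $4 = glue address, $5 = name under the subdomain to look up
check_delegation() {
    listener=$1 zone=$2 server=$3 addr=$4 qname=$5
    resp=$(dig @"$listener" "$qname") || { echo "FAIL: no response from $listener"; return 2; }

    if printf '%s\n' "$resp" | recursion_offered; then
        echo "NOTE: ra flag set; the listener resolves on behalf of clients."
        echo "      If untrusted networks can reach this listener it is an open resolver."
    elif printf '%s\n' "$resp" | answered; then
        echo "WARN: answered without recursion; the parent zone may hold a record for $qname"
    else
        echo "OK: referral only (recursion disabled)"
    fi

    if printf '%s\n' "$resp" | delegation_ok "$zone" "$server" "$addr"; then
        echo "PASS: $zone is delegated to $server with glue $addr"
    else
        echo "FAIL: NS or glue record missing or different; compare with the ZoneRunner record list:"
        printf '%s\n' "$resp" | dig_section AUTHORITY
        printf '%s\n' "$resp" | dig_section ADDITIONAL
        return 1
    fi

    # Step 7 of the article: ask the remote name server directly for comparison.
    echo "Direct answer from $addr:"
    dig @"$addr" "$qname" +short
}

# Usage (runs only when all five arguments are given):
#   sh check_delegation.sh 192.168.10.1 test.example.com ns1.test.example.com 192.168.10.100 test1.test.example.com
if [ "$#" -eq 5 ]; then
    check_delegation "$@"
fi
```

The parsing functions read dig output from standard input, so a saved response can be fed to them as well. Because the check compares against the expected name server and glue address you pass in, a typo in the ZoneRunner NS or glue record shows up as an explicit FAIL rather than as an intermittent resolution problem for the subdomain.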

Supplemental Information

K277: Delegating a subdomain to a BIG-IP DNS or BIG-IP Link Controller system from another DNS server
K14913: Setting the recursion bit for the gtmd process replies on the BIG-IP GTM system (10.x - 13.x)
K17329: BIG-IP GTM name has changed to BIG-IP DNS

Applies to:

Product: BIG-IP, BIG-IP DNS, BIG-IP GTM, BIG-IP Link Controller 13.0.X, 12.1.X, 12.0.X, 11.6.X, 11.5.X, 11.4.X