Mar 13

Imagine if your productivity skyrocketed.

Imagine if you resolved network issues faster.

Imagine if your daily tasks were automated.

All of those things come closer to reality when you implement these 11 F5 DNS tips. With over 10 years of experience with F5 DNS, I'm here to help you become a more productive and empowered engineer.

1) Utilize the F5 Analytics iApp

I know you want more data. Analytics are everything, right? This free, no-license-required iApp collects F5 statistics and bundles them up as a JSON object. It can currently ship that JSON to one of five supported destinations: Splunk, Sumo Logic, F5 Analytics (additional software required), F5 Risk Engine, or BIG-IQ.

2) HSL logging

F5 High-Speed Logging (HSL) gives you fast, low-overhead logging of DNS traffic. You can log DNS queries, DNS responses, or both, and you can apply logging selectively per resource. For example, you can turn logging on for one wide IP, then disable and re-enable it for that wide IP as your troubleshooting needs change.

Why not just use syslog? Glad you asked. Local syslog on a BIG-IP is handled on the host side (the control plane), so heavy logging competes with everything else running there and can become a bottleneck. HSL is emitted by TMM on the data plane, which scales with your traffic, so you can log a lot of DNS data without worrying about it. You are setting yourself up for success. Two things to keep in mind: because the messages leave from TMM, the collector must be reachable through a self IP on a TMM VLAN rather than the management interface, and HSL is plain UDP or TCP with no encryption of its own, so send it over a trusted network segment and use TCP if you cannot afford silently dropped messages under load.

You can verify a destination is HSL in the F5 DNS GUI at System > Logs > Configuration > Log Destinations; open the destination and confirm that Type is Remote High-Speed Log. From tmsh, list sys log-config destination remote-high-speed-log shows the same objects.
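Once the DNS logs land on the collector you can do more with them than grep. As an added example (not code from the original post), here is a small Python parser for the BIG-IP DNS query/response lines in the BIND-style layout used by F5's remote high-speed DNS logging documentation. It totals queries and NXDOMAIN responses per client and flags clients whose NXDOMAIN share looks like DGA malware or subdomain enumeration. The sample lines, client addresses and thresholds are constructed for this example.

```python
"""Parse BIG-IP DNS query/response log lines and flag NXDOMAIN-heavy clients."""
import re
from collections import defaultdict

# Layout follows the BIND-style lines shown in F5's remote high-speed DNS logging
# documentation: "<date> <time> <client>#<port>: view <view>: query: <name> IN <type> <rest>".
# Query lines end with "+ (<vs-ip>)"; response lines carry "response: <RCODE> ...".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<client>[^#\s]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for a DNS query or response line, or None for anything else
    (syslog headers, other log types), so a mixed feed can be scanned safely."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rest.startswith("response: "):
        rec["kind"], rec["rcode"] = "response", rest.split()[1]
    else:
        rec["kind"], rec["rcode"] = "query", None
    return rec


def summarize(lines):
    """Per-client totals: queries, responses, NXDOMAIN responses, distinct names asked."""
    per_client = defaultdict(lambda: {"queries": 0, "responses": 0, "nxdomain": 0, "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = per_client[rec["client"]]
        if rec["kind"] == "query":
            c["queries"] += 1
            c["names"].add(rec["qname"].lower())
        else:
            c["responses"] += 1
            if rec["rcode"] == "NXDOMAIN":
                c["nxdomain"] += 1
    return dict(per_client)


def flag_suspicious(summary, min_responses=5, nx_ratio=0.5):
    """Clients with enough responses whose NXDOMAIN share is at or above nx_ratio.
    Many NXDOMAINs across many distinct names is the usual footprint of DGA malware
    or subdomain enumeration; the thresholds are assumptions, tune them to your baseline."""
    return sorted(
        client for client, c in summary.items()
        if c["responses"] >= min_responses and c["nxdomain"] / c["responses"] >= nx_ratio
    )


# Constructed sample feed: one normal client, one client probing made-up names,
# and one unrelated syslog line that the parser must skip.
_BURST_NAMES = ["kq3x9z", "p0ww2l", "zz8ahx", "b7tq1m", "xxe90d"]
SAMPLE_LINES = [
    "2019-03-13 09:15:01 10.1.10.20#53120: view none: query: www.f5.com IN A + (10.1.20.5%0)",
    "2019-03-13 09:15:01 10.1.10.20#53120: view none: query: www.f5.com IN A response: NOERROR + www.f5.com. 30 IN A 10.1.30.10;",
    "2019-03-13 09:15:02 10.1.10.20#53121: view none: query: mail.f5.com IN MX + (10.1.20.5%0)",
    "2019-03-13 09:15:02 10.1.10.20#53121: view none: query: mail.f5.com IN MX response: NOERROR + mail.f5.com. 300 IN MX 10 mx1.f5.com.;",
    "2019-03-13 09:15:03 10.1.10.99#40010: view none: query: www.f5.com IN A + (10.1.20.5%0)",
    "2019-03-13 09:15:03 10.1.10.99#40010: view none: query: www.f5.com IN A response: NOERROR + www.f5.com. 30 IN A 10.1.30.10;",
    "Mar 13 09:15:04 bigip1 info tmm[1234]: unrelated message that is not a DNS log line",
]
for _i, _name in enumerate(_BURST_NAMES):
    SAMPLE_LINES += [
        f"2019-03-13 09:15:0{_i + 4} 10.1.10.99#4002{_i}: view none: query: {_name}.f5.com IN A + (10.1.20.5%0)",
        f"2019-03-13 09:15:0{_i + 4} 10.1.10.99#4002{_i}: view none: query: {_name}.f5.com IN A response: NXDOMAIN +",
    ]

if __name__ == "__main__":
    for client, c in summarize(SAMPLE_LINES).items():
        print(client, c["queries"], c["responses"], c["nxdomain"], len(c["names"]))
    print("flagged:", flag_suspicious(summarize(SAMPLE_LINES)))
```

Feed it the raw lines from your collector (the syslog header your collector prepends is ignored only if it is on a separate line; strip it first if it is prepended to the same line) and use the per-client distinct-name count alongside the NXDOMAIN ratio so a single misconfigured host hammering one bad name does not trip the rule.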

 

3) Automated F5 Backups

Nothing hurts productivity like rebuilding an F5 DNS from scratch after a disaster, so keep backups. A free, open-source F5 iApp automates the backup for you and adds automatic pruning options, so you won't fill up your backup server's disk. One caveat: a UCS archive contains the device's SSL private keys and credentials, so protect the backup destination like a secret store and use the UCS passphrase option so the archive is encrypted at rest. The link to the iApp is at the bottom of the article.

 

4) tmsh AVR list commands

The F5 AVR module is free no matter which license you pick (Good, Better, Best). Simply provision AVR under Resource Provisioning and use the graph data in the GUI. After provisioning AVR, set a statistics sampling rate in the relevant DNS profile and try out some of the tmsh commands below.

show analytics dns report view-by query-name limit 3

show analytics dns report view-by query-type limit 3

show analytics dns report view-by client-ip limit 3

show analytics dns report view-by query-name drilldown { { entity query-type values {A}}} limit 3

show analytics dns report view-by query-type drilldown { { entity query-name values {www.f5.com}}} limit 3

show analytics dns report view-by client-ip drilldown { { entity query-type values {A}}} limit 3

 

5) Export PDF AVR DNS reports

You can schedule DNS reports to be emailed to you as attachments. I suggest creating an email filter that marks them read and files them in a dedicated folder; over time you will have a set of baseline reports that lets you spot anomalies faster. When creating the report, pick a few key websites in your company that you tend to troubleshoot often.

 

6) Configure DNS SNMP Polling/ SNMP Traps

Are you looking for one CLI command to check stats on your F5 DNS? Look no further than snmpwalk. Point it at the F5 enterprise OID (.1.3.6.1.4.1.3375) and grep for whatever you want; the example below was run on the box itself against 127.0.0.1. Two caveats before you copy it onto a production unit: it uses SNMPv2c with the default community string public, so whatever community or user your NMS polls with should be a non-default one (SNMPv3 with authentication and privacy preferred), and the agent's client allow list (System > SNMP > Agent > Access (v1, v2c)) should be limited to your poller's addresses.

[root@F51_v12:Eval:Active:Standalone] config # snmpwalk -c public -v 2c 127.0.0.1 .1.3.6.1.4.1.3375 | grep StatPktsPerSec

F5-BIGIP-GLOBAL-MIB::gtmDcStatPktsPerSecIn."/Common/DataCenter1" = Counter64: 55

F5-BIGIP-GLOBAL-MIB::gtmDcStatPktsPerSecIn."/Common/DataCenter2" = Counter64: 53

F5-BIGIP-GLOBAL-MIB::gtmDcStatPktsPerSecOut."/Common/DataCenter1" = Counter64: 55

F5-BIGIP-GLOBAL-MIB::gtmDcStatPktsPerSecOut."/Common/DataCenter2" = Counter64: 53

F5-BIGIP-GLOBAL-MIB::gtmVsStatPktsPerSecIn."/Common/Generic_Host_DataCenter2"."Public_IP_of_host" = Counter64: 0

F5-BIGIP-GLOBAL-MIB::gtmVsStatPktsPerSecIn."/Common/Generic_Host_DataCenter1"."DataCenter1_Generic_host1" = Counter64: 0

F5-BIGIP-GLOBAL-MIB::gtmVsStatPktsPerSecOut."/Common/Generic_Host_DataCenter2"."Public_IP_of_host" = Counter64: 0

F5-BIGIP-GLOBAL-MIB::gtmVsStatPktsPerSecOut."/Common/Generic_Host_DataCenter1"."DataCenter1_Generic_host1" = Counter64: 0

 

7) Use the New F5 DNS Dashboard in v14

Not a CLI junkie? You can now use the new and improved JavaScript dashboard available natively in the F5 GUI in v14 and above. It comes preloaded with a DNS view. You can find it in the F5 GUI under Statistics > Dashboard. It gives you a quick overview of your DNS environment and lets you click through F5 DNS objects dynamically.


 

8) Import the F5 DNS MIB in your SNMP NMS

Get quicker stat collection and richer graphing for your GTM objects (wide IPs, pools, links, servers, and data centers) by importing F5-BIGIP-GLOBAL-MIB.txt into your NMS. The file is available from the "About" section of the F5 GUI or from /usr/local/www/docs/mibs/ on the device.

 

9) Utilize DNS Express instead of Traditional Bind

DNS Express lets the F5 act as an authoritative DNS server that answers out of RAM, which gives you 500x the performance of a traditional BIND server. If you have several Windows or Linux machines hosting DNS zones, consolidate those zones onto your F5 DNS. As of v14 there is support for hundreds of millions of records, which for many customer environments is enough to start decommissioning DNS servers and move to a single F5 DNS (one F5 DNS at each data center, of course). Two caveats: DNS Express is a secondary, so it loads zones by AXFR/IXFR from an authoritative primary (a hidden primary you keep, or the local BIND on the BIG-IP), and that zone source does not go away entirely; and the zone transfers and NOTIFY messages into the BIG-IP should be authenticated with TSIG keys and restricted to the primary's address so nobody can feed you a bogus zone.

 

10) F5 Automation:

Automation is all the rage right now, and it is an obvious way to boost your productivity (in the long run). There are many flavors and tools to automate with. If your company is knee deep in automating its network processes and you have a large F5 environment, F5 BIG-IQ is probably the best way to go. BIG-IQ also provides centralized management through its own REST API.

If you have a small to mid-size F5 environment, or you are an F5 consultant, you can start dabbling in iControl REST for a handful of repeatable use cases. F5 DNS has full iControl REST support in v14. Whichever route you take, give your automation a dedicated service account with the least role it needs (Operator or Guest for read-only reporting, Administrator only where writes are required) rather than reusing the admin account.

Yet another option is Ansible playbooks. You can run playbooks that use iControl REST directly against each F5, or run them against BIG-IQ and have BIG-IQ push the configs to all F5 devices. Using BIG-IQ and Ansible together gets you the BIG-IQ dashboards and ties F5 automation into your existing Ansible environment.

Ansible also helps organizations manage BIG-IP DNS configurations and route user traffic. For example, for an application running across multiple data centers, an administrator can use Ansible to automate the BIG-IP DNS configuration that controls data center availability and re-route all user traffic to a different data center. By automating every stage of the deployment process, from licensing through application deployment, Ansible and F5 let organizations save time, reduce the management burden, and get the business benefits of real network automation.
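As an added example of iControl REST from Python (not code from the original post or from F5), here is a read-only audit that logs in with token authentication and then runs two of the checks from this article: that your log destinations are Remote High-Speed Log objects (tip 2) and which GTM pools are still on round-robin (tip 11). The endpoints, the X-F5-Auth-Token header and the loadBalancingMode field are the real iControl REST ones; the OfflineSession class, its JSON payloads, the host name bigip.example.test and the svc-audit account are constructed so the example runs without a BIG-IP. The requests library is assumed to be installed only when you point it at a live device.

```python
"""Read-only iControl REST audit: token login, HSL destination check, GTM pool LB-method check."""
import json
from urllib.parse import urlsplit


class IControlRest:
    """Minimal iControl REST client. Logs in once with token auth and sends the
    X-F5-Auth-Token header on every later call instead of re-sending the password."""

    def __init__(self, host, username, password, session=None, verify=True):
        if session is None:
            import requests  # assumed installed; only needed against a live BIG-IP
            session = requests.Session()
        self.base = f"https://{host}"
        self.session = session
        self.session.verify = verify  # keep True in production; trust the device's CA, not "False"
        resp = self.session.post(
            f"{self.base}/mgmt/shared/authn/login",
            json={"username": username, "password": password, "loginProviderName": "tmos"},
        )
        resp.raise_for_status()
        self.session.headers["X-F5-Auth-Token"] = resp.json()["token"]["token"]

    def get(self, path):
        resp = self.session.get(f"{self.base}/mgmt/tm/{path}")
        resp.raise_for_status()
        return resp.json()


def hsl_destinations(client):
    """Tip 2 check: names of log destinations whose type is remote-high-speed-log."""
    items = client.get("sys/log-config/destination/remote-high-speed-log").get("items", [])
    return sorted(item["name"] for item in items)


def pools_by_lb_mode(client):
    """Tip 11: map each GTM A pool's fullPath to its loadBalancingMode."""
    items = client.get("gtm/pool/a").get("items", [])
    return {item["fullPath"]: item["loadBalancingMode"] for item in items}


def round_robin_pools(client):
    """Pools still on the default round-robin method, i.e. candidates for a dynamic method."""
    return sorted(path for path, mode in pools_by_lb_mode(client).items() if mode == "round-robin")


class _Resp:
    def __init__(self, payload, status=200):
        self.payload, self.status_code = payload, status

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}: {self.payload}")

    def json(self):
        return self.payload


class OfflineSession:
    """Constructed stand-in for requests.Session so the example runs without a BIG-IP.
    The payloads are made up for this example but follow the iControl REST collection shape."""

    TOKEN = "CONSTRUCTED-TOKEN"
    ROUTES = {
        "/mgmt/tm/sys/log-config/destination/remote-high-speed-log": {"items": [
            {"name": "hsl-splunk", "fullPath": "/Common/hsl-splunk",
             "poolName": "/Common/splunk-hsl-pool", "protocol": "tcp"},
        ]},
        "/mgmt/tm/gtm/pool/a": {"items": [
            {"name": "www-pool", "fullPath": "/Common/www-pool",
             "loadBalancingMode": "round-robin", "fallbackMode": "return-to-dns"},
            {"name": "api-pool", "fullPath": "/Common/api-pool",
             "loadBalancingMode": "virtual-server-score", "fallbackMode": "return-to-dns"},
        ]},
    }

    def __init__(self):
        self.headers = {}
        self.verify = True

    def post(self, url, json=None):
        if urlsplit(url).path == "/mgmt/shared/authn/login" and (json or {}).get("username") == "svc-audit":
            return _Resp({"token": {"token": self.TOKEN}})
        return _Resp({"message": "login failed"}, 401)

    def get(self, url):
        if self.headers.get("X-F5-Auth-Token") != self.TOKEN:  # no token, no data
            return _Resp({"message": "unauthorized"}, 401)
        payload = self.ROUTES.get(urlsplit(url).path)
        return _Resp(payload) if payload is not None else _Resp({"message": "not found"}, 404)


def audit(session=None, host="bigip.example.test", username="svc-audit", password="not-a-real-password"):
    """Run both checks; defaults to the constructed offline session."""
    client = IControlRest(host, username, password, session=session or OfflineSession())
    return {"hsl_destinations": hsl_destinations(client), "round_robin_pools": round_robin_pools(client)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Against a real device, call audit() with no session, a host name that matches the device certificate and the read-only service account's credentials; everything this script does is a GET, so a Guest or Operator role is enough.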

 

11) Choose a Better DNS LB method:

So, chances are you are using basic Round Robin as your DNS load balancing method. Consider a more robust dynamic method. Round Robin may be working fine, but suppose you switch from RR to a dynamic method such as Virtual Server Score: you gain predictability about where your traffic is going and why. Why is that important? You become familiar with how your network behaves, which puts you one step closer to troubleshooting an application issue when one occurs.

Or, say you have active/active data centers. You may want the Least Connections method so you use both DCs at the same time, and you won't have to build complex BGP or iWAN configurations to do it.

Static routes are to dynamic routes what static LB methods are to dynamic LB methods. Static routes give you little visibility when there is a problem. A dynamic protocol like BGP provides additional insight: how long a peer has been down, hints in the logs, or BGP looking-glass tables for spotting upstream problems.

The point I'm trying to convey is that it's good practice, in my mind, to run thorough monitoring and carefully chosen LB methods so you have a better idea of why something is failing when it happens. One caveat with dynamic methods: they depend on metrics arriving from your LTMs over iQuery, so check the pool's alternate and fallback methods too. If a metric outage drops the pool to its fallback and that is still the default Return to DNS, your carefully chosen algorithm quietly becomes whatever BIND answers.

Most engineers want to be productive and operate with the best tools out there, but here’s the problem; they’re inundated with projects, multiple clients, and not enough time. So instead of excelling, they are running on the hamster wheel trying to catch up. I’ve been there so I know these 11 tips will help increase your productivity.

If you’re ready to learn more about F5 DNS, check out my video series on F5 302 DNS course at INE.


 
Further Reading/Resources:

Configuring Remote High-Speed DNS Logging: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-dns-services-implementations-14-1-0/12.html#guid-e9148aee-acc5-4341-a7dc-1ab1cb7ad25f

F5 Automated Backup iApp: https://github.com/tabernarious/f5-automated-backup-iapp

Scheduling Reports: https://support.f5.com/kb/en-us/products/big-ip_analytics/manuals/product/analytics-implementations-13-0-0/3.html

Common iControl REST API command examples: https://support.f5.com/csp/article/K13225405

BIG-IP DNS iControl REST API and tmsh commands: https://support.f5.com/csp/article/K86953011

 

 

About TJ Vreugdenhil

TJ Vreugdenhil is a Network Consultant who helps customers design, scale, implement, and secure their network in a way that makes the most sense to their business. He is an F5 Certified Solution Expert in Security and a CCIE in Routing and Switching. His current focus areas include Network Security, starting with CheckPoint Firewalls in R65, Palo Alto Networks, Ansible automation, F5 Cloud and Automation, and Cisco Firepower. TJ grew up in Northwest Iowa and later moved to the Kansas City area, where he lived for 9 years. He later decided to get back to his roots and now lives in Northwest Iowa with his wife and two boys. Outside of work, TJ enjoys racquetball, guitar, BBQ, and living with purpose. "I love what I do, and I am blessed with the many opportunities I have to work with many different clients and networks." *The postings on this site are my own and don't necessarily represent Sirius's positions, strategies, or opinions.