Unbreaking the Internet and Converting Protocols
Published Apr 09, 2018
After reading this very good article, I wanted to implement DNS over TLS (DoT) on a BIG-IP in my lab environment. I am posting my working configuration here in case anyone runs into the same trouble I did, and so that someone can tell me if I got anything wrong.
The idea is the following: clients send plain DNS (UDP/53) to a listener on 10.10.1.50. That listener's DNS cache resolver forwards cache misses over TCP to a second virtual server on 10.10.1.51:53, and that standard virtual server applies a Server SSL profile and load-balances the query to 1.1.1.1:853, so only the upstream hop is DNS over TLS. Please find the full configuration below. Feel free to ask questions or give me suggestions.
# Caching resolver used by the dns_listener virtual below. The single "."
# forward zone sends every cache miss to 10.10.1.51:53, which is the
# kabe_vs_DNSoTLS virtual server on this same BIG-IP rather than a real
# name server. "use-udp no" forces those forwarded queries over TCP; that is
# required because kabe_vs_DNSoTLS only accepts tcp.
ltm dns cache resolver /Common/kabe_cache_resolver {
    forward-zones {
        . {
            nameservers {
                10.10.1.51:53 { }
            }
        }
    }
    route-domain /Common/0
    use-udp no
}
# DNS profile attached to the client-facing listener. It inherits from the
# stock dns profile and turns on caching backed by kabe_cache_resolver, so
# client queries are answered by the resolver (from cache, or by forwarding
# through the DoT virtual on a miss).
ltm profile dns /Common/kabe_dns_profile {
    app-service none
    cache /Common/kabe_cache_resolver
    defaults-from /Common/dns
    enable-cache yes
}
# Client-facing listener: this is the address LAN clients point their
# resolvers at. It has no pool; the DNS profile's cache resolver answers
# the query itself.
# NOTE(review): "source 0.0.0.0/0" means any host that can route to
# 10.10.1.50 may query it. Restrict source to the client subnets this lab
# should serve so the listener cannot be abused as an open resolver.
# NOTE(review): ip-protocol udp only. A client that retries over TCP after a
# truncated (TC) reply gets no answer here; if that matters, add a second
# listener on 10.10.1.50:53 with ip-protocol tcp and the same DNS profile.
ltm virtual /Common/dns_listener {
    creation-time 2019-11-25:21:06:30
    destination /Common/10.10.1.50:53
    ip-protocol udp
    last-modified-time 2019-11-25:22:42:12
    mask 255.255.255.255
    profiles {
        /Common/kabe_dns_profile { }
        # udp_gtm_dns is a standard UDP layer-4 profile
        /Common/udp_gtm_dns { }
    }
    source 0.0.0.0/0
    # No address/port translation: nothing is load-balanced from this
    # virtual, the resolver above generates the upstream traffic.
    translate-address disabled
    translate-port disabled
}
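# Upstream DNS-over-TLS resolver pool.
# The monitor was gateway_icmp, which only proves the address answers ping:
# a resolver whose TLS port is down would stay marked up and queries would
# be sent to it and fail. The built-in "tcp" monitor instead opens a
# connection to each member's own port (853), so the member is marked
# offline when the DoT service is unreachable.
# Cloudflare also serves DoT on 1.0.0.1:853 if you want a second member
# rather than a single point of failure.
ltm pool /Common/kabe_DNSoTLS {
    members {
        /Common/1.1.1.1:853 {
            address 1.1.1.1
        }
    }
    monitor /Common/tcp
}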
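# Server-SSL profile for the upstream DoT connection.
# The stock /Common/serverssl profile encrypts the hop but does not verify
# the resolver's certificate (its peer-cert-mode is "ignore"), so anyone
# able to intercept traffic to 1.1.1.1:853 could terminate the TLS session
# and answer as Cloudflare. This profile requires a certificate that chains
# to a trusted CA, checks the name on it, and sends that name as SNI.
ltm profile server-ssl /Common/kabe_dot_serverssl {
    app-service none
    defaults-from /Common/serverssl
    # /Common/ca-bundle.crt is the CA bundle shipped with BIG-IP; point this
    # at your own trust store if you maintain one.
    ca-file /Common/ca-bundle.crt
    peer-cert-mode require
    # cloudflare-dns.com is the name on the certificate 1.1.1.1:853
    # presents; change both lines if you switch to another DoT provider.
    authenticate-name cloudflare-dns.com
    server-name cloudflare-dns.com
}
# Internal hop: kabe_cache_resolver forwards plain DNS over TCP to
# 10.10.1.51:53, and this standard virtual wraps it in TLS toward the pool
# on port 853. translate-port must stay enabled because the listening
# port (53) differs from the pool member port (853).
ltm virtual /Common/kabe_vs_DNSoTLS {
    creation-time 2019-11-25:21:14:12
    destination /Common/10.10.1.51:53
    ip-protocol tcp
    last-modified-time 2019-11-25:23:44:16
    mask 255.255.255.255
    pool /Common/kabe_DNSoTLS
    profiles {
        /Common/f5-tcp-lan {
            context clientside
        }
        /Common/f5-tcp-wan {
            context serverside
        }
        # validating server-SSL profile defined above, instead of the
        # stock /Common/serverssl
        /Common/kabe_dot_serverssl {
            context serverside
        }
    }
    # NOTE(review): 0.0.0.0/0 lets any host that can reach 10.10.1.51 use
    # this virtual directly as a DNS-over-TCP relay to Cloudflare.
    # Restricting source to the BIG-IP's own self-IP/subnet keeps it
    # private to the cache resolver.
    source 0.0.0.0/0
    # automap SNAT: the TLS session to 1.1.1.1 originates from a self-IP
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}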
hope it helps,
Many thanks