F5 DNS Cloud Service Frequently Asked Questions¶
Q: How does F5 DNS Cloud Services differ from Cisco Umbrella?¶
Actually, the two services are complementary to each other.
Cisco Umbrella is a recursive cloud DNS solution—meaning clients on your network use it to resolve various domains on the internet. It protects users by inspecting their DNS queries. If it receives a query for a known bad FQDN/domain, it resolves the query to a server which hosts a blocking response page.
Alternatively, F5 DNS Cloud Service is an authoritative cloud DNS Solution—meaning clients on the internet use it to resolve your company’s domains. DNS Cloud Service provides inherent DNS redundancy, built-in DNS-targeted DDoS protection, automatic failover, and more, and it’s all built on a global anycast network to provide highly available and responsive DNS in any location.
Q: How would I perform DNS queries for the zone I am configuring in F5 Cloud Services? Are the name servers documented publicly?¶
Yes. You can query against the anycast addresses that are returned when you create a new zone, and you can find them in the details of a zone as shown below in the portal:
If you are using the API, the name servers are returned upon creation a new zone. You can see an example of this in the API Guidelines
Q: Are there any size limits for DNS Cloud Service?¶
DNS Cloud Service has a standard limit of 10,000 resource record sets per hosted zone; however, users can contact Support to request the limit be increased to 20,000. F5 Cloud Services Support page.
Q: Does DNS Cloud Service support DNSSEC?¶
Yes, DNS Cloud Service supports Domain Name System Security Extensions (DNSSEC) as a secondary DNS. The zone transfer includes all of the DNSSEC related records and allows DNS Cloud Service to respond for them as the primary would.
Q: Does the DNS Cloud Service stop responding after the SOA record Expire time passes?¶
No, the DNS Cloud Service will continue to respond to the zone indefinitely until it is explicitly removed from the service. The SOA record contains a number of parameters for a zone. Secondary authoritative DNS servers use the parameters in this record to determine how often to refresh the zone file, how often to retry in the event of failure, and the Expire field which specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative. Some secondary services stop responding once the expire limit passes, and others like DNS Cloud Service respond with the last known good answer. For more information, the SOA and its parameters are defined in RFC 1035.
Q: Why don’t I see my updated DNS records in DNS Cloud Service immediately after I make a change on my Primary DNS server?¶
As a secondary DNS server, our service performs a Zone Transfer (AXFR) based on the refresh value contained in the SOA record. If the SOA refresh value is set to 10800 seconds (3 hours), our service will only refresh its zone data every 3 hours. Lowering this value can reduce the amount of time where a secondary DNS server will have data different from the primary.
Q: How to I load balance the record for the apex of the zone?¶
You can specify an empty subdomain which represents the apex of your zone. See the following configuration and note the blank box.
This results in the following response:
prompt$ dig @ns1.f5cloudservices.com f5csdemo2.com +short 188.8.131.52
Any zone delegated to the F5 Cloud Services nameservers can have Load Balanced Records configured at any level within the delegation using this methodology.
Q: What happens when I suspend/delete/retire DNS Cloud Service for a zone?¶
When you suspend or delete/retire DNS Cloud Service for a zone, DNS Cloud Services will stop providing DNS request responses for that zone. Therefore it is very important to update your DNS records prior to taking any of these actions. Failure to update your DNS records can cause the primary DNS server to become overloaded, or if it is a hidden primary, then the zone has no DNS service and it stops working.