BIG-IP / Virtual Server for UDP & TCP DNS Loadbalancing / extracting client IPs

Hi guys,

I have several VS that do loadbalancing to DNS servers. All of VS have AutoMap configured. The real DNS servers only see the SNATed client IP of the BIG-IP because of AutoMap. Currently there is no way to change that configuration.

I need to extract the client IP address that is querying DNS RRs. I tried different ways, found one solution that is not recommended (local logging) and I am currently stuck with HSL.

Because of AutoMap I tried to figure out the client IPs with iRules. I found one for UDP here: https://community.f5.com/t5/technical-forum/log-dns-queries-with-irule/td-p/212655

when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
  log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}

For TCP here: https://my.f5.com/manage/s/article/K33126241

when CLIENT_ACCEPTED {
  log local0. "[virtual] - client ip=[IP::client_addr]:[TCP::client_port]"
    }

Both iRules work gread. The logs were written locally and to the remote syslog server; I configured the the server previously in the "Remote Logging" settings. But unfortunatley there are so many log entries for UDP that I was afraid the hard disk will be blown away some time. So I turned off logging. 

I then tried to send the logs to my remote syslog server and changed the log command in the iRule to something like this:

log <MySyslogIPaddress> "dns_src_ip=[IP::client_addr] requested dns_query=$dname"

Unfortunately I can see no logs. I found out that the command log <IPaddress> needs this:

"<remote_ip> must be a TMM-routed address. If you must route specific messages to a remote address via the management interface, you must log locally. syslog-ng is able to route messages via both TMM and management interfaces using the standard syntax. You can define an appropriate filter and remote log destination in LTM’s syslog-ng service."

• Source: https://clouddocs.f5.com/api/irules/log.html

In my environment the default route points to "mgmt". I have no special route for the syslog servers so the traffic is being routed through "mgmt". I couldn't find a way to route the traffic over a tmm-routed interface.

My next try was to solve the problem via HSL. I followed this guide: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html

I tried to trigger the HSL publisher like this:

when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    # logs locally only
    #log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"

    # high speed logging
    set hsl [HSL::open -publisher /<Partition>/<Publisher>]
    HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}

• Source: https://clouddocs.f5.com/api/irules/HSL__send.html

Unfortunately it did'nt work. There are no logs on my remote syslog server visible.

My last try was to bind the HSL publisher to a Virtual Server. But it seems that I still don't understand the whole concept of HSL. I am sort of mixed up for the moment. I hope the community can help me sorting this out.