Forum Discussion

David_Gill's avatar
Apr 28, 2020

Bypassing DNS Cache for specific DNS queries

I have a VPN configuration where Edge Client users point to a virtual server that load balances DNS requests to three back end servers. I also have DNS transparent cache setup and everything works great. I have a new requirement which is to forward requests for three specific domains to a different pool of back end servers but ONLY if the user making the request is a member of a specific AD group.

The logic is simple:

   if { [class match [string tolower [DNS::question name]] ends_with special-dnsentries_data-group] } {
       if { [ACCESS::session data get] contains "CN=special-AD-group" } {
           pool dns_special_pool

So, if a DNS request comes in for (which is in the data group) AND the user is a member of the “special-AD-group” Active Directory group, then I forward the DNS request to the “dns_special_pool” instead of the default pool assigned to the virtual. I believe the problem I am having is that the next person who requests the same FQDN ( in this example) will receive the IP from the dns_special_pool even if they are not a member of the AD group simply because the FQDN is cached. Assuming this is what is happening, I want to disable the caching of the domains in this data group so that the DNS request always gets forwarded to a physical DNS server for resolution. What’s the best way to do this? If I just add an "else" with the default pool will the irule ignore the cache and always forward the request?

Thanks for the help.

APM 14.1.2

No RepliesBe the first to reply