Forum Discussion
DNS Caches and iRules
I've got a VIP handling DNS requests with a transparent cache profile on it, and I'm trying to stop queries for certain zones by sending an NXDOMAIN automatically. Is it correct to assume that this'll somehow be bypassed by the cache? It seems to be the case.
My iRule is as follows (it also points some internal domains to other nameservers):
when DNS_REQUEST {
    set query [string tolower [DNS::question name]]
    set dns_pool [class match -value -- $query ends_with dg_dns_steering]
    if [ $dns_pool eq "pool_dns_NXDOMAIN" ] {
        log local0. "nxdomain $query"
        DNS::answer clear
        DNS::header rcode NXDOMAIN
        DNS::return
    } else {
        pool $dns_pool
    }
}
And the datagroup has "example.com" : "pool_dns_NXDOMAIN" for example.
I can see it's working, because I get log events, but I can still see queries going out with tcpdump.
- iaine
Nacreous
Hi
Apart from a bracket issue on your if line - should be { rather than [
if { $dns_pool eq "pool_dns_NXDOMAIN" } {
which I'm guessing is a copy and paste issue, as the code wouldn't work otherwise, then your code works for me. When querying the VIP I can see requests for all of my DNS suffixes hitting the DNS servers, but the call for the specific host in the Data Group gets served by the iRule.
Changing your code to contains dg_dns_steering tidied this up for me.
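The difference between the two match operators discussed in this thread, as an added example that is not code from either poster: plain Tcl (runs in tclsh, outside the BIG-IP) that models ends_with and contains as simple string tests, which is an assumption about how the data group operators compare, and sets them beside a label-aware variant. The proc names, the dg dictionary standing in for dg_dns_steering, and the query names are all constructed for illustration.

```tcl
# Constructed stand-in for the dg_dns_steering data group (key -> value).
set dg {example.com pool_dns_NXDOMAIN}

# Plain string suffix test, modelling "ends_with" (hypothetical helper).
proc m_ends_with {q dg} {
    dict for {k v} $dg {
        set tail [string range $q end-[expr {[string length $k] - 1}] end]
        if {$tail eq $k} { return $v }
    }
    return ""
}

# Plain substring test, modelling "contains" (hypothetical helper).
proc m_contains {q dg} {
    dict for {k v} $dg {
        if {[string first $k $q] >= 0} { return $v }
    }
    return ""
}

# Label-aware test: the key must appear as whole, consecutive DNS labels,
# so a search-suffix-expanded name still matches but look-alikes do not.
proc m_labels {q dg} {
    # Lower-case, drop any trailing root dot, then wrap in dots so every
    # label (including the first and last) is delimited on both sides.
    set q ".[string trimright [string tolower $q] .]."
    dict for {k v} $dg {
        if {[string first ".$k." $q] >= 0} { return $v }
    }
    return ""
}

# Constructed query names: a direct hit, the same name with a resolver
# search suffix appended, and two look-alikes that are different zones.
set queries {
    www.example.com
    www.example.com.corp.test
    notexample.com
    example.community.test
}
foreach q $queries {
    puts [format "%-27s ends_with=%-18s contains=%-18s labels=%s" $q \
        [m_ends_with $q $dg] [m_contains $q $dg] [m_labels $q $dg]]
}
```

An empty result means no data group entry matched; the iRule in the question passes that value straight to pool, so the no-match case needs its own branch.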