Forum Discussion
DNS iRule
Hi guys, I am a beginner writing iRules. I have to write an iRule on LTM to match DNS requests. The requirement is: if the request matches the FQDN and the source is a private IP, it should resolve to a private VIP; else it should resolve to the public IP. Below is my iRule. However, I am getting an error for DNS Answer. Can someone please guide me in the right direction and point out the error?
```tcl
when RULE_INIT {
    set static::whitelist_ttl "300"
}

when DNS_REQUEST {
    # debugging statement to see all questions and request details
    log -noname local0. "Client: [IP::client_addr] Question:[DNS::question name] Type:[DNS::question type] Class:[DNS::question class] Origin:[DNS::origin]"
    if { [class match $fqdn equals x.x.x.x] } {
        DNS::return
    }
}

when DNS_RESPONSE {
    # debugging statement to see all questions and request details
    log -noname local0. "Request: $fqdn_name Answer: [DNS::answer] Origin:[DNS::origin] Status: [DNS::header rcode] Flags: RD [DNS::header rd] RA [DNS::header ra]"
    if { [class match [IP::client_addr] equals private_net] } {
        DNS::answer clear
        DNS::answer insert $fqdn.$static::whitelist_ttl [DNS::question class] [DNS::question type] 10.10.10.10
        DNS::return
    } else {
        DNS::answer insert $fqdn.$static::whitelist_ttl [DNS::question class] [DNS::question type] 193.11.11.1
        DNS::return
    }
}
```
1 Reply
Hi Sachin,

you can pretty much streamline your iRule by generating the `DNS::answer` directly within the `DNS_REQUEST` event. This will make the syntax much simpler and also save a roundtrip between your F5 and your DNS servers (which is wasted computing power, since the `DNS::answer` always gets replaced).

```tcl
when RULE_INIT {
    set static::whitelist_ttl "300"
}

when DNS_REQUEST {
    if { ( [string tolower [DNS::question name]] starts_with "www.domain.tld" ) and ( [DNS::question type] equals "A" ) } then {
        log local0.debug "DNS Request match..."
        if { [class match [IP::client_addr] equals private_net] } then {
            log local0.debug "Client is private..."
            DNS::answer insert "[DNS::question name]. $static::whitelist_ttl [DNS::question class] [DNS::question type] 10.10.10.10"
        } else {
            log local0.debug "Client is public..."
            DNS::answer insert "[DNS::question name]. $static::whitelist_ttl [DNS::question class] [DNS::question type] 193.11.11.1"
        }
        DNS::return
    }
}
```

Cheers, Kai
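To make the split-horizon logic of Kai's reply testable off the box, here is an added example (not from the thread, and not F5 code) that emulates what the `DNS_REQUEST` iRule does: parse the question, decide on the client's source address, and build the wire-format answer with the same name/TTL/class/type/rdata fields that `DNS::answer insert` takes. The RFC 1918 ranges stand in for the `private_net` data group, and the query bytes are constructed, not captured.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Values taken from the thread; the private ranges are an assumed stand-in for the data group.
WHITELIST_TTL = 300
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_ANSWER = "10.10.10.10"
PUBLIC_ANSWER = "193.11.11.1"
MATCH_NAME = "www.domain.tld"

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed A query, as a stub resolver would send it to the LTM DNS listener."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg: bytes) -> Tuple[int, str, int, int, int]:
    """Return (txid, qname, qtype, qclass, end_of_question) for a single-question message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    assert qdcount == 1, "example handles exactly one question"
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1  # skip the root label
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pos + 4

def choose_answer(client_ip: str) -> str:
    """The 'class match [IP::client_addr] equals private_net' decision, done with ipaddress."""
    addr = ipaddress.ip_address(client_ip)
    return PRIVATE_ANSWER if any(addr in n for n in PRIVATE_NETS) else PUBLIC_ANSWER

def respond(query: bytes, client_ip: str) -> Optional[bytes]:
    """Answer matching A queries locally; None means no match (the LTM would forward it)."""
    txid, qname, qtype, qclass, qend = parse_question(query)
    if not (qname.lower().startswith(MATCH_NAME) and qtype == 1):
        return None
    rdata = ipaddress.IPv4Address(choose_answer(client_ip)).packed
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    # Answer RR: compression pointer to the question name, type, class, TTL, rdlength, rdata
    rr = struct.pack("!HHHIH", 0xC00C, qtype, qclass, WHITELIST_TTL, 4) + rdata
    return header + query[12:qend] + rr

def parse_answer(response: bytes) -> Tuple[int, str]:
    """Read back (ttl, address) from a response built by respond(), for verification."""
    ttl = struct.unpack("!I", response[-10:-6])[0]
    return ttl, str(ipaddress.IPv4Address(response[-4:]))
```

The two answers differ only in rdata, which is exactly the shape of the two `DNS::answer insert` branches in the reply.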