For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

David_22984's avatar
David_22984
Icon for Nimbostratus rankNimbostratus
Oct 26, 2010

DNS notify loadbalancing

  I'm trying to handle the case of a loadbalanced authoritative DNS server pool. This pool has two members, however DNS notifies need to go to only one of them (the one with the master SQL databa...
application delivery
dev
devops
iRules
Nat_Thirasuttakorn's avatar
Nat_Thirasuttakorn
Icon for Employee rankEmployee
Nov 09, 2010
2 things

1) when dealing with TCP, in client_accepted, you may collect data first...do what you need in client_data, then release the data...

your irule may look like this...

when CLIENT_ACCEPTED {

TCP::collect

}

when CLIENT_DATA {

do what you what here...

TCP::release

}

2)

according to rfc 1035

4.2.2. TCP usage

Messages sent over TCP connections use server port 53 (decimal). The

message is prefixed with a two byte length field which gives the message

length, excluding the two byte length field. This length field allows

the low-level processing to assemble a complete message before beginning

to parse it.

so your binary scan command has to change to

binary scan [TCP::payload] SSS length id flags

combine both together it probably look like this... (not test) 


when CLIENT_ACCEPTED {
        TCP::collect
}
when CLIENT_DATA {
        binary scan [TCP::payload] SSS length id flags   
        set opcode [expr ($flags >> 11) & 0xf]
         Send NOTIFYs (opcode 4) to the master SQL database node.
        if { $opcode == 4 } {
                log local0. "DEBUG: NOTIFY TCP, sending to MASTER"
                node  MASTER_SERVER_IP 53
        }
        else {
                log local0. "DEBUG TCP: NOT A NOTIFY"
        }
        TCP::release
}

Nat