For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mtanfin_90263's avatar
mtanfin_90263
Icon for Nimbostratus rankNimbostratus
May 16, 2011

DNS_REQUEST

Hi everybody,

 

 

I have some trouble with the behavior of the GTM when a DNS_REQUEST occurs.

 

 

I would like to manage the request according to the type of the DNS_REQUEST.

 

I want to get the GTM to process if the type is "A" or "CNAME", forward to a DNS server if "MX", "NS" or "SOA", and reject the request if the type is another one.

 

 

Normally, the DNS::rrtype give us the opportunity to manage all the types of DNS but the GTM enters in the irules only if the rrtype is "A". Is it normal?

 

 

Here is my irule :

 

 

when DNS_REQUEST {

 

log "RRType : [DNS::rrtype]"

 

if { ([DNS::rrtype] != "A") or

 

([DNS::rrtype] == "CNAME")

 

} {

 

if { ([DNS::rrtype] == "MX") or

 

([DNS::rrtype] == "NS") or

 

([DNS::rrtype] == "SOA")

 

} {

 

forward

 

}

 

else {

 

reject

 

}

 

}

 

}

 

 

 

When the DNS_REQUEST is a "A" one, the GTM enters the irule otherwise it doesn't enter the irule.

 

How can i do to get the GTM have that behavior?

 

 

Thanks,

 

 

Marylène

 

application delivery
dev
devops
iRules

6 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    May 16, 2011
    Hi Marylène,

     

    I have you tried the following

     

     

    
when DNS_REQUEST {
   Log local.0 "RRtype : [DNS::rrtype]"
   if { !([DNS::rrtype] eq "A") or ([DNS::rrtype] eq "CNAME") } {
     switch -glob [DNS::rrtype] {
       "MX" -
       "NS" - 
       "SOA" { 
               forward 
                  }
        default {
               reject 
                     }  
    }
  }
}

     

     

    NOTE: This is untested code

     

     

    I hope this helps

     

     

    Bhattman

     

     

  • mtanfin_90263's avatar
    mtanfin_90263
    Icon for Nimbostratus rankNimbostratus
    May 16, 2011
    Same thing, the irule is not activated when a DNS request occurs.

     

    There is nothing with "RRtype" in the log file..

     

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    May 16, 2011
    Hi Marylène

     

    So there is the value of [DNS::rrtype] is completely empty in the GTM or LTM log file?

     

     

    Bhattman
  • mtanfin_90263's avatar
    mtanfin_90263
    Icon for Nimbostratus rankNimbostratus
    May 16, 2011
    When the type of the request is A, I can see the log DNS:RRType in the log.

     

    When the request is another type, i can't see anything with RRType in the log...

     

    I think the irule is not activated in that case..
  • mtanfin_90263's avatar
    mtanfin_90263
    Icon for Nimbostratus rankNimbostratus
    May 17, 2011
    I found the reason. The TMOS first check the request, and if the rrtype is A,AAAA,A6 or CNAME, it sends the request to the gtm otherwise it forwards the request to the DNS server. So we can just use these rrtype in a GTM irule.

     

     

    Thanks Bhattman