Forum Discussion

James_Yang_9981
Mar 01, 2006

DNS return packet rewrite, usage and performance

Hi:

I wrote a rule that can modify the DNS server response. The usage of this rule is: when the server returns a wrong result like NX-DOMAIN, BIGIP will respond and give the client a "good" result that points to a special server or address.

Thanks to the good reference from a1l0s2k9's DNS rules, at last I finished it.

The rule is like below:


when RULE_INIT {
    set ::header_without_id [binary format S5 {0x8180 0x0001 0x0001 0x0000 0x0000}]
    # predefined fixed header
    #       0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                      ID                       |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                    QDCOUNT                    |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                    ANCOUNT                    |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                    NSCOUNT                    |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                    ARCOUNT                    |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #
    # opcode = QUERY, rcode = NOERROR
    # header flags:  response, auth. answer, want recursion, recursion avail.
    # questions = 1,  answers = 1,  authority records = 0,  additional = 0
    set ::answerpart [binary format S6c4 {0xC00C 0x0001 0x0001 0x0000 0x0D1B 0x0004} {200 100 4 10}]
    # predefined fixed answer section
    # Name: same as question (0xC00C is a compression pointer to the QNAME at offset 12)
    # Type: Host address (A)
    # Class: INET
    # Time to live: 55 minutes, 55 seconds
    # Data length: 4
    # Addr: 200.100.4.10, you can modify your own IP address here
    # Data structure
    #       0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                     Name                      |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                  Answer Type                  |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |                    Class                      |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |              Time to live part 1              |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |              Time to live part 2              |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |               IP Address part 1               |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #     |               IP Address part 2               |
    #     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
}
when SERVER_DATA {
    # check rcode (low 4 bits of the flags word at bytes 2-3)
    binary scan [string range [UDP::payload] 2 3] S sflags
    set rcode [expr $sflags & 0x000f]
    if {$rcode == 3} {
        # skip the DNS header, jump to the QNAME part of the first QUESTION;
        # the byte at offset 12 holds the length of the first label
        binary scan [string range [UDP::payload] 12 12] c foo
        # make the byte an unsigned integer
        set byte [expr $foo & 0xff]
        # initialize our position in the QNAME parsing
        set offset 12
        # $i is a sanity check so this logic won't spin on invalid QNAMEs
        set i 0
        # walk the QNAME labels of the QUESTION section
        while {$byte > 0 && $i < 10} {
            # skip over the current label (length byte + label bytes)
            set offset [expr $offset + $byte + 1]
            # grab the length of the next label, and make it an unsigned integer
            binary scan [string range [UDP::payload] $offset $offset] c foo
            set byte [expr $foo & 0xff]
            incr i
        }
        # step past the terminating zero byte so offset points at the QTYPE field
        incr offset
        # extract QTYPE from the QUESTION section: the next 2 bytes
        binary scan [string range [UDP::payload] $offset [expr $offset + 1]] S qtype
        # see if the QTYPE is 0x0001 (TYPE_A); if it is an A query, then replace the content
        if {$qtype == 0x0001} {
            # pack the response packet
            # first a2 is the id
            # second a* is the predefined header without id
            # third a* is the question part extracted from the returned packet (QNAME + QTYPE + QCLASS)
            # fourth a* is the predefined answer section
            UDP::payload replace 0 0 [binary format a2a*a*a* [string range [UDP::payload] 0 1] $::header_without_id [string range [UDP::payload] 12 [expr $offset + 3]] $::answerpart]
        }
    }
}

The rule works fine, but some questions remain:

1. At the last line, I want to use UDP::response, but it seems it only works in the CLIENT_ACCEPTED event, not SERVER_DATA. Is it a designed feature? Since UDP::payload replace will only replace the required part of the server response, the server NX-DOMAIN response (100 bytes) will always be larger than the normal A response (50 bytes). So I found the client will still receive a 100-byte response, but only the first 50 bytes will be useful. Is there any way to cut the rest of the UDP response?

2. Though I have tried my best to tune the performance, it seems not as good as expected. I have tested the rule on a BIGIP 3400: it can handle 14000 requests/second with no error requests at 30% CPU utilization, and 6000 requests/second with all error requests at about 80% CPU utilization. Since I use the same client and server, is it the rule that causes the requests/second to drop? Can I get better performance?

Thanks
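As an added illustration (not code from the original post or from F5), here is a small Python parser that walks a DNS message the same way the iRule does (flags/RCODE, QNAME labels, QTYPE, then every resource record) and reports how many bytes are left over, plus a function that builds the rewritten datagram with the iRule's fixed header and answer. It assumes, as the observation in question 1 suggests, that replacing 0 bytes at offset 0 inserts the new message in front of the original response rather than dropping it; the NXDOMAIN sample is constructed.

```python
import socket, struct
# Fixed header (without ID) and fixed answer RR, the same values the iRule above uses.
HEADER_WITHOUT_ID = struct.pack("!5H", 0x8180, 1, 1, 0, 0)
ANSWERPART = struct.pack("!6H", 0xC00C, 1, 1, 0, 0x0D1B, 4) + bytes([200, 100, 4, 10])

def read_name(msg, off):
    """Walk DNS labels, following compression pointers -> (name, end_offset)."""
    labels, end = [], None
    for _ in range(128):                      # loop guard, like $i in the iRule
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            end = end or off + 2              # name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end or off

def parse_dns(msg):
    """Parse header, question and all RR sections; count bytes left unparsed."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype, qclass))
    for count in (an, ns, ar):                # answer, authority, additional
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            rdata = msg[off:off + rdlen]; off += rdlen
            if rtype == 1 and rdlen == 4:     # A record: render the address
                rdata = socket.inet_ntoa(rdata)
            records.append((name, rtype, ttl, rdata))
    return {"id": ident, "rcode": flags & 0xF, "questions": questions,
            "records": records, "trailing": len(msg) - off}

def rewrite_like_irule(nxdomain_msg):
    """Mimic the iRule: ID + fixed header + copied question + fixed answer."""
    _, qend = read_name(nxdomain_msg, 12)     # question = QNAME + QTYPE + QCLASS
    new = nxdomain_msg[:2] + HEADER_WITHOUT_ID + nxdomain_msg[12:qend + 4] + ANSWERPART
    return new + nxdomain_msg                 # assumption: 'replace 0 0' inserts, drops nothing

# Constructed sample: NXDOMAIN reply for wwww.f5.com with one (dummy) SOA authority RR.
NXDOMAIN = (struct.pack("!6H", 0xBEEF, 0x8183, 1, 0, 1, 0) + b"\x04wwww\x02f5\x03com\x00"
            + struct.pack("!HH", 1, 1) + struct.pack("!H", 0xC011)
            + struct.pack("!HHIH", 6, 1, 900, 8) + b"\x00" * 8)
```

Parsing `rewrite_like_irule(NXDOMAIN)` yields RCODE 0 and the 200.100.4.10 answer, with `trailing` equal to the full length of the original NXDOMAIN reply, which is the extra data the client ends up receiving.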
  • Hi, can no one help me with the performance issue? There are a lot of business opportunities behind this rule. If an ISP using BIGIP is doing DNS load balancing, they can "redirect" all the incorrect name resolution requests to a "correct" one and to their advertisement server. So the ISP can get profit from their DNS systems!

    That is what the MSN search bar, Google search bar or Yahoo search bar do with the browser. If people type an incorrect domain name like "wwww.f5.com", from normal DNS they will get a response of "Non-Existent Domain"; then the bars work to lead them to the search engine. But if BIGIP can do this, the "incorrect" one will be "corrected" by BIGIP and sent to the advertisement server.