Forum Discussion
Functionality questions regarding commands that we're using in a DNS_REQUEST related iRule
Hi OATI_Network_S1,
Each virtual server connection starts with the settings as they are defined on the virtual server / listener. An iRule may modify the characteristics of the connection (ex. enabling SNAT, disabling dns-express, etc.) and when that is done, those changes remain for the rest of the connection or until the iRule modifies the characteristics again.
In the context of DNS, you're usually looking at one DNS request / connection over UDP. So, the iRule you have would work for UDP-based DNS requests as each request is a new connection and will start with your default configuration.
Where your iRule logic may not be sufficient is for DNS over TCP, as you may see a single TCP connection handle multiple DNS requests. In this case, if a TCP connection is opened to your DNS listener, and the first request matches your TXT condition, the virtual server characteristics for that connection would be modified as per your logic. If a second DNS request came in over that same TCP connection, say an A record request, it would not match the logic in your condition but the virtual server connection would still be operating under the modified state from the first request and that modified state would apply to this request too.
To handle this scenario, all you need to do is add an else condition that sets the virtual server back to its defaults if the request doesn't match the ACME condition. It would look something like this:
when DNS_REQUEST {
    # Check if the query is for a TXT record and matches a specific FQDN
    if { ([DNS::question type] equals "TXT") and ([string tolower [DNS::question name]] contains "_acme-challenge") } {
        # Forward to a specific pool of DNS servers
        DNS::disable dns-express
        snat automap
        translate address enable
        pool /Common/dns_pool
    } else {
        # Not ACME request, reset connection parameters
        DNS::enable dns-express
        translate address disable
        snat none
    }
}
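Added example (not from the reply above and not F5 code): a small Python model of the per-connection state the reply describes. It parses a constructed DNS-over-TCP byte stream carrying two length-prefixed queries (a TXT query for _acme-challenge.example.com followed by an A query for www.example.com) and applies the rule's branch logic per message, with and without the else branch; the state dict, its field names and the sample names are assumptions standing in for the real virtual server settings.

```python
import struct

# Assumed stand-in for the listener's default settings (names are illustrative).
DEFAULTS = {"dns_express": True, "snat": "none", "translate_address": False, "pool": "default"}
TXT, A = 16, 1

def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid):
    """Minimal query: 12-byte header (RD set, QDCOUNT=1) plus one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def iter_tcp_messages(stream):
    """Split one TCP connection's bytes into individual DNS messages."""
    pos = 0
    while pos < len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2]); pos += 2
        yield stream[pos:pos + n]; pos += n

def parse_question(msg):
    """Return (qname, qtype) of the first question, skipping the 12-byte header."""
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]; labels.append(msg[pos + 1:pos + 1 + n].decode()); pos += 1 + n
    return ".".join(labels), struct.unpack("!H", msg[pos + 1:pos + 3])[0]

def apply_rule(state, name, qtype, with_else):
    """Mirror the posted iRule: the if-branch modifies the connection, the else-branch resets it."""
    if qtype == TXT and "_acme-challenge" in name.lower():
        state.update(dns_express=False, snat="automap", translate_address=True, pool="/Common/dns_pool")
    elif with_else:  # same three resets as the post's else branch
        state.update(dns_express=True, translate_address=False, snat="none")
    return state

def run_connection(stream, with_else):
    """Apply the rule to every message on one connection; state persists between messages."""
    state, seen = dict(DEFAULTS), []
    for msg in iter_tcp_messages(stream):
        name, qtype = parse_question(msg)
        seen.append((name, qtype, dict(apply_rule(state, name, qtype, with_else))))
    return seen

# Constructed sample stream: one TCP connection carrying an ACME TXT query, then an A query.
SAMPLE_STREAM = tcp_frame(build_query("_acme-challenge.example.com", TXT, 1)) + tcp_frame(build_query("www.example.com", A, 2))
```

Without the else branch the A query on the same connection still carries `snat="automap"` and `dns_express=False` from the first message; with it, those settings are back to the defaults.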