Forum Discussion
JRahm
Admin
Oct 27, 2006
GTM Intercept bypass?
Our DNS servers are sitting in a bridged vlan behind the GTM so I can intercept the DNS queries heading to the DNS server. Is it possible to disable this functionality based on source IP address on a DNS_REQUEST/DNS_RESPONSE event? I'd like to pass all queries from internal resources back to the name server so it can hand out the internal addresses. The wideip is configured to hand out the external addresses. Or perhaps the wideip can hand out the nat address for internal requests and the public address for external requests. Thanks for any advice.
6 Replies
- Deb_Allen_18 (Historic F5 Account)
Rather than an iRule, you can use GTM's "Topology" LB method to hand out different answers based on source IP:
https://tech.f5.com/home/bigipgtm/manuals/bigipgtm9_2_2/BIG-IP_9_2_2GTM_Guide-10-1.htmlwp999882
HTH
/deb
- JRahm
Admin
Most likely it's my ignorance, but I fail to see how a topology record will change the IP address of the virtual server address it is handing out. My pool members for wideip www.myurl.com are:

vs {
    name "poc2_myurl-http"
    address 10.10.1.150:80 // http
    monitor "custom_bigip"
    translates to 10.10.2.150:0
}
vs {
    name "poc2_myurl-http"
    address 10.20.1.150:80 // http
    monitor "custom_bigip"
    translates to 10.20.2.150:0
}
Creating a topology record will select one of these two records, which I will need to make sure the local server is returned, but either selection will return the address, not the translated address. The address is unknown to the internal servers; it must get a resolution for the translated address. The *real* DNS server sitting behind the GTM has views configured that hand out the correct address based on source IP. GTM can also do this, but I don't want to manage internal DNS functions, I want to pass them to the name server. Most will, because I am only listening for our GSLB URLs, but there is an internal need to request that URL as well, and the public address is not useful to the requesting devices. I am hopeful that I can do something like:
when DNS_REQUEST {
    if { [IP::client_addr] equals "x.x.x.x" } {
        release_request_to_nameserver
    }
}

I have never used topology, so I'm sure I am missing something there. TIA.
Jason
- Pete_Thornewell (Historic F5 Account)
You could just try
when DNS_REQUEST {
    if { [IP::client_addr] equals "x.x.x.x" } {
        forward
    }
}
- Deb_Allen_18 (Historic F5 Account)
Sorry Jason, I misinterpreted your question -- I didn't realize your VS were defined w/public+private addresses, & assumed internal + external VS were in play here.
I think you are right -- when you define a "private" address in GTM, its only intended use is to allow internal communication with LTM/BIG-IP where both devices are in a private network behind a firewall, and the virtuals are NAT'd elsewhere.
(Seems like the iRule suggestion would work, but I've never used "forward" with a GTM iRule...)
/deb
- JRahm
Admin
Wow, amazingly simple, yet very effective... kick me now.
The forward worked perfectly:

when DNS_REQUEST {
    if { [IP::client_addr] equals "10.x.x.x" } {
        log "Internal request, forwarding to name server"
        forward
    }
}
- Pete_Thornewell (Historic F5 Account)
This seems a bit of a waste of GTM's LB capabilities. You should really be able to specify that the translated addresses should be used instead of the public ones for particular source IP addresses in a rule. You could try (apologies, my TCL fu is weak so the syntax might not be correct).
when LB_SELECTED {
    if { [IP::client_addr] equals "10.x.x.x" } {
        set addr [LB::server addr]
        log "Internal request"
        if { $addr equals "1.2.3.4" } {
            node 10.2.3.4
        } elseif { $addr equals "1.2.3.5" } {
            node 10.2.3.5
        }
    }
}

if the pool members' global addresses were 1.2.3.4 and 1.2.3.5 with translation addresses 10.2.3.4 and 10.2.3.5 respectively.
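The two approaches in this thread (forward internal queries to the real name server, or rewrite the selected public address to its translated address) modelled as plain decision functions. This is an added example, not an iRule or anything from the posts or from F5: the internal prefixes and the public/translated address pairs are constructed stand-ins for the "x.x.x.x" and 1.2.3.4 placeholders above, and it generalizes the posts' exact-IP compare to a prefix match.

```python
"""Split-horizon decision logic from the GTM thread, as a runnable model.

Constructed example, not F5 code: the prefixes and address pairs below are
made-up sample values standing in for the placeholders used in the posts.
"""
import ipaddress

# Source ranges treated as "internal" (constructed). A prefix match
# replaces the single literal compare in the posts, so one rule covers
# every internal subnet instead of one host.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Public GSLB address -> translated address behind the NAT, i.e. the
# "address" / "translates to" pair of each vs {} stanza (constructed).
TRANSLATION = {"1.2.3.4": "10.2.3.4", "1.2.3.5": "10.2.3.5"}


def is_internal(client_ip: str) -> bool:
    """True if the query's source address falls inside an internal prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_PREFIXES)


def dns_request(client_ip: str) -> str:
    """Approach 1 (the DNS_REQUEST rule): GTM does not answer internal
    queries at all but hands them to the real name server, whose views
    return the private address. Returns the action GTM would take."""
    return "forward" if is_internal(client_ip) else "answer"


def lb_selected(client_ip: str, selected_public_ip: str) -> str:
    """Approach 2 (the LB_SELECTED rule): GTM still load-balances, but
    for internal clients the chosen public address is swapped for its
    translated address. A public address with no mapping is returned
    unchanged rather than guessed, so a gap in the table is visible as
    the public IP instead of an invented private one."""
    if is_internal(client_ip):
        return TRANSLATION.get(selected_public_ip, selected_public_ip)
    return selected_public_ip
```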