KingMeow_3883
Mar 26, 2015

GTM iRule to forward dns request to a pool of DNS servers

Hi,

On the GTM, is it possible to use an iRule to disable wideIP and forward a dns request to a pool of DNS servers instead?

I have a situation where LTM pool members attempt to resolve each other's IPs using the GTM and break because they get the Virtual Server IP instead of their real IPs.

The GTM is configured with a pool of DNS servers and I know that under normal conditions it will use the pool to resolve what it doesn't have a WIP for. But because it does have a WIP in this case, I need the GTM to bypass the WIP step whenever it receives dns requests from certain LDNSs.

I've looked at the iRule wiki but can't see the commands to do this. dns::disable looks like it may do what I need but I'm not sure.

Thanks.

4 Replies

  • Hi KingMeow,

    I assume the pool of nameservers associated with your listener is already used to handle incoming queries which cannot be resolved by GTM, right?

    An iRule will now disable local GTM processing if a client request is received from a local network:
    when DNS_REQUEST {
        # queries from the local network skip the WideIP lookup and fall through to the listener's DNS pool
        if {[IP::addr [IP::client_addr] equals 10.131.131.0/24]} {
            log local0. "dns query from local network: <[IP::client_addr]>"
            DNS::disable gtm
        }
    }

    Make sure to create this iRule as an LTM iRule and associate it with the listener (actually a virtual server in the LTM context as well).

    So your assumption is right as I just verified in my lab.

    Instead of checking against a single network you may want to use the class command in combination with a data group to exclude multiple client networks.

    Thanks, Stephan
  • Hi Stephan,

    I just tried your suggestion and it seems to do exactly what I wanted. I also added the extra condition that the DNS question must match a certain string.

    Thanks a lot for your help 🙂

    This is the current iRule I've tested successfully (thanks to Stephan Manthey) for anyone looking at this in future:

    when DNS_REQUEST {
        if {[IP::addr [IP::client_addr] equals 10.10.10.10/32]} {
            log local0. "dns query from local network: <[IP::client_addr]>"
            set dnsq [DNS::question name]
            log local0. "DNS Question: [DNS::question name]"
            # only bypass GTM for question names matching the glob pattern
            switch -glob $dnsq {
                "blah???blah???.a.b.c.com" {
                    log local0. "question matches disabling criteria"
                    DNS::disable gtm
                }
            }
        }
    }

    Regards,

    -KingMeow

  • Hi KingMeow,

    To simplify the iRule above, the conditions can be combined, e.g. as follows:
    when DNS_REQUEST {
        # client network check and query name check in a single condition
        if {[IP::addr [IP::client_addr] equals 10.10.10.10/32] and ([string tolower [DNS::question name]] ends_with "xyz.domain.com")} {
            log local0. "dns query <[DNS::question name]> from local network: <[IP::client_addr]>"
            DNS::disable gtm
        }
    }

    (To verify the query name, a comparison can be done with "ends_with", "equals", "starts_with" or "contains".)

    Btw, there are two alternative methods for GTM to achieve a similar behavior as setting scopes on a DNS server.

    The topology based method allows defining regions and mapping them to available resources.

    A way to configure them is described in this post "Topology LB - Not allow Wide IP to resolve to Internet".

    The second method would be a similar rule as above in the context of the WideIP to pick a GTM-pool containing the internal resource records.

    In both cases it would be necessary to have the GTM controller monitor the internal real servers.

    Thanks, Stephan
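The data group variant suggested in the first reply, combined with the query name check from the last one, as an added example that is not part of the original thread. It assumes two data groups that you create yourself: internal_ldns (address type, listing the internal LDNS networks) and internal_zones (string type, listing the zone suffixes that should bypass the WideIP).

```tcl
# Added example, not from the thread above.
# Assumed data groups (create them under Local Traffic > iRules > Data Group List):
#   internal_ldns  - address type, e.g. 10.131.131.0/24 and 10.10.10.10/32
#   internal_zones - string type, e.g. xyz.domain.com and a.b.c.com
when DNS_REQUEST {
    # Queries from LDNS addresses outside the data group keep normal GTM processing.
    if { ![class match [IP::client_addr] equals internal_ldns] } {
        return
    }

    # Normalise the question name so the suffix comparison is case-insensitive.
    set qname [string tolower [DNS::question name]]

    # Only skip the WideIP lookup for names under one of the internal zones;
    # everything else from these clients is still answered by GTM as usual.
    if { [class match $qname ends_with internal_zones] } {
        log local0. "bypassing GTM for <$qname> from internal LDNS <[IP::client_addr]>"
        DNS::disable gtm
    }
}
```

With both lists in data groups, adding a new internal network or zone is a data group edit rather than an iRule change, and the log line shows which queries were handed to the listener's DNS pool.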