
Forum Discussion

Mario_Franco
Sep 20, 2023

Implementing F5 DNS and Creating Custom CNAME Redirects

We are currently implementing a solution in Azure and have encountered some DNS-related issues. I think it's a good idea to implement F5 DNS. However, I wonder if we can create an iRule to set up a CNAME for a specific domain. In other words, if a domain like "example.com" is received, the iRule would inspect this request and respond to the user with a CNAME from "example.com" to "example.2.com".

I have created the following iRule:

when DNS_REQUEST {
    set original_name [DNS::question name]
    if { [string tolower $original_name] ends_with "example.com" } {
        set modified_name [string map {"example.com" "example.2.com"} [string tolower $original_name]]
        # rewrite the question name to the new domain
        DNS::question name $modified_name
        # build a CNAME resource record pointing the original name at the new one
        set cname_record "${original_name} IN CNAME ${modified_name}."
        log local0. "$cname_record"
        set new_rr [DNS::rr $cname_record]
        log local0. "$new_rr"
        DNS::answer clear
        DNS::answer insert $new_rr
        DNS::header aa 1
        DNS::return
    }
}

If I see the logs it looks good:
 <DNS_REQUEST>: test.example.com. IN CNAME test.example.2.com.
 <DNS_REQUEST>:  test.example.com. 3600 IN CNAME test.example.2.com

However, when I perform an nslookup, dig, or access the domain directly from the browser, it doesn't work.

nslookup:

nslookup test.example.com
Server: UnKnown
Address: x.x.x.x

Name: test.example.com

dig:

dig @x.x.x.x test.example.com
;; Question section mismatch: got test.example.2.com/A/IN

Browser:
DNS_PROBE_FINISHED_NXDOMAIN

Any idea if this is possible?
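The dig error quoted above ("Question section mismatch") is the client side of the problem: a stub resolver only trusts a reply whose transaction ID and QUESTION section match the query it sent, so a reply in which the question name was rewritten to the CNAME target is discarded even though the answer section looks fine. The following is an added illustration, not code from the original post or from F5: a minimal pure-Python DNS wire-format builder and the client-side matching check, run over a constructed query for test.example.com. The helper names, the ID 0xED42 and the TTL are constructed for the example.

```python
"""Added example (not from the thread): why a CNAME answer is ignored when the
responder also rewrites the QUESTION section, which is what dig reports as
'Question section mismatch'. Pure standard library, no network; every name,
ID and TTL below is constructed sample data."""
import struct

QTYPE_A, QTYPE_CNAME, QCLASS_IN = 1, 5, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS wire labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Wire name at `off` -> (dotted name with trailing dot, offset after it).
    Handles compression pointers so real responses can be parsed as well."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Minimal stub-resolver query: RD set, one question, nothing else."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN))


def build_cname_response(query: bytes, owner: str, target: str, ttl: int = 300,
                         rewrite_question: bool = False) -> bytes:
    """Authoritative reply (QR, AA) to `query` carrying one CNAME RR.
    With rewrite_question=True the question name is replaced by the CNAME
    target, mirroring an iRule that changes DNS::question name before answering."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = encode_name(target if rewrite_question else qname) + struct.pack("!HH", qtype, qclass)
    rdata = encode_name(target)
    answer = encode_name(owner) + struct.pack("!HHIH", QTYPE_CNAME, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_question(msg: bytes):
    """-> (id, lower-cased qname, qtype, qclass, offset of the first answer RR)."""
    qid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, qname.lower(), qtype, qclass, off + 4


def first_answer_text(msg: bytes) -> str:
    """Render the first answer RR in zone-file style, as dig prints it."""
    off = parse_question(msg)[4]
    owner, off = decode_name(msg, off)
    rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    target, _ = decode_name(msg, off + 10)
    return f"{owner} {ttl} IN {'CNAME' if rtype == QTYPE_CNAME else rtype} {target}"


def client_accepts(query: bytes, response: bytes) -> bool:
    """The matching rule a stub resolver or dig applies before trusting a reply
    (RFC 5452 section 9.1): same ID and an identical QUESTION section.
    A reply whose question was rewritten fails this and is dropped."""
    return parse_question(query)[:4] == parse_question(response)[:4]


# Constructed demo: the thread's test.example.com -> test.example.2.com case.
QUERY = build_query(0xED42, "test.example.com")
GOOD = build_cname_response(QUERY, "test.example.com.", "test.example.2.com.")
BAD = build_cname_response(QUERY, "test.example.com.", "test.example.2.com.", rewrite_question=True)

if __name__ == "__main__":
    print("question preserved:", client_accepts(QUERY, GOOD), first_answer_text(GOOD))
    print("question rewritten:", client_accepts(QUERY, BAD), first_answer_text(BAD))
```

Run stand-alone it prints one accepted reply (the answer text matches the "300 IN CNAME" line in the dig output later in the thread) and one rejected reply whose only difference is the question name. The same check is a useful thing to keep in mind when reading packet captures of any DNS-manipulating device: a syntactically valid answer section is worthless to the client if the question echoed back is not the one it asked.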

6 Replies

  • https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/redirecting-dns-queries-using-a-cname-pool.html


    Where are you using or applying this iRule in F5? I guess a WideIP must be required to get the desired results.

    DNS_REQUEST

    DNS name to IP address resolution is handled by the system. The HTTP request is handled by the browser!

    The browser is not aware if there is a DNS CNAME.

    To make it simple, when you enter "a.example.com" in your browser, the DNS resolution is done by the system, but in no case is a redirection done by DNS or the browser. So a CNAME can't redirect the URL you input to another URL...

    If your service is hosted by F5, you can set a rule to allow you to redirect your request to another host.

    But if this is not the case, you have to find other solutions. I do not think that's the best solution, but you can, for example, host a service in F5 for host "a.example.com" and just implement a redirection to host "b.login.aws.com". The other solution is to see with your host so that they can make the configuration necessary to accept the host "a.example.com".

    But I'm not sure that in this case GTM can help you, because all it will do is return an IP and never redirect you...

    Without involving a WideIP I don't think it will work.

    for me on GTM-only iRules, but I think this will work for you:

    when DNS_REQUEST {
        if { [wideip name] eq "www.easy.com" } {
            cname "www.verylongname.com"
        }
    }


    Configuration:

    1). Configure WIP www.easy.com with A record and CNAME

    2). iRule

    when DNS_REQUEST {
        if { [wideip name] eq "www.easy.com" } {
            cname "www.verylongname.com"
        }
    }

    https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/redirecting-dns-queries-using-a-cname-pool.html


    • Mario_Franco

      Looks like the CNAMEs in F5 are not functioning. I've attempted various methods to implement a CNAME record, but it's not working. Specifically, the iRule doesn't seem to have any effect. I also attempted to create a CNAME wideIP-pool following the F5 documentation https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/redirecting-dns-queries-using-a-cname-pool.html, but that didn't work either. Additionally, I tried creating a CNAME record from the ZoneRunner, but it seems impossible to create. I filled out all the fields and clicked on 'create', but upon verifying the Resource Record List, the CNAME record doesn't appear. I'm using version 16.1.3.3. Could this be a bug?

  • VGF5

    Your approach to use an iRule on F5 DNS to manipulate DNS requests and responses is correct. However, the issue you're facing might be due to how DNS resolution works and the context in which iRules operate. The iRule you provided is designed to modify the DNS request for "example.com" to "example.2.com", and then create a CNAME record in the DNS response. When you perform a DNS lookup for "example.com", the lookup is redirected to "example.2.com". However, this does not necessarily mean that "example.2.com" will resolve correctly.

    • Mario_Franco

      If I try to consume test.example.2.com it works. However, when I verify the nslookup output for test.example.com it doesn't show the CNAME or even an answer; it's just empty. Verifying the logs, however, the iRule is creating the CNAME record, but it looks like it's not returning the answer to the client.

  • I believe that what you want to do is use a single DNAME record that will effect the multi-CNAME behavior you want to implement.

    Specifically, in your DNS zone EXAMPLE.COM, you can create a DNAME record:

    example.com. <ttl> IN DNAME example.2.com

    Then, for instance, using your "test" hostname, a DNS query for resolution of the IP address of FQDN test.example.com should result in the dig utility returning:

    ;; ANSWER SECTION:
    example.com. IN DNAME example.2.com.
    test.example.com. IN CNAME test.example.2.com.
    test.example.2.com. IN A 1.2.3.4

    assuming that the hostname "test" is defined to resolve to IP address 1.2.3.4 in the EXAMPLE.2.COM domain.
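The synthesis the DNAME answer above describes follows fixed rules (RFC 6672): the server rewrites only names strictly below the DNAME owner, matches on whole labels, and returns the DNAME record together with the synthesized CNAME. Added here as an illustration, not code from the thread or from F5, is a small pure-Python model of that substitution run over constructed queries for the example.com to example.2.com case. Note the label-boundary rule in particular: a plain string-suffix test such as the iRule's ends_with "example.com" would also rewrite a name like notexample.com, which a DNAME never does. Function names and the default TTL are constructed for the example.

```python
"""Added example (not from the thread): how an authoritative server turns a
DNAME record into the CNAME the client sees (RFC 6672 sections 2.2 and 3).
Pure Python, no network; every name below is constructed sample data and
names are lower-cased for comparison and output."""


def _labels(name: str) -> list:
    """Lower-cased label list without the trailing root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def synthesize_cname(qname: str, dname_owner: str, dname_target: str, ttl: int = 3600):
    """Return the zone-file text of the CNAME synthesized for `qname`, or None
    when the DNAME does not apply.  RFC 6672 substitution rules:
      * only names strictly below the DNAME owner are rewritten (the owner
        itself is not redirected);
      * matching is on whole labels, so 'notexample.com' is not under
        'example.com' even though it ends with that string."""
    q, owner, target = _labels(qname), _labels(dname_owner), _labels(dname_target)
    if len(q) <= len(owner) or q[-len(owner):] != owner:
        return None
    new_name = ".".join(q[:-len(owner)] + target)
    return f"{'.'.join(q)}. {ttl} IN CNAME {new_name}."


def answer_section(qname: str, dname_owner: str, dname_target: str, ttl: int = 3600) -> list:
    """Records the server places in the ANSWER section: the DNAME RR itself
    followed by the synthesized CNAME (the client then follows the CNAME)."""
    cname = synthesize_cname(qname, dname_owner, dname_target, ttl)
    if cname is None:
        return []
    dname_rr = f"{'.'.join(_labels(dname_owner))}. {ttl} IN DNAME {'.'.join(_labels(dname_target))}."
    return [dname_rr, cname]


# Constructed demo: the thread's example.com -> example.2.com redirection.
DNAME_OWNER, DNAME_TARGET = "example.com.", "example.2.com."
SAMPLE_QUERIES = ["test.example.com.", "a.b.example.com.", "example.com.",
                  "notexample.com.", "TEST.Example.COM"]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:20s} -> {synthesize_cname(q, DNAME_OWNER, DNAME_TARGET, 300)}")
```

Run stand-alone, the two names under example.com and the mixed-case one get a CNAME into example.2.com, while the zone apex and notexample.com get None, which is exactly the behaviour a DNAME in the EXAMPLE.COM zone gives.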

  • xuwen

    when DNS_REQUEST priority 500 {
        set original_name [DNS::question name]
        if { [string tolower $original_name] ends_with "example.com" } {
            set modified_name [string map {"example.com" "example.2.com"} [string tolower $original_name]]
            # DNS::question name $modified_name
            set cname_record "${original_name}. 300 IN CNAME ${modified_name}."
            log local0. "cname_record is ${cname_record}"
            set new_rr [DNS::rr ${cname_record}]
            # log local0. "$new_rr"
            DNS::answer clear
            DNS::answer insert $new_rr
            DNS::header aa 1
            DNS::header rd 0
            DNS::header ra 0
            DNS::header ad 0
            DNS::return
        }
    }


    [root@NF42GTT1-A3:Active:Standalone] config # dig @172.16.53.53 www22.example.com

    ; <<>> DiG 9.11.31 <<>> @172.16.53.53 www22.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www22.example.com. IN A

    ;; ANSWER SECTION:
    www22.example.com. 300 IN CNAME www22.example.2.com.

    ;; Query time: 4 msec
    ;; SERVER: 172.16.53.53#53(172.16.53.53)
    ;; WHEN: Fri Sep 22 15:44:52 CST 2023
    ;; MSG SIZE rcvd: 76