Forum Discussion
Implementing F5 DNS and Creating Custom CNAME Redirects
We are currently implementing a solution in Azure and have encountered some DNS-related issues. I think it's a good idea to implement F5 DNS. However, I wonder if we can create an iRule to set up a CNAME for a specific domain. In other words, if a domain like "example.com" is received, the iRule would inspect this request and respond to the user with a CNAME from "example.com" to "example.2.com".
I have created the following irule:
when DNS_REQUEST {
set original_name [DNS::question name]
if { [string tolower $original_name] ends_with "example.com" } {
set modified_name [string map {"example.com" "example.2.com"} [string tolower $original_name]]
DNS::question name $modified_name
set cname_record "${original_name} IN CNAME ${modified_name}."
log local0. "$cname_record"
set new_rr [DNS::rr $cname_record]
log local0. "$new_rr"
DNS::answer clear
DNS::answer insert $new_rr
DNS::header aa 1
DNS::return
}
}
If I see the logs it looks good:
<DNS_REQUEST>: test.example.com. IN CNAME test.example.2.com.
<DNS_REQUEST>: test.example.com. 3600 IN CNAME test.example.2.com
However, when I perform an nslookup, dig, or access the domain directly from the browser, it doesn't work.
nslookup:
nslookup test.example.com
Server: UnKnown
Address: x.x.x.x
Name: test.example.com
dig:
dig @x.x.x.x test.example.com
;; Question section mismatch: got test.example.2.com/A/IN
Browser:
DNS_PROBE_FINISHED_NXDOMAIN
Any idea if this is possible?
- f51Cirrostratus
Your approach to use an iRule on F5 DNS to manipulate DNS requests and responses is correct. However, the issue you're facing might be due to how DNS resolution works and the context in which iRules operate. The iRule you provided is designed to modify the DNS request for "example.com" to "example.2.com", and then create a CNAME record in the DNS response. When you perform a DNS lookup for "example.com", the lookup is redirected to "example.2.com". However, this does not necessarily mean that "example.2.com" will resolve correctly.
- Mario_FrancoAltocumulus
If I try to consume test.example.2.com it works, however, when I verify the nslookup output for test.example.com it doesn't show the cname or even an answer, it's just empty, however verifying the logs the irule is creating the cname record but looks like it's not returning the answer to the client
- xuwenCumulonimbus
when DNS_REQUEST priority 500 { set original_name [DNS::question name] if { [string tolower $original_name] ends_with "example.com" } { set modified_name [string map {"example.com" "example.2.com"} [string tolower $original_name]] # DNS::question name $modified_name set cname_record "${original_name}. 300 IN CNAME ${modified_name}." log local0. "cname_record is ${cname_record}" set new_rr [DNS::rr ${cname_record}] # log local0. "$new_rr" DNS::answer clear DNS::answer insert $new_rr DNS::header aa 1 DNS::header rd 0 DNS::header ra 0 DNS::header ad 0 DNS::return } }
[root@NF42GTT1-A3:Active:Standalone] config # dig @172.16.53.53 www22.example.com
; <<>> DiG 9.11.31 <<>> @172.16.53.53 www22.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www22.example.com. IN A;; ANSWER SECTION:
www22.example.com. 300 IN CNAME www22.example.2.com.;; Query time: 4 msec
;; SERVER: 172.16.53.53#53(172.16.53.53)
;; WHEN: Fri Sep 22 15:44:52 CST 2023
;; MSG SIZE rcvd: 76 where are you using or applying this irule in f5 , I guess a WIDEIP must be required to get the desired results.
DNS_REQUEST
Dns name to IP address is handled by system. Http request is handled by browser!
Browser is not aware if there is a DNS CNAME.
To make it simple, when you enter "a.example.com" in your browser, the DNS resolution is done by the system. but in no case a redirection is done by dns or browser.So CNAME can't redirect URL which we input to another URL...
If your service is hosted by F5, you can set a rule to allow you to redirect your request to another host.
but if this is not the case you have to find you have to find other solutions. I do not think that's the best solution, but you can for example hosted a service in F5 for host "a.example.com" and juste implement a redirection on host "b.login.aws.com". the other solutions is to see the side of your host so that he can make the configuration necessary to accpter the host "a.example.com".
But I'm not sure that in this case, GTM can help you because all it will do is return an IP and never redirect you...
Without involving a WIDEIP I dont think it will work.
for me on GTM-only iRules, but I think this will work for you:
when DNS_REQUEST { if { [wideip name] eq "www.easy.com" } { cname "www.verylongname.com" } }
Configuration:
1). Configure WIP www.easy.com with A record and CNAME
2). Irules
- when DNS_REQUEST {
- if { [wideip name] eq "www.easy.com" } {
- cname "www.verylongname.com"
- }
- }
- Mario_FrancoAltocumulus
Looks like the CNAMEs in F5 are not functioning. I've attempted various methods to implement a CNAME record, but it's not working. Specifically, the iRule doesn't seem to have any effect. I also attempted to create a CNAME wideIP-pool following the F5 documentation https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/redirecting-dns-queries-using-a-cname-pool.html, but that didn't work either. Additionally, I tried creating a CNAME record from the ZoneRunner, but it seems impossible to create. I filled out all the fields and clicked on 'create', but upon verifying the Resource Record List, the CNAME record doesn't appear. I'm using version 16.1.3.3. Could this be a bug?
- Frabotta9500Cirrus
I believe that what you want to do is use a single DNAME record that will effect the multi-CNAME behavior you want to implement.
Specifically, in your DNS zone EXAMPLE.COM, you can create a DNAME record:
example.com. <ttl> IN DNAME example.2.com
Then, for instance, using your "test" hostname, a DNS query for resolution of the IP address of FQDN test.example.com should result in the dig utility returning:
;; ANSWER SECTION:
example.com. IN DNAME example.2.com.
test.example.com. IN CNAME test.example.2.com.
test.example.2.com. IN A 1.2.3.4assuming that that the hostname "test" is defined to resolve to IP address 1.2.3.4 in the EXAMPLE.2.COM domain.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com