philfagan
Nov 04, 2020

iRule DNS response code

I have several DNS nodes that I am sending traffic to.

I would like to write a rule that selects either a new pool or node in the event one of my servers responds with a SERVFAIL rcode in the DNS header of the DNS response.

Is this possible?

1 Reply

  • Hi Phil,

    I assume that you want to send the CURRENT request to the other node, i.e. not subsequent requests (as that is simple, just do an LB::reselect).

    On the basis that you can do anything on the BIG-IP, yes it is possible. How it is possible is a bit more complex. 😀

    Essentially, to do this you have to store the request data for all DNS requests and in the case of failure then you send them to a different node. The first point is that this means you will be storing a lot of extra data which will cause higher memory utilisation and is probably not a good idea - do not store client data on intermediate devices.

    If you still want to do it, you can grab the payload and store it; if you get a SERVFAIL then send the payload via sideband to the other node and respond to the client with the response (I'll leave you to ponder what to do if you receive a second SERVFAIL).

    If you want to do this in a nice, systemic and scalable way you can use the Message Routing Framework (MRF) function but that needs a bit more thought on your part.

    Pseudocode:

    when DNS_REQUEST {
      # Hold the datagram so CLIENT_DATA can capture the raw UDP payload
      UDP::collect
    }
    when CLIENT_DATA {
      # Keep a copy of the original query so it can be replayed on failure
      set payload [UDP::payload]
      UDP::release
    }
    when DNS_RESPONSE {
      if { [DNS::rcode] eq "SERVFAIL" } {
        # Replay the stored query to the alternate node over a sideband connection
        # (<destination> is the host:port of the alternate node; fill in for your environment)
        set sb [connect -protocol UDP -timeout 100 -idle 5 <destination>]
        send $sb $payload
        set response [recv -timeout 1000 $sb]
        close $sb
        # Discard the SERVFAIL from the original node and return the alternate answer
        DNS::drop
        UDP::respond $response
      }
    }
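The failover logic the reply describes, as an added Python example that is not part of the original thread and not F5 iRule code: it reads RCODE from the 12-byte DNS header the way DNS::rcode would, replays the unchanged query to the next node when the first one answers SERVFAIL, and only hands back a response whose transaction ID matches the query. The two resolver nodes (ns1, ns2) and the query are constructed in-process, so the example runs offline; the "all nodes failed" branch shows one answer to the second-SERVFAIL question the reply leaves open (return the last SERVFAIL rather than let the client time out).

```python
import struct

# RCODE is the low 4 bits of the flags word in the 12-byte DNS header (RFC 1035)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
SERVFAIL = 2
HEADER_LEN = 12


def encode_qname(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid, name):
    """Constructed UDP DNS query (standard query, RD set) for an A record."""
    flags = 0x0100  # QR=0, opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def txid_of(msg):
    """Transaction ID: first two bytes of the header."""
    return struct.unpack("!H", msg[:2])[0]


def rcode_of(msg):
    """Return the RCODE of a DNS message (what the BIG-IP reads via DNS::rcode)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x0F


def make_node(rcode):
    """Simulated resolver (constructed for this example): echoes the query's txid and
    question section and answers with a fixed rcode."""
    def respond(query):
        flags = 0x8180 | (rcode & 0x0F)  # QR=1, RD=1, RA=1, RCODE as configured
        header = struct.pack("!HHHHHH", txid_of(query), flags, 1, 0, 0, 0)
        return header + query[HEADER_LEN:]
    return respond


def resolve_with_failover(query, nodes):
    """Send the same query to each (name, send) node in order and return
    (node_name, response) from the first node that does not answer SERVFAIL.
    Responses whose txid does not match the query are never returned.
    If every node fails, the last SERVFAIL is returned so the client still
    receives an answer instead of waiting for a timeout."""
    last = None
    for name, send in nodes:
        response = send(query)
        if txid_of(response) != txid_of(query):
            continue  # not an answer to our query; do not relay it to the client
        last = (name, response)
        if rcode_of(response) != SERVFAIL:
            return last
    if last is None:
        raise RuntimeError("no usable response from any node")
    return last


if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    nodes = [("ns1", make_node(SERVFAIL)), ("ns2", make_node(0))]
    name, resp = resolve_with_failover(query, nodes)
    print(name, RCODES[rcode_of(resp)])
```

The txid check is the part worth keeping even if the rest is adapted to a BIG-IP: the sideband reply must belong to the query that was replayed, otherwise a stale or forged datagram could be handed to the client as its answer.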