Forum Discussion

duckhead_25081's avatar
duckhead_25081
Icon for Nimbostratus rankNimbostratus
Oct 21, 2010

iRule for logging purposes

Hello all,

 

 

I tried searching the forums but I was not able to find a relevant post. I am in the process of troubleshooting a DNS issue on our BigIP 8900's and I need to create a logging iRule. The syntax "should" be fairly straightforward but I am unable to get it to work. Below is what I think it should look like.

 

 

when DNS_REQUEST {

 

log local0.info "Got a request, [DNS::rrname]"

 

}

 

 

 

Thanks in advance for the help!

 

->Mark
  • Hi Mark,

     

     

    That rule looks valid. What are you trying to accomplish? What's not working?

     

     

    Aaron
  • A couple of comments:

     

     

    1. It would be good to create a separate VS for the port 53 traffic. You can then set a much lower idle timeout to clear out the connections quicker. We discussed a number of methods here:

     

     

    http://devcentral.f5.com/Forums/tabid/1082223/asg/52/showtab/groupforums/aff/31/aft/1168069/afv/topic/Default.aspx

     

     

    I think there is also an AskF5 solution on this, but I wasn't able to find it immediately. I'll post back if I do see it.

     

     

    2. The DNS_* events are specific to GTM. There isn't an event that's triggered within LTM which directly corresponds to this. I'd try optimizing the virtual server configuration before worrying too much about which clients are generating the connections.

     

     

    Aaron
  • Hi Mark,

     

     

    I think setting an immediate timeout for the UDP traffic might eliminate the high connection count problem. I'd suggest testing it on a non-production virtual server first though.

     

     

    I could see DNS parsing being a useful feature for LTM. It can't hurt to open an RFE case with F5 Support.

     

     

    You could log the DNS requests, but it would be binary data. You could use binary scan to parse it. Nat Thirasuttakorn added a great codeshare example for this:

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/DNS_decoding.html

     

     

    The act of parsing and logging locally so many events itself could potentially take the box down or affect production traffic handling. You could try using the HSL:: commands to do this.

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/hsl

     

     

    If it were me, I'd probably just capture a tcpdump and analyze it off the LTM. Not very sexy, but it would have the least impact.

     

     

    Aaron