
Forum Discussion

Amit_Grover_171
Aug 10, 2015

Is it possible to perform a DNS SRV query at node level so that traffic will be directed accordingly?

Hi,

In my scenario I am using outbound SNAT for outbound traffic from my LTM, but the traffic should be forwarded outbound according to its DNS SRV record, which cannot be a static IP. As a work-around I upgraded my LTM to 11.6 and decided to use one local DNS server. The issue I am now facing is that my node is able to resolve the DNS name but not the SRV record. Please suggest how I can perform a DNS SRV query at node level in F5 LTM 11.6. As of now I don't want to add an additional GTM license just for this functionality.


ServerA --> F5 LTM(SNAT)--> Outbound node(e.g. f5.com)


/Regards Amit Grover


4 Replies

  • As you appear to have discovered, FQDNs will resolve A, AAAA and CNAME chains only. In fact, not only will it not try to perform an SRV lookup, it won't even accept underscores (_) in names.

    If your objective is to use an SRV target for the node name, things do become very tricky. There are a few ways to solve this: 1. inline; 2. via the control plane; 3. both.

    For 1, you'd need an iRule. That iRule would need to make a sideband connection in order to look up the SRV record. Things get really tricky here for at least four reasons: 1. you may get more than one target back; 2. although the target name is not supposed to be an alias, it may be anyway; 3. one or more targets may be down; and 4. you'd have to build the DNS query and response manually (you cannot use RESOLV::lookup, for example, since it only returns A records). You have to figure out how to handle those various issues. The more robust you wish to be, the more complex (and time expensive) the iRule;

    For 2, you could periodically (via iCall) perform the SRV lookup, then test reachability, then modify the node address based on the results. This causes a config change, however, which can be a drawback, and does not account for reachability failure after the change but before the next lookup. On the other hand, there is no iRule;

    For 3, you could do the periodic call from 2, then populate the information somewhere that is accessible to an iRule (e.g., a data group). This moves the complexity out of the iRule and into the control plane (where the cost becomes more-or-less irrelevant), makes a smaller config change, and could potentially allow for a work-around if the server-side connect fails. However, it still entails a config change. On a system that is part of a DSC (e.g., in an active/standby pair), this can be a big issue because it will constantly move the units of the DSC out-of-sync.

    The best way is to scrap the use of the SRV for this case, and leverage GTM in order to provide a reachable A record. Then you can use FQDNs as above. This, however, requires adding and configuring GTM somewhere (it could be on the same system as the LTM, of course).

  • Hi Vernon,

    I appreciate your quick response. I am a bit puzzled here with the iRule, as when I tried to write an iRule I had to select a DNS profile in the VS, but that disables my SSL profile by default (which is not desirable). I have a few queries in mind.

    1) As I am planning to use one local Windows DNS server, which is supposed to take care of all SRV records, how can I build a configuration wherein my node fetches the IP address and port from the Windows SRV records? It adds manual effort, I guess.

    2) If I try to create a separate VS using a DNS profile and an iRule for SRV queries, how can I use that VS with my outbound VS (with the SSL profile)?

    3) I am not sure how to use iCall; it would be appreciated if you could give me a hint on how to use it.


    /Regards Amit Grover


  • A traffic type profile indicates to BIG-IP how to handle traffic in the forwarding path. Since your VS will not be receiving DNS traffic for forwarding, it is not necessary to add the dns profile to it. You would need to use a sideband connection from an iRule attached to the existing VS. However, as I say, if you do this, you won't have DNS iRule commands available, so you'll have to manually construct your request (e.g., using binary format) and your response (e.g., using binary scan).

    I strongly recommend that you consider engaging F5 Professional Services, a consulting arm of F5. No matter how you approach this, it's going to require a fair amount of work and will be somewhat complex.

    Having said that, iCall allows you to execute a Tcl script periodically. It is also documented on DevCentral.
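As an added example that is not part of this thread and not F5's own code: the manual build-and-parse the replies above describe, written in Python rather than iRule Tcl so it can be run offline. The query is assembled by hand (what an iRule would do with binary format), the reply is unpacked by hand (binary scan), and the reply handling covers the cases listed in the first reply: several targets ordered per RFC 2782, a target that turns out to be an alias (resolved through a CNAME in the additional section), and targets the caller has already found to be down (the reachability probe itself is not shown). The service name, transaction id and reply bytes are constructed for the example; nothing here is captured from a real server.

```python
"""Manual DNS SRV query/response handling (added example, not F5 code). Python
stand-in for the binary format / binary scan work an iRule sideband lookup needs;
all names, the transaction id and the reply bytes below are constructed."""
import random
import struct

QTYPE_A, QTYPE_CNAME, QTYPE_SRV = 1, 5, 33


def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_srv_query(service, proto, domain, txid=None):
    """Return (txid, packet) asking for _service._proto.domain IN SRV."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = encode_name("_%s._%s.%s" % (service, proto, domain))
    return txid, header + qname + struct.pack("!HH", QTYPE_SRV, 1)


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            end = off + 2 if end is None else end
            off, hops = ((length & 0x3F) << 8) | pkt[off + 1], hops + 1
            if hops > 64: raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), off if end is None else end


def parse_srv_response(pkt, expect_txid):
    """SRV targets sorted by (priority, -weight), each with the IPv4 addresses the
    additional section gives for its target, chasing a CNAME if the target is an alias."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expect_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x020F:                            # TC set, or non-zero RCODE
        raise ValueError("truncated (retry over TCP) or RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd): off = read_name(pkt, off)[1] + 4   # skip echoed question
    srvs, addrs, cnames = [], {}, {}
    for _ in range(an + ns + ar):
        owner, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        if off > len(pkt):
            raise ValueError("record runs past end of packet")
        if rtype == QTYPE_SRV:
            pri, weight, port = struct.unpack("!HHH", pkt[start:start + 6])
            srvs.append((pri, weight, port, read_name(pkt, start + 6)[0]))
        elif rtype == QTYPE_A and rdlen == 4:
            addrs.setdefault(owner, []).append(".".join(map(str, pkt[start:off])))
        elif rtype == QTYPE_CNAME:
            cnames[owner] = read_name(pkt, start)[0]
    def resolve(name, seen=()):                   # bounded CNAME chase
        while name in cnames and name not in seen:
            seen, name = seen + (name,), cnames[name]
        return addrs.get(name, [])
    srvs.sort(key=lambda r: (r[0], -r[1]))
    return [{"priority": p, "weight": w, "port": port, "target": t,
             "addresses": resolve(t)} for p, w, port, t in srvs]


def pick_target(candidates, down=frozenset(), rand=random.random):
    """RFC 2782 choice: lowest priority that still has a live target, weighted random
    within it. `down` holds (address, port) pairs a reachability probe has failed."""
    def live(c):
        return [a for a in c["addresses"] if (a, c["port"]) not in down]
    usable = sorted((c for c in candidates if live(c)), key=lambda c: c["priority"])
    if not usable:
        return None
    group = [c for c in usable if c["priority"] == usable[0]["priority"]]
    r = rand() * sum(c["weight"] for c in group)  # rand() < 1, so the loop always returns
    for c in group:
        r -= c["weight"]
        if r <= 0:
            return live(c)[0], c["port"]


def sample_response(txid):
    """Constructed reply: SRV answers sip2 (priority 20) and sip1 (priority 10), then
    additional A for sip1, CNAME sip2 -> sipb, and A for sipb (byte offsets noted)."""
    ptr = lambda off: struct.pack("!H", 0xC000 | off)   # pointer to an earlier name
    p = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 3)
    p += encode_name("_sip._tcp.example.com") + struct.pack("!HH", QTYPE_SRV, 1)  # "example.com" at 22
    p += ptr(12) + struct.pack("!HHIH", QTYPE_SRV, 1, 300, 13)
    p += struct.pack("!HHH", 20, 0, 5061) + b"\x04sip2" + ptr(22)                # "sip2.example.com" at 57
    p += ptr(12) + struct.pack("!HHIH", QTYPE_SRV, 1, 300, 13)
    p += struct.pack("!HHH", 10, 60, 5061) + b"\x04sip1" + ptr(22)               # "sip1.example.com" at 82
    p += ptr(82) + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([10, 0, 0, 1])
    p += ptr(57) + struct.pack("!HHIH", QTYPE_CNAME, 1, 300, 7) + b"\x04sipb" + ptr(22)  # "sipb.example.com" at 117
    p += ptr(117) + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([10, 0, 0, 2])
    return p
```

Usage: build_srv_query("sip", "tcp", "example.com") gives the bytes to send over the sideband and the transaction id to check the reply against; parse_srv_response(reply, txid) turns the reply into ordered candidates, and pick_target(candidates, down=...) chooses one, with sample_response(txid) standing in for the server here. Sending the packet, the retry over TCP when the TC bit is set, and the probe that would populate down are left to the caller, and in an iRule each of those costs time on the connection being handled, which is the "time expensive" point made above.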