LTM with DNS - logging query answers DNS_RESPONSE clientside
Hi All
We have our DNS services behind LTM VIPs. We have the DNS license and are using DNS_QUERY and DNS_RESPONSE events for logging queries and answers. We are not using Express, BIGIP Bind, nor GTM configurations - straight LB work. Last week I was investigating some optimizations and wanted to add Answer header information, specifically the truncate flag. This will allow us to gather some stats on the amount of UDP to TCP based queries occuring. I added [DNS::header tc] to the log message on DNS_RESPONSE and proceeded to test from a client system using DIG for a test SRV record that exceeded 512bytes using UDP. DIG did the expected things and sent a UDP query, got a response with truncate on, and re-queried with TCP. All good. However, when I looked at the logs, [DNS::header tc] was always returning 0. From network trace, I see client to VIP, SNAT to service, service to SNAT, VIP to client. The client side traffic is as expected - no EDNS0, buffer set to 512bytes, etc. As well the answer in UDP shows the truncate flag set to 1. Further examination showed that while the client had specified no EDNS0, buffer 512bytes, etc., the SNAT to DNS service traffic showed EDNS0 on and buffer of 4096bytes. I asked our F5 account rep if he had any insights and he agreed that DNS_RESPONSE seems to be pulling from server-side. I tried using [clientside {DNS::header tc}] in the logging statement, but got the same results - truncate still shows 0.
Questions:
1. Is there a way to tell LTM to respect the client settings for the server side communications?
2. Can I get the client-side info in the DNS_RESPONSE event?
Thanks