Forum Discussion
Andy_Shaw_55687
Nimbostratus
Feb 23, 2009
NAME_RESOLVED not firing
Dear Forum,
I'm trying to get DNS resolution working from within an iRule in v9.4.6.
I've based the rule on the example in https://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&post...
AZ_101139
Nimbostratus
Jun 01, 2009
Hi,
The above iRule works all right on my lab system. However, on the customer site I see a difference when it comes to DNS name resolving:
1. When trying to ping something directly from the customer's 1600 (2.4.21-9.4.5.1049.0smp 2 SMP) it resolves the query without a problem:
[root@f5-1:Active] config # ping www.cnn.com
PING www.cnn.com (157.166.226.25) 56(84) bytes of data.
2. However, when the query comes from a request generated by an incoming connection and NAME:resolve (in fact by telnet from the 1600 itself as well), it ignores its defined nameservers but rather starts to traverse everything to the top level (in fact I am not sure how it gets all these names below):
12:33:29.060935 10.159.1.11.32925 > 128.8.10.90.domain: 57452 [1au] A? www.cnn.com. (40) (DF)
12:33:31.465794 10.159.1.11.32925 > 128.63.2.53.domain: 18473 [1au] A? www.cnn.com. (40) (DF)
12:33:33.875554 10.159.1.11.32925 > 192.36.148.17.domain: 25538 [1au] A? www.cnn.com. (40) (DF)
12:33:36.285542 10.159.1.11.32925 > 193.0.14.129.domain: 55243 [1au] A? www.cnn.com. (40) (DF)
12:33:38.695527 10.159.1.11.32925 > 199.7.83.42.domain: 54524 [1au] A? www.cnn.com. (40) (DF)
12:33:41.105769 10.159.1.11.32925 > 202.12.27.33.domain: 24915 [1au] A? www.cnn.com. (40) (DF)
12:33:43.515514 10.159.1.11.32925 > 192.228.79.201.domain: 26852 A? www.cnn.com. (29) (DF)
12:33:45.925754 10.159.1.11.32925 > 192.112.36.4.domain: 40513 A? www.cnn.com. (29) (DF)
12:33:48.335747 10.159.1.11.32925 > 198.41.0.4.domain: 2810 A? www.cnn.com. (29) (DF)
12:33:50.745737 10.159.1.11.32925 > 192.203.230.10.domain: 56159 A? www.cnn.com. (29) (DF)
12:33:53.155732 10.159.1.11.32925 > 192.5.5.241.domain: 16256 A? www.cnn.com. (29) (DF)
12:33:55.565718 10.159.1.11.32925 > 192.58.128.30.domain: 55341 A? www.cnn.com. (29) (DF)
12:33:57.975715 10.159.1.11.32925 > 192.33.4.12.domain: 16374 A? www.cnn.com. (29) (DF)
Why the difference?
Resolv.conf contains just two nameserver lines. Named.conf seems fine to me as well; recursive queries are on and everything is treated in the same way:
[root@f5-1:Active] config # cat /var/named/config/named.conf
# restrict rndc access to local machines
# use the key in the default place: /config/rndc.key
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1 ;}; };
logging {
    channel logfile {
        syslog daemon;
        severity error;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        logfile;
    };
    category config {
        logfile;
    };
    category notify {
        logfile;
    };
};
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    # set this to yes when you want to resolve off
    # box. setting it to yes when you dont actuallly
    # have a bind server configured will result in
    # bind timeouts for many commmands
    recursion no;
    recursion yes;
    forward only;
    directory "/config/namedb";
    allow-transfer {
        localhost;
    };
    check-names master warn;
    # change to "no" if you want to be able to add
    # MX records that do not reference a record that has an A record
    check-integrity yes;
};
acl "zrd-acl-000-000" {
    127.10.0.0;
    localnets;
};
view "external" {
    match-clients { "zrd-acl-000-000"; any; };
};
Regards
Andrzej
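Added example (not part of the original posts): every destination in the capture above is a root name server address from the root hints of that period, and this Python sketch classifies tcpdump DNS lines as going to a configured resolver, a root server, or somewhere unexpected. The `CONFIGURED` addresses are constructed placeholders, since the post does not show the resolv.conf entries; `classify` is a hypothetical helper name.

```python
import re

# Root server addresses as listed in root hints around 2009; all thirteen
# destinations in the posted capture appear here.
ROOT_SERVERS = {
    "198.41.0.4": "a", "192.228.79.201": "b", "192.33.4.12": "c",
    "128.8.10.90": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "128.63.2.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

# Line shape: time src.port > dst.domain: id [flags] TYPE? name. (len)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.domain: \d+ (?:\[\w+\] )?"
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def classify(lines, configured):
    """Return (dst, qname, verdict) for each DNS query line that parses."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line in the expected format
        dst = m["dst"]
        if dst in configured:
            verdict = "configured"
        elif dst in ROOT_SERVERS:
            verdict = "root-" + ROOT_SERVERS[dst]
        else:
            verdict = "unexpected"
        out.append((dst, m["qname"], verdict))
    return out

# Constructed placeholders: the real resolv.conf nameservers are not in the post.
CONFIGURED = {"192.0.2.53", "192.0.2.54"}
SAMPLE = [
    "12:33:29.060935 10.159.1.11.32925 > 128.8.10.90.domain: 57452 [1au] A? www.cnn.com. (40) (DF)",
    "12:33:48.335747 10.159.1.11.32925 > 198.41.0.4.domain: 2810 A? www.cnn.com. (29) (DF)",
    "12:34:01.000000 10.159.1.11.32925 > 192.0.2.53.domain: 1234 A? www.cnn.com. (29) (DF)",  # constructed
]

if __name__ == "__main__":
    for dst, qname, verdict in classify(SAMPLE, CONFIGURED):
        print(f"{dst:16} {qname:14} {verdict}")
```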
