rravens_165977
Jun 04, 2015

Need an iRule to forward DNS requests based on FQDN

We have the need to forward DNS that comes from a particular subnet (i.e. source = 10.10.10.0/24) to our internal DNS for all queries EXCEPT a list of 20 domain names that need to hit the external DNS to be resolved to their public IPs.

--->F5--- are you from 10.10.10.0/24, if yes, and you are resolving host.host.com... use DNS external, rest use DNS internal.

Any recommendations would be great.

thanks

8 Replies

  • https://devcentral.f5.com/wiki/iRules.DNS__rrname.ashx

    Something like this might work if you've got a GTM.

    when DNS_REQUEST {
      if { ([IP::addr [IP::client_addr] equals 10.10.10.0/24]) } {
        switch -glob [string tolower [DNS::rrname]] {
            "www.domain1.com" -
            "www.domain2.com" -
            "www.domain3.com" -
            "www.domain4.com" -
            "www.domain5.com" {
                pool external_dns_pool
            }
            default {
                pool internal_dns_pool
            }
        }
      }
    }
    If you're wanting to do something like this on an LTM, you're going to have some troubles. Is there a reason to not have the internal DNS do a recursive lookup for those requests?

    • rravens_165977
      Sorry, I just saw your question on the recursive lookups. This is a unique setup in that we have a remote access VPN that terminates in a DMZ. We are using full tunnel with excludes (public sites at our company, such as Lync, are not going over the tunnel and require the public IP address). If we use our internal DNS, that replies with the private IP address for the servers that Lync uses when on the LAN. We need clients to use internal DNS for all except a few sites that we want to exclude from the VPN tunnel and hit on public IP addresses. Thanks
    • Brandon_12607
      I was trying to add this iRule on the GTM in DNS -> Delivery -> iRules -> iRule List -> create… It gives me an error with DNS::rrname. I have tried to use DNS::name but it gives me an error also. Any thoughts?
  • JG

    Try something like this instead:

    when DNS_REQUEST {
      # Only queries from the VPN client subnet are split; all others keep the default pool.
      if { ([IP::addr [IP::client_addr] equals 10.10.10.0/24]) } {
        # DNS::question name is the command for the queried name in DNS_REQUEST.
        # Patterns must not carry a leading space or they will never match.
        switch -glob [string tolower [DNS::question name]] {
            "www.domain1.com" -
            "www.domain2.com" -
            "www.domain3.com" -
            "www.domain4.com" -
            "www.domain5.com" {
                pool external_dns_pool
            }
            default {
                pool internal_dns_pool
            }
        }
      }
    }
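An added example (not from the thread or from F5): the same split-forwarding decision, with the 20 names kept in a string data group instead of a hard-coded switch, so the list is maintained outside the rule and subdomains are covered. It assumes a data group named external_dns_domains whose entries are stored with a leading dot (e.g. ".lync.example.com"), the pool names used above, and that the class command is available to DNS_REQUEST on your BIG-IP DNS version.

```tcl
# Added example, not from the thread: split DNS forwarding driven by a
# string data group instead of a hard-coded switch. Assumed names:
# data group external_dns_domains (entries stored as ".domain1.com"),
# pools external_dns_pool / internal_dns_pool, VPN subnet 10.10.10.0/24.
when DNS_REQUEST {
    # Only the VPN client subnet is split; everyone else keeps the
    # listener's default pool.
    if { ![IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
        return
    }

    # Normalise the queried name: lowercase, no trailing dot.
    set qname [string trimright [string tolower [DNS::question name]] "."]

    # Prefixing a dot lets one ends_with test cover both the apex
    # ("lync.example.com") and every label beneath it, while a name
    # such as "notlync.example.com" does not match ".lync.example.com".
    if { [class match ".$qname" ends_with external_dns_domains] } {
        pool external_dns_pool
    } else {
        pool internal_dns_pool
    }
}
```

Entries that should match only an exact host can be stored as the full name with the leading dot (".www.domain1.com"), which still does not match sibling hosts.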