Forum Discussion
rravens_165977
Nimbostratus
Jun 04, 2015
need an irule to forward DNS requests based on FQDN
We have the need to forward DNS that comes from a particular subnet (i.e. source = 10.10.10.0/24) to our internal DNS for all queries EXCEPT a list of 20 domain names that need to hit the external to...
cdougall_14195
Cirrus
Jun 04, 2015
https://devcentral.f5.com/wiki/iRules.DNS__rrname.ashx
Something like this might work if you've got a GTM.
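    when DNS_REQUEST {
        # Only queries from the 10.10.10.0/24 subnet are steered here
        if { ([IP::addr [IP::client_addr] equals 10.10.10.0/24]) } {
            # Compare the queried name case-insensitively
            switch -glob [string tolower [DNS::rrname]] {
                "www.domain1.com" -
                "www.domain2.com" -
                "www.domain3.com" -
                "www.domain4.com" -
                "www.domain5.com" {
                    pool external_dns_pool
                }
                default {
                    # Everything else goes to the internal DNS servers
                    pool internal_dns_pool
                }
            }
        }
    }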
If you're wanting to do something like this on an LTM, you're going to have some troubles. Is there a reason to not have the internal DNS do a recursive lookup for those requests?
rravens_165977
Nimbostratus
Jun 04, 2015
Sorry, I just saw your question on the recursive lookups. This is a unique setup in that we have a remote access VPN that terminates in a DMZ. We are using full tunnel exclude (public sites at our company, such as Lync, are not going over the tunnel and require the public IP address). If we use our internal DNS, that replies with the private IP address for the servers that Lync uses when on the LAN.
We need clients to use internal for all except a few sites that we want to exclude from the VPN tunnel and hit on public IP addresses.
thanks
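A data-group variant of the iRule in the answer above, added here as an example and not code posted by anyone in the thread. It assumes a string data group named vpn_external_names_dg (hypothetical) whose records are stored with a leading dot, e.g. `.www.domain1.com`; this goes beyond the exact-name switch by also covering subdomains of a listed name while still matching only on whole DNS labels.

```tcl
# Added example. Assumed names: data group vpn_external_names_dg (type string,
# one record per excluded name, each written with a leading dot). The pools
# external_dns_pool and internal_dns_pool are the ones used in the answer.
when DNS_REQUEST {
    # Clients outside the VPN subnet keep the virtual server's default pool.
    if { not [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
        return
    }

    # Normalise the queried name: lower-case, and strip a trailing root dot
    # if one is present.
    set qname [string trimright [string tolower [DNS::rrname]] "."]

    # Prefix the name with a dot before the suffix match. With the record
    # ".domain1.com":
    #   "domain1.com"      -> ".domain1.com"      matches (exact name)
    #   "sip.domain1.com"  -> ".sip.domain1.com"  matches (subdomain)
    #   "notdomain1.com"   -> ".notdomain1.com"   does not match
    # A plain ends_with on the undotted name would accept the third case
    # and send a look-alike name to the external resolvers.
    if { [class match -- ".$qname" ends_with vpn_external_names_dg] } {
        # Audit trail for the exceptions; remove on a busy listener.
        log local0.info "split-dns: [IP::client_addr] $qname -> external"
        pool external_dns_pool
    } else {
        # Default to internal so unlisted (including internal-only) names
        # are never sent to the external resolvers.
        pool internal_dns_pool
    }
}
```

Keeping the exception list in a data group lets the 20 names be changed without editing the iRule itself.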