Need help with DNS iRULE
Do you think you will be able to give me direction on how to create this monitoring pool?
Thought you'd never ask. 😉
The idea here is that you'd create a Bash script, tie that to an External monitor, and then bind the monitor to a "dummy" pool (a pool with some bogus IP addresses). This does two things: 1) it creates a "cron-like" mechanism for the script, and 2) it can get backed up in normal config archiving. The monitor script will periodically query an external DNS for a defined service name, create a hash of the result, compare that hash to an existing hash (stored in a separate local file), and if the hash is the same it'll do nothing, otherwise it'll update the datagroup with the new IPs and rewrite the hash value file. You need to modify the variables at the top (DNS_SERVER, DNS_NAME, DNS_HASH, and DATAGROUP) to reflect your local environment. You also need to pre-create the address-based data group.
```bash
#!/bin/bash
# DNSMONITOR
# Purpose: to periodically query a remote DNS server for a given name to keep
# a local internal data group populated with current IP information.

# define DNS server
DNS_SERVER=10.80.0.200

# define server name
DNS_NAME=tester.mydomain.com

# define dns hash file
DNS_HASH=dns.hash

# define internal data group
DATAGROUP=my_dns_datagroup

# perform the DNS query
lookup=( $(dig @"$DNS_SERVER" "$DNS_NAME" +short +time=3 | sort) )

# verify that the DNS query returned a response
# (on failure dig prints a comment line starting with ";";
# an empty answer leaves the array empty)
if [ ${#lookup[@]} -eq 0 ] || [[ "${lookup[0]}" == ";"* ]]
then
    logger -p local0.info -t DNSMONITOR "DNS monitor is unable to query the DNS server $DNS_SERVER for the name '$DNS_NAME'"
    exit
fi

# create a flat list of IPs
iplist=$(printf -- '%s ' "${lookup[@]}")

# create a hash of the results (keep only the digest field of the md5sum output)
hash=$(echo $iplist | md5sum | cut -d' ' -f1)

# if the hash file doesn't exist or hash file value is different - update the datagroup
if [ ! -f "$DNS_HASH" ] || [ "$(cat "$DNS_HASH")" != "$hash" ]
then
    # overwrite the datagroup ($iplist is left unquoted so each IP is a separate record)
    tmsh modify ltm data-group internal "$DATAGROUP" records replace-all-with { $iplist }

    # log that the datagroup changed
    logger -p local0.info -t DNSMONITOR "DNS datagroup was updated with the following values: { $iplist }"

    # create/overwrite hash file
    echo "$hash" > "$DNS_HASH"
fi
```
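An added example, not part of the original post: the monitor above passes whatever `dig +short` prints to `tmsh`, so CNAME targets or a resolver error line would end up in the record list. The sketch below filters the answer down to well-formed IPv4 addresses and refuses an empty result; the function names are hypothetical, the sample resolver output is constructed, and it assumes the data group holds IPv4 host addresses only.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not code from the original post.

# Return 0 only for a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, misplaced dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read resolver output on stdin; print only valid addresses, sorted, de-duplicated.
filter_ipv4() {
    while IFS= read -r line; do
        if is_ipv4 "$line"; then printf '%s\n' "$line"; fi
    done | LC_ALL=C sort -u
}

# Build the space-separated record list for "replace-all-with { ... }".
# Returns 1 when nothing valid is left, so the caller keeps the existing records.
build_records() {
    records=$(filter_ipv4 | tr '\n' ' ')
    records=${records% }
    [ -n "$records" ] || return 1
    printf '%s' "$records"
}

# Constructed sample of dig +short output: a CNAME target, two A records,
# a duplicate and an out-of-range value.
sample='lb.tester.mydomain.com.
10.80.0.201
10.80.0.200
10.80.0.200
999.1.1.1'

if list=$(printf '%s\n' "$sample" | build_records); then
    echo "records: { $list }"
else
    echo "no valid addresses; data group left unchanged"
fi
```

In the monitor, `dig ... | build_records` would replace the array handling, with the hash taken over the filtered list.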