
Forum Discussion

Ispone_netadmin (Nimbostratus)
Feb 24, 2014

Need to allow only a few networks/IP blocks for DNS request

Hi,


We are trying to refine how our DNS LB is configured in F5. We are currently load balancing both TCP and UDP DNS requests between two DNS servers. This is working fine, except that on our DNS servers we used to have ACLs to allow only requests from our own customers and discard all others. We want to achieve the same through F5 to prevent it from being an open relay.


I tried to do it with iRules, allowing all the desired IP blocks, and the problems I faced are as below.


The SNAT happens before the iRule is applied, and the virtual server sees the traffic coming from two of the self IPs (from two core routers) rather than the end users' IPs. So it's of no use, because we want to restrict by our customers' IPs only.


Another problem related to this is that we saw a log saying "Inet port exhaustion on %Self IP% to %Virtual Server%:53 (proto 6)".


As far as I know, it can be done with packet filtering, but packet filtering works globally. We also do not want that.


My question is: what's the best way to deal with it? If we do not do SNAT, the clients will receive the DNS responses directly from the DNS servers rather than from the virtual server, and may discard them. This is also not the desired scenario.


Thanks in advance.


4 Replies

  • Not sure of your network topology, but remember that BIG-IP is a full proxy. So it has a client side of the connection and a server side of the connection. If you have SNAT enabled on the Virtual Server, that should only affect the server side of the proxy. You should still see the original client source IP on the client side of the connection, and so iRules have access to this information, meaning that you should easily be able to filter based on source IP.

     

    For the port exhaustion issue, I suspect you're using a single SNAT address in your Virtual Server definition. To overcome port exhaustion, simply use a snatpool instead, containing multiple IP addresses. This will give you significantly more ports to use, which should avoid the port exhaustion problem.

     

    Having said all of this, keep in mind that if you have the DNS Services or GTM licenses, then you'll actually be able to use the BIG-IP itself for DNS resolution, rather than having to load balance your DNS servers. BIG-IP has phenomenal DNS performance too, probably better than you're getting now load-balancing separate DNS servers.
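An LTM iRule that applies the reply above, added here as an illustration; it is not code from the thread or from F5, and the pool name dns_pool is an assumption. TrustedAddresses is the data group named in the original post and is assumed to be an address-type data group holding the customer prefixes. The filter runs in CLIENT_ACCEPTED, which fires for both the TCP and UDP listeners on the client side of the proxy, before any server-side connection (and hence any SNAT) exists; SERVER_CONNECTED then logs the server-side source address so the two can be compared.

```tcl
# Added example iRule for a DNS virtual server; not from the thread.
# Assumed names: dns_pool (pool of the two DNS servers) and
# TrustedAddresses (address-type data group of customer prefixes).

when CLIENT_ACCEPTED {
    # Client side of the full proxy: no server-side connection exists yet,
    # so SNAT has not happened and IP::client_addr is the address the
    # packet arrived from. If that address is already a router's self IP,
    # the translation is being done upstream of the BIG-IP and no iRule
    # can recover the real client.
    set client [IP::client_addr]

    if { [class match $client equals TrustedAddresses] } {
        # Customer prefix: send the flow to the DNS pool and let normal
        # load balancing (and the server-side SNAT) proceed.
        pool dns_pool
        return
    }

    # Everyone else gets no answer at all. Even a REFUSED reply would
    # let the listener be used as a reflector toward spoofed sources.
    # Rate-limit or remove this log line in production; it fires per packet.
    log local0. "DNS from untrusted source $client (proto [IP::protocol]) - dropping"
    if { [IP::protocol] == 6 } {
        # TCP: answer the SYN with a reset so the client does not hang.
        reject
    } else {
        # UDP (protocol 17): drop silently, there is no connection to reset.
        drop
    }
}

when SERVER_CONNECTED {
    # Server side of the proxy. With SNAT or a snatpool on the virtual
    # server, IP::local_addr here is the BIG-IP address the DNS servers see;
    # clientside { IP::client_addr } is still the original client.
    log local0. "client [clientside { IP::client_addr }] -> server [IP::server_addr] via snat [IP::local_addr]"
}
```

Attach the iRule to both the TCP and the UDP virtual server on port 53. For the port exhaustion message, point the virtual servers' source address translation at a snatpool with several addresses instead of a single SNAT address (for example, with assumed names, "tmsh create ltm snatpool dns_snatpool members add { 10.0.0.11 10.0.0.12 }"), since each SNAT address has only about 64k source ports per destination.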

     

  • Were you attempting this with a GTM iRule? If so, try using an LTM iRule (the system processes LTM iRules very early) and apply it to your listener virtual server. This will be processed far before SNAT. Your trigger should be 'when DNS_REQUEST'.

     

  • Hi

    We are using an LTM iRule, and it is applied to the Virtual Server. I have not found whether or how SNAT can be done on the client side.

    I have also tried with the trigger "when DNS_REQUEST" and found no hit on that iRule; traffic is processed as is. This iRule is applied on the Virtual Server, the IP which clients are using as their DNS.

    when DNS_REQUEST {
        # Previously it was CLIENT_ACCEPTED
        if { [matchclass [IP::client_addr] equals TrustedAddresses] } {
            # Uncomment the line below to turn on logging.
            log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
            forward
        } else {
            # Uncomment the line below to turn on logging.
            log local0. "Invalid client IP: [IP::client_addr] - discarding"
            discard
        }
    }

    I am logging whether it's allowed or discarded. When I was using CLIENT_ACCEPTED, I could see this in the logs:

    "Valid client IP: (one of the self IP) - forwarding traffic"

    Our expectation is to see "Valid client IP: (one of the client IP) - forwarding traffic"

    Thanks

    • Ispone_netadmin (Nimbostratus)
      Hi Mike, thanks for your answer. I could not find any way to remove SNAT from the client side, as there is nothing regarding SNAT on the self IP configuration. In our case, from the log it's evident that SNAT is happening before the iRule is hit, as we can see the NATed IP in the logs. Thanks