Forum Discussion

Torijori_Yamamada's avatar
Jul 17, 2023

Overlapped Networks Question

I have two networks which overlaps.

  • 10.140.10.0/28 and 10.240.20.0/28  in  "DC_Networks"
  • 10.140.10.0/23 and 10.240.20.0/23  in  "DRC_Networks"

An iRule is using to determine which DNS response should be returned and it looks source IP address while deciding. The answer is different for small and big network blocks.

 

 

when DNS_REQUEST {
    set qname [string tolower [DNS::question name]]
    log local0. "DNS Query: $qname"
    if { [class match $qname equals /Common/backend_services_dg] && [DNS::question type] == "A" } {
        DNS::answer clear
        if { [class match [IP::client_addr] equals "/Common/DC_Networks"] } {
            DNS::answer insert "${qname}. 111 [DNS::question class] [DNS::question type] [getfield [class match -value $qname equals /Common/backend_services_dg] ":" 1]"
            log local0. "DEBUG1:  Query: $qname,  Src IP: [IP::client_addr]"
        } elseif { [class match [IP::client_addr] equals "/Common/DRC_Networks"] } {
            DNS::answer insert "${qname}. 112 [DNS::question class] [DNS::question type] [getfield [class match -value $qname equals /Common/backend_services_dg] ":" 2]"
            log local0. "DEBUG2:  Query: $qname,  Src IP: [IP::client_addr]"
        } else {
            DNS::answer insert "${qname}. 113 [DNS::question class] [DNS::question type] [getfield [class match -value $qname equals /Common/backend_services_dg] ":" 1]"
            log local0. "DEBUG3:  Query: $qname,  Src IP: [IP::client_addr]"
        }
        DNS::return
    }
}

 

 

 Small network blocks listed in "DC_Networks" and bigger networks are listed in "DRC_Networks".  Before making some tests, i was certain i will see two log lines which starts with "DEBUG" key word because, "if" and "elseif" compares each time for same condition, right?

While testing with "atmoptimizer.spc.com" i saw that the "elseif" never triggered for overlapped networks. I was expecting to see two DEBUG lines in logs for each query.

 

 

 

ltm data-group internal backend_services_dg {
    records {
        atmoptimizer.spc.com {
            data 192.168.1.100:10.10.12.100
        }
    }
}

 

 

 

  • I suggest you implement this traffic steering based on topology records/LB.  It will scale much better and is made for just this use case.

    K75177455: Forcing DNS traffic to different data center when using Topology Load Balancing method

    https://my.f5.com/manage/s/article/K75177455

    https://www.youtube.com/watch?v=PyqHmmMcmm0

    https://blog.garraux.net/2012/08/f5-gtm-topology-records-lessons-learned/

     

    But to answer your original question, once an "if" or "elseif" condition is matched, it is executed and the that whole logic tree is done.

    As I think about your scenario more, you may have bigger issues with either the clients being on overlapping network space or the dns response being on overlapping networks spaces.  If either one of those is true, L3 routing will break for one or both.  Overlapping address spaces are first isolated through route domains.  From there, DNS services can/should be further isolated to control responses as needed (seperate DNS).  You don't want DNS records accidentially bleeding into other domains.

  • I suggest you implement this traffic steering based on topology records/LB.  It will scale much better and is made for just this use case.

    K75177455: Forcing DNS traffic to different data center when using Topology Load Balancing method

    https://my.f5.com/manage/s/article/K75177455

    https://www.youtube.com/watch?v=PyqHmmMcmm0

    https://blog.garraux.net/2012/08/f5-gtm-topology-records-lessons-learned/

     

    But to answer your original question, once an "if" or "elseif" condition is matched, it is executed and the that whole logic tree is done.

    As I think about your scenario more, you may have bigger issues with either the clients being on overlapping network space or the dns response being on overlapping networks spaces.  If either one of those is true, L3 routing will break for one or both.  Overlapping address spaces are first isolated through route domains.  From there, DNS services can/should be further isolated to control responses as needed (seperate DNS).  You don't want DNS records accidentially bleeding into other domains.