Forum Discussion
Vishal_Bhugra_1
Nimbostratus
Jul 29, 2015
PUBLIC FQDN
Hello Experts
My scenario is somewhat like this: we have user machines which will be trying to access an internal portal page, which will be resolved to an internal IP. This IP will be used as VIP on F...
VernonWells
Employee
Jul 29, 2015
If you are running 11.6.0, you can use FQDNs as pool members. This is described in detail here:
You would also need to SNAT the connection:
If you are using a version prior to that, and the target must be an FQDN, you'll have to use an iRule. You should read the information regarding the RESOLV::lookup command:
then use something like this (untested!):
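    when RULE_INIT {
        # FQDN of the server the connection is forwarded to
        set static::rf_target_fqdn "www.example.com"
    }
    when CLIENT_ACCEPTED {
        # Resolve the A records for the target on every new connection
        set alist [RESOLV::lookup -a $static::rf_target_fqdn]
        if { [llength $alist] > 0 } {
            # Forward to the first address returned
            node [lindex $alist 0]
        } else {
            log local0.warn "Failed to resolve hostname ($static::rf_target_fqdn)"
            reject
        }
    }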
There are (at least) three drawbacks here:
1. RESOLV::lookup does not follow CNAME records;
2. if the result returns more than one A record, it'll always use the first (though typically local resolvers rotarize the results on each query); and
3. each connection incurs the lookup cost and consequent latency.

Vishal_Bhugra_1
Nimbostratus
Jul 29, 2015
Thanks a lot Vernon
I am using 11.6 and my FQDN is getting resolved. Following is my configuration, please correct me if I am wrong
    ltm virtual AWS_TEST {
        destination 172.16.254.51%254:http
        ip-protocol tcp
        mask 255.255.255.255
        partition AWS
        profiles {
            /Common/http { }
            /Common/mptcp-mobile-optimized { }
            My_REWRITE_PROFILE { }
        }
        source 0.0.0.0/0
        source-address-translation {
            pool /Common/AWS_TEST_POOL
            type snat
        }
        source-port preserve-strict
        translate-port disabled
        vlans {
            VLAN_SERVER_AWS
        }
        vlans-enabled
        vs-index 89
    }

    ltm pool AWS_TEST {
        members {
            www.gogoair.com:http {
                fqdn {
                    autopopulate enabled
                    name www.gogoair.com
                }
                state fqdn-up
            }
            www.gogoair.com-12.130.115.24:http {
                address 12.130.115.24%0
                ephemeral true
                state up
                fqdn {
                    name www.gogoair.com
                }
            }
        }
        monitor /Common/http
        partition AWS
    }

    ltm snatpool AWS_TEST_POOL {
        members {
            172.16.254.50
        }
    }

    ltm profile rewrite My_REWRITE_PROFILE {
        app-service none
        bypass-list none
        client-caching-type cache-css-js
        defaults-from /Common/rewrite
        java-ca-file /Common/ca-bundle.crt
        java-crl none
        java-sign-key /Common/default.key
        java-sign-key-passphrase-encrypted none
        java-signer /Common/default.crt
        location-specific false
        request {
            insert-xforwarded-for enabled
            insert-xforwarded-host disabled
            insert-xforwarded-proto disabled
            rewrite-headers enabled
        }
        response {
            rewrite-content enabled
            rewrite-headers enabled
        }
        rewrite-list none
        rewrite-mode uri-translation
        split-tunneling false
        uri-rules {
            uri_1438135745006 {
                client {
                    host 172.16.254.51
                    path /r/n/
                    scheme http
                }
                server {
                    host www.gogoair.com
                    path /
                    scheme http
                }
            }
        }
    }
The thing I am seeing is my request is not hitting the public address
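
Two of the drawbacks VernonWells lists for the RESOLV::lookup iRule (always using the first A record, and one DNS query per connection) can be reduced by caching the answer in the session table and choosing an address at random. This is an added example, not code from the thread; the `rf_dns:` key prefix, the `static::rf_cache_ttl` variable and its 30-second value are assumptions, and it still does not follow CNAME records.

```tcl
when RULE_INIT {
    set static::rf_target_fqdn "www.example.com"
    # Assumed value: seconds a resolved address list is reused before re-querying
    set static::rf_cache_ttl 30
}

when CLIENT_ACCEPTED {
    # Session-table key for the cached answer (key prefix is an assumption)
    set key "rf_dns:$static::rf_target_fqdn"

    # -notouch keeps the lookup from extending the entry's timeout,
    # so the cached answer really expires after rf_cache_ttl seconds
    set alist [table lookup -notouch $key]

    if { $alist eq "" } {
        # Cache miss: only this connection pays the DNS lookup latency
        set alist [RESOLV::lookup -a $static::rf_target_fqdn]
        if { [llength $alist] > 0 } {
            # Store only successful answers; failures are retried next time
            table set $key $alist $static::rf_cache_ttl $static::rf_cache_ttl
        }
    }

    if { [llength $alist] > 0 } {
        # Spread connections across all returned A records
        # instead of always taking the first one
        set idx [expr { int(rand() * [llength $alist]) }]
        node [lindex $alist $idx]
    } else {
        log local0.warn "Failed to resolve hostname ($static::rf_target_fqdn)"
        reject
    }
}
```

A cached answer is reused for `rf_cache_ttl` seconds regardless of the record's own DNS TTL, so keep the value short when the target's addresses change often.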