Forum Discussion

rahvee's avatar
rahvee
Icon for Altocumulus rankAltocumulus
Nov 01, 2024

Resolving DNS, and dynamically selecting pool

The problem: Some LAN hosts are not permitted outbound access to the internet through the firewall, and yet, they need access to github.com. Unfortunately, github's published CIDR ranges are enormous (hundreds of CIDR ranges), and dynamic, so we can't just modify firewall to allow outbound access to a simple set of CIDR ranges. Also, github.com is extremely dynamic. If you resolve over and over, it comes back with a new set of IP addresses every few seconds. So our firewall, which supports DNS-based rules, is not able to support DNS-based rules for github.com. It's just simply too volatile.

The proposed workaround: Host a virtual server as a reverse proxy on a private IP address on the F5, which will use an iRule to query github.com, and TCP pass-thru traffic to whatever external IP address is returned. Local clients would have the F5 IP address hard-coded into /etc/hosts so all traffic for github.com will go to this local F5 IP address, and the F5 should pass-thru to an appropriate external IP for github.com.

The DNS query is easy enough in an iRule. The problem is pool selection. I assume I can't have an iRule dynamically create or modify a pool, right? I should be able to create a pool with a hard-coded set of IP addresses in it, but then it won't be dynamic at all, and we'll be prone to failure whenever github decides to change their IP addresses.

Any good ideas for possible solutions?

Thanks

  • you can simple create pool member using hostname instead of ip address

     

  • Create a NODE using the FQDN github.com and adjust the TTL to the desired time.

    Associate this NODE with a POOL named github_pool.

    Create a reverse-proxy virtual server "vs_github_proxy"  of type Performance (Layer 4), associate the POOL in the resources section. Additional settings, such as defining the VLAN for incoming traffic or even a SNAT Pool, can be configured as needed.

    If necessary, add an iRule to restrict access to specific URLs within the GitHub domain.

    If you do not want to filter the ports, you can create a port list in Shared Objects and associate it with the virtual server.