Forum Discussion
meena_60183
Nimbostratus
Jun 09, 2009
reverse DNS lookup on iRule
Hi All,
I have the following requirement. The Apache web server currently has the following logic:
- Port 80 and DNS match: when users come in on port 80 and the reverse DNS lookup on the client IP contains xxx.com, it sends the traffic to port 8080 on the web server.
- Port 443 and DNS match: when users come in on port 443 and the reverse DNS lookup on the client IP contains xxx.com, it sends the traffic to port 8443 on the web server.
- Port 80 and DNS mismatch: when users come in on port 80 and the reverse DNS lookup on the client IP is not xxx.com, redirect to port 8443 on the server.
- Port 443 and DNS mismatch: when users come in on port 443 and the reverse DNS lookup on the client IP is not xxx.com, send it to port 8443 on the server.
Can this be done using iRules? The only piece I do not know is how to do the reverse lookup using the DNS server.
Meena
10 Replies
- The_Bhattman
Nimbostratus
Yes, I believe it can be done.
Here is a link to a command that may work nicely for you:
http://devcentral.f5.com/wiki/default.aspx/iRules/NAME__lookup.html
Hope this helps,
CB
- meena_60183
Nimbostratus
Thank you for the response. I tried the iRule and I did not get the resolved name. I logged the client IP:
when HTTP_REQUEST {
    # Hold HTTP data until the hostname is resolved
    HTTP::collect
    log local0. "client ip = [IP::client_addr]"
    # Start a name resolution on the client address
    NAME::lookup [IP::client_addr]
}
when NAME_RESOLVED {
    log local0. "client name = >[NAME::response]<"
    # Release HTTP data once the hostname is resolved
    HTTP::release
}
and the log shows
Jun 11 15:32:39 tmm tmm[1788]: Rule dns-name-lookup : client ip = 10.124.242.84
Jun 11 15:32:39 tmm tmm[1788]: Rule dns-name-lookup : client name = ><
I have the correct DNS configured on the BIG-IP. When I do a manual nslookup using that DNS server, it gets resolved.
Any ideas?
Meena
- Wintrode_61162
Nimbostratus
I am seeing the same behavior. I never see the DNS query leave the F5. I must be missing something. It takes a full 20 seconds, so it looks like it is timing out trying to do the lookup. I also do not see any traffic leaving the F5 on port 53 when running tcpdump. When I just do a lookup from the CLI, I see everything fine.
May 19 14:47:17 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: New connection to 10.26.16.5:80
May 19 14:47:17 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: Collecting HTTP for new lookup
May 19 14:47:37 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: Lookup result:
My code is as follows (I stripped it down trying to troubleshoot):
when CLIENT_ACCEPTED {
    # Trigger a name lookup for new connections
    set do_lookup 1
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
    # Check if we haven't done a lookup already on this connection
    if { $do_lookup } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Collecting HTTP for new lookup"
        # Hold HTTP data until the client IP address is resolved
        HTTP::collect
        # Start a PTR resolution on the client IP address
        NAME::lookup -ptr [IP::client_addr]
    }
}
when NAME_RESOLVED {
    # FQDN of the client IP address
    log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: [NAME::response]"
    set do_lookup 0
    HTTP::release
}
- hoolio
Cirrostratus
Do you have a TMM route for the DNS server? TMM won't be able to use a DNS server on the management interface.
Also, if you're on 10.1 or higher, you should use RESOLV::lookup instead as it is simpler and more efficient:
http://devcentral.f5.com/wiki/default.aspx/iRules/resolv__lookup
Aaron
- Wintrode_61162
Nimbostratus
There is no specific route to the DNS server, but the default route should get it there (I can ping the DNS server from the self IP).
Let me try RESOLV and see what happens.
- hoolio
Cirrostratus
Is there a TMM default route which allows you to reach the DNS server? Pinging from the command line can use mgmt routes. RESOLV::lookup will show the same issue as TMM tries to do the DNS query.
For details on TMM versus management routing, see
sol3669: Overview of management interface routing
http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html
Aaron
- Wintrode_61162
Nimbostratus
There is a default route defined in TMM. The issue looks to be that when executing RESOLV or NAME without specifying a DNS server, it goes nowhere. I thought it would have used the DNS servers defined on the TMM. Was this a false assumption?
When I specify a DNS server, it resolves correctly: [RESOLV::lookup @xxx.xxx.xxx.xxx -ptr [IP::client_addr]], which brings up a whole other issue. I'm going to have to define a pool of DNS servers to do the lookups against to provide the redundancy I need (not a big deal really).
- hoolio
Cirrostratus
I didn't think you'd have to specify a DNS server in either command. But if it works with a virtual server or explicit IP, I say go for it :) If you want to use a pool of DNS servers, you can define a virtual server pointing to that pool and then use the virtual server name in the RESOLV::lookup command.
Aaron
- Wintrode_61162
Nimbostratus
Exactly Aaron. Thanks for the help.
It is a little disconcerting that I need to specify the server... I need to dig into that a bit more, but with a workable solution, it doesn't really bother me much.
I guess the RESOLV PTR lookup issue was fixed in 10.x.x? That was the reason I started off with NAME in the first place.
- hoolio
Cirrostratus
The -ptr issue with RESOLV::lookup was fixed in 10.2.1 HF1. You can download the latest 10.2.1 hotfix from downloads.f5.com.
Aaron
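The thread ends with the working pieces (RESOLV::lookup pointed at a DNS virtual server, the TMM route requirement, the 10.2.1 HF1 fix for -ptr) but never assembles the four cases from the original post. The iRule below does that. It is an added example written for this page, not code from any of the posters or from F5, and it assumes hypothetical object names: a DNS virtual server "dns_vs" in front of a pool of the site's resolvers (reachable over a TMM route, as hoolio notes, not via the management interface), pools "web_8080" and "web_8443" for the two Apache ports, and a BIG-IP on 10.2.1 HF1 or later so that RESOLV::lookup -ptr works. Two checks are added that the original requirement does not spell out: the domain is matched as a suffix rather than "contains xxx.com" (so xxx.com.attacker.net does not qualify), and the PTR answer is forward-confirmed, because the owner of the client's reverse zone can publish any name they like in a PTR record. A lookup failure or timeout is treated as "not trusted".

```tcl
# Added example for this thread; not code from the original posters or from F5.
# Assumed (hypothetical) objects: DNS virtual server "dns_vs", pools "web_8080"
# and "web_8443", BIG-IP 10.2.1 HF1 or later. Attach to both the :80 and :443
# virtual servers.
when RULE_INIT {
    # Trusted domain, matched as a suffix (".xxx.com"), not as a substring.
    set static::trusted_suffix ".xxx.com"
    # DNS virtual server used for every lookup (name is an assumption).
    set static::dns_vs "dns_vs"
    # Seconds to cache a verdict per client IP in the session table.
    set static::verdict_ttl 300
}

when CLIENT_ACCEPTED {
    # -1 = not decided yet for this TCP connection; 0/1 once known.
    set trusted -1
}

when HTTP_REQUEST {
    if { $trusted == -1 } {
        set client [IP::client_addr]
        # Session-table cache: empty string when there is no entry for this client.
        set cached [table lookup -subtable rdns_verdict $client]
        if { $cached ne "" } {
            set trusted $cached
        } else {
            # Fail closed: a timeout or an empty answer leaves the client untrusted.
            set trusted 0
            # RESOLV::lookup suspends this connection until the answer (or timeout)
            # arrives, so no HTTP::collect / HTTP::release is needed.
            foreach name [RESOLV::lookup @$static::dns_vs -ptr $client] {
                set name [string tolower [string trimright $name "."]]
                if { [string match "*$static::trusted_suffix" $name] } {
                    # Forward-confirmed reverse DNS: the PTR is controlled by whoever
                    # owns the client's reverse zone, so also require the returned
                    # name to resolve back to the client IP.
                    set addrs [RESOLV::lookup @$static::dns_vs -a $name]
                    if { [lsearch -exact $addrs $client] >= 0 } {
                        set trusted 1
                        break
                    }
                }
            }
            table set -subtable rdns_verdict $client $trusted $static::verdict_ttl
        }
        log local0. "$client:[TCP::client_port] -> :[TCP::local_port] trusted=$trusted"
    }

    # The four cases from the original post. "Redirect to 8443" for an untrusted
    # client on port 80 is taken as an HTTP redirect to the HTTPS virtual server,
    # which then lands on web_8443 (assumption).
    switch -exact -- "[TCP::local_port]:$trusted" {
        80:1    { pool web_8080 }
        443:1   { pool web_8443 }
        80:0    { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
        443:0   { pool web_8443 }
        default { reject }
    }
}
```

The verdict is cached per client IP for five minutes, so a busy client costs two DNS round trips every 300 seconds rather than two per connection; shorten the TTL if the reverse zone changes often. If the lookups still go nowhere, check the TMM routing table for a route to the resolvers behind dns_vs before suspecting the iRule, as the thread's own troubleshooting shows.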