Using RESOLVER::name_lookup to return an IP address for a FQDN
Hi.
We are running 15.1 and we have a Virtual Server (webservice app) with an irule that only allows certain IP addresses making requests to it.
One of our external service providers has a service in AWS which needs to make requests to this VS, but their IP address is dynamic and thus it changes every 24 hours.
Obviously we have got the FQDN of the external service, but in our irule we need to use RESOLVER::name_lookup to lookup the FQDN based on the [IP::client_addr] and then compare before we can either allow the traffic or drop it.
So far we have managed to return a 94 character string using RESOLVER::name_lookup, but I cannot get RESOLVER::summarize to return anything.
So far we have tried examples on https://devcentral.f5.com/s/feed/0D51T00007szTWjSAM and https://clouddocs.f5.com/api/irules/RESOLVER__summarize.html but with no results.
Maybe there is another way which we are not aware of yet.
- JRahm
Admin
A couple of quick questions:
- Is it IPv4 or IPv6?
- Is the net resolver destination you've configured the same as one you use for command line validation, so they get the same response?
- Have you read through my article (don't remember if we touched on that in the stream)?
Can you post a sanitized version of your rule, and feel free to shoot me the string you're receiving via email and I can debug that in my lab.
- cccu_werner
Altostratus
Hi Jason
Here is a section of the irule
when HTTP_REQUEST {
    #work in progress section
    set fqdn testing.test-url.com
    set ips [RESOLVER::name_lookup "/Common/f5-aws-dns" $fqdn a]
    log local0. "$fqdn IP address resolved to $ips"
    set rs [RESOLVER::summarize $ips]
    log local0. "which resolves to $rs"
}
Yes we have read through your article.
Many thanks
- JRahm
Admin
Hi there. Sorry for the delay. Since you are using the /Common/f5-aws-dns resolver, did you modify it to include the zone for which your fqdn resides? For example, if I'm going to look up espn.com on my local test box, my aws resolver would need to look like this:
net dns-resolver f5-aws-dns {
    forward-zones {
        amazonaws.com {
            nameservers {
                8.8.8.8:domain { }
            }
        }
        espn.com {
            nameservers {
                8.8.8.8:domain { }
            }
        }
        idservice.net {
            nameservers {
                8.8.8.8:domain { }
            }
        }
        shpapi.com {
            nameservers {
                8.8.8.8:domain { }
            }
        }
    }
    route-domain 0
}
And if I change my iRule to do more logging like this:
when CLIENT_ACCEPTED {
    set fqdn espn.com
    set lookup_result [RESOLVER::name_lookup "/Common/f5-aws-dns" $fqdn a]
    log local0.debug "Lookup: $lookup_result"
    set lookup_summary [RESOLVER::summarize $lookup_result]
    log local0.debug "Summary: $lookup_summary"
    foreach rr $lookup_summary {
        log local0.debug $rr
        log local0.debug [lindex $rr 4]
    }
}
Then my results are:
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: Lookup: 000081800001000400000000046573706E03636F6D0000010001C00C000100010000003B00046354A008C00C000100010000003B00046354A00AC00C000100010000003B00046354A037C00C000100010000003B00046354A044
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: Summary: {espn.com. 59 IN A 99.84.160.8} {espn.com. 59 IN A 99.84.160.10} {espn.com. 59 IN A 99.84.160.55} {espn.com. 59 IN A 99.84.160.68}
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com. 59 IN A 99.84.160.8V
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.8
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com. 59 IN A 99.84.160.10
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.10
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com. 59 IN A 99.84.160.55
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.55
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com. 59 IN A 99.84.160.68
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.68
I added espn.com to the aws resolver since you're using it, but in a real scenario, I'd create a standalone resolver specifically for the iRule instead of modifying the aws one.
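The thread shows how to get the A records out of RESOLVER::summarize but stops short of the original goal: only letting clients through whose source address is one the FQDN currently resolves to. The following iRule is an added example, not code from either participant or from F5; it assumes a dedicated resolver named "/Common/irule-resolver" (with a forward zone covering the FQDN, as the answer above recommends) and uses "partner.example.com" as a placeholder FQDN. It caches the resolved addresses in the session table for 60 seconds so the resolver is not hit on every request, and it fails closed when no A record comes back.

```tcl
# Added example (not from the thread): allow a virtual server only for the
# addresses an FQDN currently resolves to.
# Assumptions: net dns-resolver "/Common/irule-resolver" exists with a
# forward zone for the FQDN; "partner.example.com" is a placeholder.
when HTTP_REQUEST {
    set fqdn "partner.example.com"
    set resolver "/Common/irule-resolver"
    set cache_key "allowed_ips:$fqdn"

    # Reuse the cached answer (60 s); otherwise resolve and summarize.
    set allowed [table lookup -subtable allowlist $cache_key]
    if { $allowed eq "" } {
        set raw [RESOLVER::name_lookup $resolver $fqdn a]
        # summarize errors on an empty/invalid response; treat that as no answer
        if { [catch { RESOLVER::summarize $raw } summary] } {
            set summary [list]
        }
        set allowed [list]
        foreach rr $summary {
            # each record looks like {host. ttl IN A 192.0.2.1}; keep A answers only
            if { [lindex $rr 3] eq "A" } {
                lappend allowed [lindex $rr 4]
            }
        }
        if { [llength $allowed] == 0 } {
            # Fail closed: with no answer nobody can be validated.
            log local0.warning "No A records for $fqdn; rejecting [IP::client_addr]"
            reject
            return
        }
        # timeout 60 s, lifetime 60 s: refresh roughly once a minute
        table set -subtable allowlist $cache_key $allowed 60 60
    }

    # Compare the client address against every current answer.
    set permitted 0
    foreach ip $allowed {
        if { [IP::addr [IP::client_addr] equals $ip] } {
            set permitted 1
            break
        }
    }
    if { !$permitted } {
        log local0.info "Rejecting [IP::client_addr]: not in answers for $fqdn ($allowed)"
        reject
    }
}
```

The cache lifetime should stay well below the record's TTL so a changed address is picked up quickly; the 59-second TTL in the log above would justify something shorter than 60 seconds. Logging the rejected address together with the current answer set makes a mismatch easy to diagnose when the provider's address rolls over.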
- cccu_werner
Altostratus
Hi Jason
Thank you for this. The vendor has actually now added the http.referer to their app so we are now able to use that value in our check.
I can definitely see us using your DNS Resolver method in the future though.
Regards