Forum Discussion
Maxim_Taskov_90
Nimbostratus
Apr 05, 2006
Wildcard DNS Server and iRules
Hi - I am running BIG-IP 9.1 on 5100 and 1000 units.
My objective is to assign SNAT and limit bandwidth utilization for DNS (UDP/53) traffic for specific clients and leave all other servers ...
Maxim_Taskov_90
Nimbostratus
Apr 09, 2006
Thanks Colin. I thought as much but wanted to be sure.
I had to completely change my strategy as I got to a point where I was running 3 rules to accomplish a relatively simple objective. On top of everything I was confusing the [IP::local_addr] with the [IP::remote_addr] variables and lost a lot of sleep until I found the error but now things are OK. I almost started losing faith in BIG-IP's abilities but I somehow knew that that can't be true and I must be doing something wrong. Anyway, this is the final state of my rule to manage DNS traffic:
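when CLIENT_ACCEPTED {
    # SNAT and rate-limit clients listed in dns_clients, unless the
    # destination address is in five_vlans.
    if { [matchclass [IP::client_addr] eq $::dns_clients]
         and ! [matchclass [IP::local_addr] eq $::five_vlans] } {
        snat 10.10.10.10
        rateclass one_mb
    }
}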
The above is assigned to a 0.0.0.0:53 Forwarding (IP) type VS with UDP profile and without SNAT, Rate Class, or Port translation settings.
Thank you and the whole iRule support team for your help. This is the second time I turn to you for help and in both cases I have received fast and professional help.
Regards, Maxim
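A logging variant of the rule above, added here as an example and not part of Maxim's post, that records what [IP::local_addr] and [IP::remote_addr] resolve to on each leg of the flow, since the two are easy to confuse. It reuses the class names, SNAT address and rate class from the post; the variable names, the local0.info log facility, and the assumption that SERVER_CONNECTED fires on this virtual server type are additions.

```tcl
when CLIENT_ACCEPTED {
    # Client-side context: remote_addr is the DNS client (same value as
    # IP::client_addr here), local_addr is the destination address the
    # client sent its query to.
    set c_src [IP::remote_addr]
    set c_dst [IP::local_addr]
    set shaped 0

    if { [matchclass $c_src eq $::dns_clients]
         and ! [matchclass $c_dst eq $::five_vlans] } {
        snat 10.10.10.10
        rateclass one_mb
        set shaped 1
    }
    log local0.info "DNS client-side src=$c_src dst=$c_dst shaped=$shaped"
}

when SERVER_CONNECTED {
    # Server-side context: the same two commands now describe the other leg.
    # local_addr is the source address BIG-IP uses toward the server
    # (10.10.10.10 when the SNAT was applied), remote_addr is the DNS server.
    log local0.info "DNS server-side src=[IP::local_addr] dst=[IP::remote_addr] shaped=$shaped"
}
```

Each new UDP flow writes two log lines, so on a busy port 53 virtual server the log statements should be removed once the addresses have been confirmed.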