DNS::question name - Modifying a DNS Suffix When Your Windows Client Appends It During Recursive Lookups

Quite some time ago I was asked about a 2-second delay when performing recursive lookups against the BIG-IP. My first thought was that there was an issue with transport. I then decided to deploy it i...
Updated Jun 06, 2023
Version 2.0
application delivery
BIG-IP DNS
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 15, 2019

Hi Steve,

your iRule does actually not rewrite the DNS request before sending it to your upstream DNS resolvers.

Your iRule is more or less just DNS reponding on behalt of the DNS Server with an empty DNS response (a DNS response without any RRs) for every DNS request ending with "domain.lab". This will cause nslookup to skip slightly faster through your systems DNS-Suffix list resulting in a faster total response time...

The provided rewrite part...

set queryName [string trimright {".demo.lab"} [DNS::question name] ] 
log local0. "My new question name: $queryName"
DNS::return

... basically just extracts the 

[DNS::question name]
, performs a 
[string trimright]
and stores the new value it into the variable 
$queryName
. The 
$queryName
is then only be used for logging but not to overwrite the DNS query in progress. The empty DNS response is send by calling the 
DNS::return
command (aka. you didn't defined any [DNS::answer] so the response will be empty) ...

Additional Note: The command 

[string trimright]
is not able to slice a given 
string
from the right side of the provided 
input
. The command will instead slice each single character specified in the 
char-map
from the rigth side of the 
input
as often as needed until a character appears in the 
input
which is not defined in the 
char-map
. Beside of this, your example has flipped the order of the 
char-map
and 
input
causing 
[string trimright]
to remove the individual characters found in the 
char-map
= 
[DNS::question name]
from the hard coded 
input
= "demo.lab".

The shortcut of your iRule is basically this one:

when DNS_REQUEST {
    if { [DNS::question name] ends_with ".demo.lab" } then {
         Send an empty DNS response
        DNS::return
    }
}

To rewrite DNS requests as proposed in your article you will need an iRule like this one...

when DNS_REQUEST {
    if { [DNS::question name] ends_with ".demo.lab" } then {
         Remove ".demo.lab" DNS-Suffix from the DNS query name and forward the request
        set queryName [string range [DNS::question name] 0 end-9]
        DNS::question name $queryName
    }
}

Note: You may want to enable the debugging mode (aka. 

set d2
) within an interactive nslookup session, to see the differences of the individual iRules.

Cheers, Kai