Unbreaking the Internet and Converting Protocols
When CloudFlare took over 1.1.1.1 for their DNS service, it got me thinking about a couple of issues:
A. What do you do if you’ve been using 1.1.1.1 on your network, how do you unbreak the ...
Published Apr 09, 2018
Version 1.0
Eric_Chen (Employee, joined May 16, 2013)
Eric_Chen (Employee), Apr 12, 2018:
One more VS that I didn't mention; here's the complete list (separated for clarity):
1.1.1.1:53 UDP -> To 1.0.0.1
1.1.1.1:80 HTTP -> To server
192.168.1.113:53 UDP -> DNS Cache (DNS over TLS)
192.168.1.114:53 UDP -> DNS Cache (DNS over HTTPS)
192.168.1.254:53 TCP -> DNS over TLS (just performing TLS upgrade)
192.168.1.254:53 UDP -> DNS over HTTPS (performing conversion from UDP to HTTPS requests)
192.168.1.253:80 TCP -> HTTP to HTTPS (validate HTTPS server certificate, upgrade from HTTP to HTTPS)
In the article I only reference a single DNS cache, but the above example assumes that you use two separate caches (one configured for only client-side UDP and the other only for client-side TCP).
In my article, the corresponding pools are:
1.1.1.1:53 UDP -> pool: 1.0.0.1
1.1.1.1:80 HTTP -> pool: 192.168.1.66
192.168.1.113:53 UDP -> DNS cache forward . -> 192.168.1.254:53 TCP
192.168.1.114:53 UDP -> DNS cache forward . -> 192.168.1.254:53 UDP
192.168.1.254:53 TCP -> 1.0.0.1:853 (w/ serverssl profile)
192.168.1.254:53 UDP -> iRule + iRuleLX that calls 192.168.1.253:80
192.168.1.253:80 TCP -> FQDN pool to cloudflare-dns.com
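The UDP-to-HTTPS conversion performed by the 192.168.1.254:53 UDP listener (and the HTTPS request that ends up at cloudflare-dns.com) can be illustrated with the RFC 8484 wire format. The following is an added JavaScript example, not the post's iRule/iRuleLX code: it builds the DNS query as it would arrive over UDP, turns it into the DoH GET or POST request, and validates a DoH reply before it would be handed back to the UDP client. The resolver URL https://cloudflare-dns.com/dns-query and the validation rules are my assumptions; nothing here touches the network.

```javascript
// Added example (not from the post or F5): DNS wire query -> RFC 8484 DoH request.
// Assumes the DoH endpoint https://cloudflare-dns.com/dns-query; runs offline.
const DOH_URL = 'https://cloudflare-dns.com/dns-query';

// Encode a DNS query for `name`/`qtype` in RFC 1035 wire format, as it would
// arrive on the UDP listener. ID 0 and RD=1, matching the RFC 8484 examples.
function buildQuery(name, qtype = 1, id = 0) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2); // flags: RD=1
  header.writeUInt16BE(1, 4);      // QDCOUNT=1
  const labels = name.split('.').filter(Boolean)
    .map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  const qfixed = Buffer.alloc(4);
  qfixed.writeUInt16BE(qtype, 0);  // QTYPE (1 = A)
  qfixed.writeUInt16BE(1, 2);      // QCLASS IN
  return Buffer.concat([header, ...labels, Buffer.from([0]), qfixed]);
}

// RFC 8484 GET: the raw message goes in the `dns` parameter as base64url
// without padding; a zero message ID keeps the URL cacheable.
function toDohGet(wire) {
  const b64url = wire.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return { method: 'GET', url: `${DOH_URL}?dns=${b64url}`,
           headers: { accept: 'application/dns-message' } };
}

// RFC 8484 POST: the body is the raw DNS message, typed application/dns-message.
function toDohPost(wire) {
  return { method: 'POST', url: DOH_URL, body: wire,
           headers: { 'content-type': 'application/dns-message',
                      accept: 'application/dns-message' } };
}

// Validate a DoH reply before relaying it over UDP: HTTP 200, the dns-message
// media type, a full header, the same ID as the query, and the QR bit set.
function checkDohResponse(queryWire, status, contentType, body) {
  if (status !== 200) return { ok: false, reason: `http ${status}` };
  if (contentType !== 'application/dns-message') return { ok: false, reason: 'bad content-type' };
  if (body.length < 12) return { ok: false, reason: 'short message' };
  if (body.readUInt16BE(0) !== queryWire.readUInt16BE(0)) return { ok: false, reason: 'id mismatch' };
  if ((body[2] & 0x80) === 0) return { ok: false, reason: 'not a response' };
  return { ok: true, reason: '' };
}
```

For www.example.com the GET URL ends in the same `dns=` value that RFC 8484 section 4.1.1 shows, which is a handy way to confirm the encoder against a known-good vector.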