If you are using GTM to act both a authoritative slave with DNS Express and as a recursive cache, recursion will not work if a request is made for a delegated sub-domain if the parent domain exists in DNS Express. i.e. domain.com exists in DNS Express but has delegated the dev.domain.com sub-domain to a different set of name server. Any request to dev.domain.com will just get a referral rather than being recursed. This is because of the order of operations in GTM, https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14510.html. Recursion is the very last process that could happen and since DNS Express makes an authoritative referral response no recursion will occur.
How to use this snippet:
To use this your listener and corresponding DNS profile need to have DNS Express configured and recursion enabled(cache). Then the iRule just needs to be attached to the listener.
Code :
when DNS_REQUEST {
#query DNS Express to look for a sub-domain delegation
set rrr [DNS::query dnsx [DNS::question name] [DNS::question type]]
#evaluate if the queried zone is defined in DNS Express
#empty response indicates DNS Express does not have the requested domain
#so we should exit and continue to recursion
if {$rrr equals "{} {} {}"}{return}
#check if DNS Express response is a delegated sub-domain referral
if { [lindex $rrr 0] equals "" && [DNS::type [lindex [lindex $rrr 1] 0]] equals "NS"} {
#no ANSWER was returned AND AUTHORITY is an NS record(not a SOA)
#this is a referral so we should disble DNS Express to allow for the subdomain to be recursed
DNS::disable dnsx
}
}
Hi Brad,
I have this exact issue. :)
I am testing using version 12.1.0. It doesn't appear that the irule is working. I set my logs to debug, but nothing helpful. I have you tested the irule on this version?
I got it to work, but need to add additional functionality.
Is it possible to add additional conditions to forward queries based on client ip to a specific dns pool after we have performed the recursive query for NS records of our DNS Express Zones?
I can split this Irule into two parts (DNS Express Recursive Query Fix) and (Route based on source IP) independently. When I combine the irules it breaks. I have a feeling it has to do with the order in which the F5 processes the traffic. (CLIENT_ACCEPT before DNS_REQUEST)
`when DNS_REQUEST {
query DNS Express to look for a sub-domain delegation
set rrr [DNS::query dnsx [DNS::question name] [DNS::question type]]
evaluate if the queried zone is defined in DNS Express
empty response indicates DNS Express does not have the requested domain
check if DNS Express response is a delegated sub-domain referral
if { [lindex $rrr 0] equals "" && [DNS::type [lindex [lindex $rrr 1] 0]] equals "NS"} {
log local0.debug "ns record detected"
no ANSWER was returned AND AUTHORITY is an NS record(not a SOA)
this is a referral so we should disble DNS Express to allow for the subdomain to be recursed
DNS::disable dnsx
log local0.debug "Subdomain"
} elseif { [IP::addr [IP::client_addr] equals 192.168.0.0/24] } {
pool /Common/ServerResolver
log local0.debug "ServerResolver"
return
} else {
pool /Common/UserResolver
log local0.debug "UserResolver"
return
}
}`
Glad I found this thread, I have the same issue. I have a zone that is created via BIND and I configured a DNS Express for that zone (test.com for example). And within that BIND config I have a delegation for security.test.com going to amazon DNS servers. I tried this irule but it looks like it's not working. my version is 14.1.4
Thanks you! Hope you guys can help me. Ive been dealing for this issue for 6 months now 😄
