Logging of DNS Requests and Responses without a DNS license

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

This iRule logs DNS requests and responses in detail. It parses all headers, metadata and payloads, and works for both UDP and TCP. It supports multiple queries/answers in one TCP connection and DNS pipelining.

Example logs:

 

# Request
1.1.1.1 -> /Common/vs_dns_udp Query (32004): {name axians.de type MX class IN}

# Response
2.2.2.2 -> /Common/vs_dns_udp -> 1.1.1.1 Query (32004): {name axians.de type MX class IN}, flags: QR QUERY RD RA, query: 1, answer: 1, authority: 0, additional: 3, status ok
2.2.2.2 -> /Common/vs_dns_udp -> 1.1.1.1 Answer (32004): {name axians.de type MX class IN ttl 3600 rdata {10 axians-de.mail.protection.outlook.com}}
2.2.2.2 -> /Common/vs_dns_udp -> 1.1.1.1 Additional (32004): {name axians-de.mail.protection.outlook.com type A class IN ttl 2 rdata 104.47.0.36} {name axians-de.mail.protection.outlook.com type A class IN ttl 2 rdata 104.47.2.36} {name {} type OPT class 4000 ttl 0 rdata {}}
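
The wire-format handling behind log lines like these, shown as an added Python example (not code from the linked repository, which is a Tcl iRule): it parses the DNS header and question section, and splits a TCP payload on the 2-byte length prefix so several pipelined messages on one connection are handled. The function names and the sample bytes, built to match the axians.de MX query with ID 32004 above, are constructed for illustration.

```python
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}
FLAG_BITS = [(0x8000, "QR"), (0x0400, "AA"), (0x0200, "TC"), (0x0100, "RD"), (0x0080, "RA")]
Q = "0100 0001 0000 0000 0000 06 617869616e73 02 6465 00 000f 0001"  # constructed: axians.de MX IN, RD set
STREAM = bytes.fromhex("001b 7d04" + Q + "001b 7d05" + Q + "001b 7d06")  # constructed; third message cut off

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, resume, jumps = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg) or jumps >= 16:
                raise ValueError("bad or looping compression pointer")
            resume = off + 2 if resume is None else resume
            off, jumps = ((n & 0x3F) << 8) | msg[off + 1], jumps + 1
        elif n == 0:                              # root label ends the name
            return ".".join(labels), (off + 1 if resume is None else resume)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def parse_message(msg):
    """Parse the 12-byte header and the question section of one DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    questions, off = [], 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!2H", msg, off)
        questions.append((name, TYPES.get(qtype, str(qtype)), qclass))
        off += 4
    return {"id": ident, "flags": [f for bit, f in FLAG_BITS if flags & bit],
            "rcode": flags & 0xF, "counts": (qd, an, ns, ar), "questions": questions}

def split_tcp_stream(buf):                        # -> (complete messages, partial tail)
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack_from("!H", buf)[0]      # DNS over TCP: 2-byte length prefix
        if len(buf) < 2 + n:
            break                                 # incomplete message: wait for more bytes
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf
```

Over UDP each datagram is a single message and goes straight to `parse_message`; only TCP needs `split_tcp_stream`, and the returned tail has to be prepended to the bytes of the next segment.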

 

Problem solved by this Code Snippet

Logging of DNS requests and responses without a DNS license; an LTM license is sufficient.

How to use this Code Snippet

The README.md in the GitHub repository linked below describes the installation and configuration.

Code Snippet Meta Information

  1. Version: 1
  2. Coding Language: iRule / Tcl

Full Code Snippet

Code is maintained in a GitHub Repository: https://github.com/JuergenMang/f5-dns-logging

Published Jun 05, 2023
Version 1.0
  • xuwen

    Great, combined with this code, it's completely possible to build an httpdns DoH service using only iRules and return the DNS response result as JSON.

    Or alternatively, create a fully 0.0.0.0 UDP 53 (disable address translation and port translation, bind a gateway pool) Standard mode VS to audit DNS requests and responses in the direction
    Advantages: It can improve the encoding ability of iRules, such as binary, upvar and so on.
    Disadvantages: Loss of F5 CPU performance, and GitHub has an httpdns library written in the Go language. F5 only needs to do HTTPS forwarding. By utilizing this open source Go library, F5's CPU overhead is greatly reduced.

  • John

    Excellent iRules!  Thanks

    One note, on first attempt of using, had lots of oddities, but was due to collision on variable naming from other iRules I had attached to the vips.  Might consider adding more unique prefix to your variable naming.  (note, I am now too ;-))

    --john

  • I have not tested this iRule with other iRules attached to the same VS. Adding a prefix to all variables is a good idea. I will add it to my to-do list.