BIG-IP / Virtual Server for UDP & TCP DNS Loadbalancing / extracting client IPs
Hi guys,
I have several VS that do loadbalancing to DNS servers. All of the VS have AutoMap configured. The real DNS servers only see the SNATed client IP of the BIG-IP because of AutoMap. Currently there is no way to change that configuration.
I need to extract the client IP address that is querying DNS RRs. I tried different ways, found one solution that is not recommended (local logging) and I am currently stuck with HSL.
Because of AutoMap I tried to figure out the client IPs with iRules. I found one for UDP here: https://community.f5.com/t5/technical-forum/log-dns-queries-with-irule/td-p/212655
when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
For TCP here: https://my.f5.com/manage/s/article/K33126241
when CLIENT_ACCEPTED {
    log local0. "[virtual] - client ip=[IP::client_addr]:[TCP::client_port]"
}
Both iRules work great. The logs were written locally and to the remote syslog server; I configured the server previously in the "Remote Logging" settings. But unfortunately there are so many log entries for UDP that I was afraid the hard disk will be blown away some time. So I turned off logging.
I then tried to send the logs to my remote syslog server and changed the log command in the iRule to something like this:
log <MySyslogIPaddress> "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
Unfortunately I can see no logs. I found out that the command log <IPaddress> needs this:
"<remote_ip> must be a TMM-routed address. If you must route specific messages to a remote address via the management interface, you must log locally. syslog-ng is able to route messages via both TMM and management interfaces using the standard syntax. You can define an appropriate filter and remote log destination in LTM’s syslog-ng service."
In my environment the default route points to "mgmt". I have no special route for the syslog servers so the traffic is being routed through "mgmt". I couldn't find a way to route the traffic over a tmm-routed interface.
My next try was to solve the problem via HSL. I followed this guide: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html
I tried to trigger the HSL publisher like this:
when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    # logs locally only
    #log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
    # high speed logging
    set hsl [HSL::open -publisher /<Partition>/<Publisher>]
    HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
Unfortunately it didn't work. There are no logs on my remote syslog server visible.
My last try was to bind the HSL publisher to a Virtual Server. But it seems that I still don't understand the whole concept of HSL. I am sort of mixed up for the moment. I hope the community can help me sort this out.
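As an added example (not from the post above or from F5), the following Python shows what the UDP iRule's `binary scan [UDP::payload] H4@12A*@12H*` actually pulls out of a DNS query, and how to parse the question name properly. It walks the label-length octets from offset 12 (the iRule's `@12`), which the `A*` scan keeps in the string, and it strips the 2-byte length prefix that TCP-framed DNS carries, which is why the UDP offsets cannot be reused as-is on a TCP virtual server. The sample queries are constructed inline; the log line format is the one used in the thread.

```python
"""Parse the question section of a DNS query and emit the thread's log line.
Added illustration; not F5 code. Sample packets are constructed below."""
import struct


def parse_dns_question(payload: bytes, tcp: bool = False):
    """Return (txid, qname, qtype, qclass) from a raw DNS query.

    TCP DNS (RFC 1035 section 4.2.2) prefixes the message with a 2-byte
    length; strip it so the header really starts at offset 0.
    """
    if tcp:
        if len(payload) < 2:
            raise ValueError("truncated TCP length prefix")
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    # The question name starts right after the 12-byte header (the @12 offset).
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if n > 63 or pos + n > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    qname = ".".join(labels).lower() or "."
    return txid, qname, qtype, qclass


def irule_style_dname(payload: bytes) -> str:
    """Emulate `@12A*` followed by `getfield $dname \\x00 1` and `string tolower`.

    Tcl's A* scan keeps every byte (including the label-length octets) up to
    the terminating NUL, so the logged name carries those raw length bytes.
    """
    raw = payload[12:].split(b"\x00", 1)[0]
    return raw.decode("latin-1").lower()


def build_query(txid: int, name: str, qtype: int = 1, tcp: bool = False) -> bytes:
    """Construct a minimal standard query (constructed sample input)."""
    body = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        body += bytes([len(label)]) + label.encode("ascii")
    body += b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(body)) + body if tcp else body


def log_line(client_ip: str, payload: bytes, tcp: bool = False) -> str:
    """Same message format as the iRule's log/HSL::send string."""
    _, qname, _, _ = parse_dns_question(payload, tcp=tcp)
    return f"dns_src_ip={client_ip} requested dns_query={qname}"


if __name__ == "__main__":
    udp = build_query(0x1234, "WWW.Example.COM")
    print(log_line("192.0.2.10", udp))
    print(repr(irule_style_dname(udp)))  # length octets remain in the string
    tcp_q = build_query(0xABCD, "example.net", qtype=252, tcp=True)
    print(log_line("192.0.2.11", tcp_q, tcp=True))
```

The `irule_style_dname` output is worth comparing against what shows up in syslog: the iRule as posted logs the name with its length octets embedded, which makes the lines harder to grep, whereas the label walk yields the dotted name. Note also that `CLIENT_ACCEPTED` fires on a TCP virtual server before any payload has arrived, which is why the TCP iRule in the thread can only log the client address and port at that event.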
Have you tried using this guide to send HSL via the management interface?
K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface