Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

BIG-IP / Virtual Server for UDP & TCP DNS Loadbalancing / extracting client IPs

Hi guys,

I have several VS that do loadbalancing to DNS servers. All of VS have AutoMap configured. The real DNS servers only see the SNATed client IP of the BIG-IP because of AutoMap. Currently there is no way to change that configuration.

I need to extract the client IP address that is querying DNS RRs. I tried different ways, found one solution that is not recommended (local logging) and I am currently stuck with HSL.

Because of AutoMap I tried to figure out the client IPs with iRules. I found one for UDP here: https://community.f5.com/t5/technical-forum/log-dns-queries-with-irule/td-p/212655

 

 

when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
  log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}

For TCP here: https://my.f5.com/manage/s/article/K33126241

when CLIENT_ACCEPTED {
  log local0. "[virtual] - client ip=[IP::client_addr]:[TCP::client_port]"
    }

Both iRules work gread. The logs were written locally and to the remote syslog server; I configured the the server previously in the "Remote Logging" settings. But unfortunatley there are so many log entries for UDP that I was afraid the hard disk will be blown away some time. So I turned off logging. 

I then tried to send the logs to my remote syslog server and changed the log command in the iRule to something like this:

log <MySyslogIPaddress> "dns_src_ip=[IP::client_addr] requested dns_query=$dname"

Unfortunately I can see no logs. I found out that the command log <IPaddress> needs this:

"<remote_ip> must be a TMM-routed address. If you must route specific messages to a remote address via the management interface, you must log locally. syslog-ng is able to route messages via both TMM and management interfaces using the standard syntax. You can define an appropriate filter and remote log destination in LTM’s syslog-ng service."

In my environment the default route points to "mgmt". I have no special route for the syslog servers so the traffic is being routed through "mgmt". I couldn't find a way to route the traffic over a tmm-routed interface.

My next try was to solve the problem via HSL. I followed this guide: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-imple...

I tried to trigger the HSL publisher like this:

when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    # logs locally only
    #log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"

    # high speed logging
    set hsl [HSL::open -publisher /<Partition>/<Publisher>]
    HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}

Unfortunately it did'nt work. There are no logs on my remote syslog server visible.

My last try was to bind the HSL publisher to a Virtual Server. But it seems that I still don't understand the whole concept of HSL. I am sort of mixed up for the moment. I hope the community can help me sorting this out.

1 ACCEPTED SOLUTION

Michael_Saleem
Cirrocumulus
Cirrocumulus
6 REPLIES 6

Michael_Saleem
Cirrocumulus
Cirrocumulus

Have you tried using this guide to send HSL via the management interface? 
K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface

Hi Michael,

Thanks for the quick reply. I'm gonna give it a hit. I'll keep you posted.

Unfortunately I doesn't work. The iRule code example states the following

when CLIENT_ACCEPTED {
  set my_hsl [HSL::open -publisher /<partition>/<log publisher>]
}
when HTTP_REQUEST {
  HSL::send $my_hsl "Request: [HTTP::host][HTTP::uri]"
  log local0.info "Request: [HTTP::host][HTTP::uri]"
}
when CLIENT_CLOSED {
  unset my_hsl
}

In my case I have UDP DNS traffic that I want to log to a remote syslog. However my iRule code only has the "when CLIENT_ACCEPTED" statement where I set the HSL variable and send the logs via HSL::send. Maybe this is the problem?

I configured the HSL pool in the Common partition as well as the log configuration (publisher, destination etc.). The iRule is configured in another partition. Is such a configuration valid or problematic?

Michael_Saleem
Cirrocumulus
Cirrocumulus

Hi,

I'm not sure about the partition part. However,  I labbed this (all objects in the /Common partition) and it tested fine:

1) Create HSL management-port destination

create sys log-config destination management-port HSL-MGMT-DESTINATION ip-address <SYSLOG DST IP> port 514 protocol udp

2) Create HSL publisher referencing management-port destination

create sys log-config publisher management-port-pub destinations add { HSL-MGMT-DESTINATION }

3) Create DNS logging iRule 

ltm rule IRULE-SYSLOG-MGMT {
when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    # logs locally only
    #log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"

    # high speed logging
    set hsl [HSL::open -publisher /Common/management-port-pub]
    HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
}

4) Create pool

create ltm pool <POOL NAME> members add { <POOL MEMBER IP>:53 }

5) Create UDP/53 virtual server

create ltm virtual <VS NAME> destination <VIP>:53 pool <POOL NAME> profiles add { udp } source-address-translation { type automap } rules { IRULE-SYSLOG-MGMT }


===============
// VERIFICATION
===============

# tcpdump on F5 MGMT interface for UDP syslog traffic

[root@bigip-1:Active:In Sync] config # tcpdump -i mgmt -nn -c 100 -A "udp port 514"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mgmt, link-type EN10MB (Ethernet), capture size 65535 bytes
09:11:24.929974 IP <F5 MGMT IP>.39556 > <SYSLOG DST IP>.514: [|syslog]
E..S<.@.@...
...
..
.....?.Qdns_src_ip=<CLIENT IP> requested dns_query=.google.com

# Kiwi Sylog server entry showing client IP

04-28-2023	09:11:24	Local7.Debug	<F5 MGMT IP>	dns_src_ip=<CLIENT IP> requested dns_query=google.com

 

Hey Michael,

Thanks for labbing this. I had the configuration you posted in mind but dont't know why I didn't do it 😉 I will give it try.

I re-implemented my whole configuration for "HSL via mgmt" in the specific partition and it worked out! For me the topic is solved. Thanks a lot for your support, @Michael_Saleem.

Awesome. I'm glad that I could help 😊