cancel
Showing results for 
Search instead for 
Did you mean: 

Bypassing DNS Cache for specific DNS queries

David_Gill
Cirrus
Cirrus

 

I have a VPN configuration where Edge Client users point to a virtual server that load balances DNS requests to three back end servers. I also have DNS transparent cache setup and everything works great. I have a new requirement which is to forward requests for three specific domains to a different pool of back end servers but ONLY if the user making the request is a member of a specific AD group.

 

The logic is simple:

 

when DNS_REQUEST {    if { [class match [string tolower [DNS::question name]] ends_with special-dnsentries_data-group] } {        if { [ACCESS::session data get session.ad.last.attr.memberOf] contains "CN=special-AD-group" } {            pool dns_special_pool        }    } }

 

So, if a DNS request comes in for special.intranet.com (which is in the data group) AND the user is a member of the “special-AD-group” Active Directory group, then I forward the DNS request to the “dns_special_pool” instead of the default pool assigned to the virtual. I believe the problem I am having is that the next person who requests the same FQDN (special.intranet.com in this example) will receive the IP from the dns_special_pool even if they are not a member of the AD group simply because the FQDN is cached. Assuming this is what is happening, I want to disable the caching of the domains in this data group so that the DNS request always gets forwarded to a physical DNS server for resolution. What’s the best way to do this? If I just add an "else" with the default pool will the irule ignore the cache and always forward the request?

 

Thanks for the help.

 

APM 14.1.2

0 REPLIES 0