I have a VPN configuration where Edge Client users point to a virtual server that load balances DNS requests to three back end servers. I also have DNS transparent cache setup and everything works great. I have a new requirement which is to forward requests for three specific domains to a different pool of back end servers but ONLY if the user making the request is a member of a specific AD group.

The logic is simple:

when DNS_REQUEST {
   if { [class match [string tolower [DNS::question name]] ends_with special-dnsentries_data-group] } {
       if { [ACCESS::session data get session.ad.last.attr.memberOf] contains "CN=special-AD-group" } {
           pool dns_special_pool
       }
   }
}

So, if a DNS request comes in for special.intranet.com (which is in the data group) AND the user is a member of the “special-AD-group” Active Directory group, then I forward the DNS request to the “dns_special_pool” instead of the default pool assigned to the virtual. I believe the problem I am having is that the next person who requests the same FQDN (special.intranet.com in this example) will receive the IP from the dns_special_pool even if they are not a member of the AD group simply because the FQDN is cached. Assuming this is what is happening, I want to disable the caching of the domains in this data group so that the DNS request always gets forwarded to a physical DNS server for resolution. What’s the best way to do this? If I just add an "else" with the default pool will the irule ignore the cache and always forward the request?

Thanks for the help.

APM 14.1.2