Log DNS queries with iRule?
We are load balancing our DNS requests through LTM. We'd like to log at the F5 so we capture the client address (LTM uses SNAT). Based on a few examples on DevCentral, they mostly use this same query. We've added a logging statement to capture the client address and query.
when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    log local0 "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
The only issue with this is the formatting of the domain is lost. The log statements display as "googlecom" or "mapsgooglecom", obviously missing the periods between the domain names. Is there some other way to parse the statements to get the original domain formatting to persist through to the log statement?
The only code I found online was this post from 2006, which seems to work correctly. Is that code still correct 9 years later? Is there a more graceful way to do that?
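The periods are missing because a DNS name on the wire has no periods: it is a sequence of labels, each preceded by a one-byte length, ended by a zero byte. The following is an added example, not code from this thread or from F5, written as plain Tcl so it runs in tclsh; the proc name dns_qname and the sample query are assumptions constructed for illustration.

```tcl
# Added example, not from the thread. dns_qname is a hypothetical helper name.
proc dns_qname {payload} {
    set len [string length $payload]
    # 12-byte header plus at least the root label; QDCOUNT is at offset 4.
    if {$len < 13} { return "" }
    binary scan $payload @4S qdcount
    if {($qdcount & 0xffff) < 1} { return "" }

    set pos 12
    set labels {}
    set total 0
    while {$pos < $len} {
        # Each label starts with one length byte ("c" is signed, so mask it).
        binary scan $payload @${pos}c n
        set n [expr {$n & 0xff}]
        incr pos
        if {$n == 0} {
            # Root label ends the name; an empty list is the root ".".
            if {[llength $labels] == 0} { return "." }
            return [join $labels .]
        }
        # 0xC0 marks a compression pointer; neither it nor the reserved
        # 0x40/0x80 types belong in a query's first QNAME. Reject them.
        if {$n > 63 || $pos + $n > $len} { return "" }
        set label [string tolower [string range $payload $pos [expr {$pos + $n - 1}]]]
        # Anything outside letters, digits, "-" and "_" is replaced so a
        # crafted name cannot put control characters or fake dots in the log.
        regsub -all {[^a-z0-9_-]} $label ? label
        lappend labels $label
        incr pos $n
        # RFC 1035 limits the encoded name to 255 bytes.
        incr total [expr {$n + 1}]
        if {$total > 254} { return "" }
    }
    return ""   ;# ran off the end without a terminating zero byte
}

# Constructed sample: a query for www.Example.com, type A, class IN.
set query [binary format SSSSSS 0x1a2b 0x0100 1 0 0 0]
foreach l {www Example com} {
    append query [binary format ca* [string length $l] $l]
}
append query [binary format cSS 0 1 1]
puts "dns_query=[dns_qname $query]"
```

In the iRule from the post, the same loop would run over [UDP::payload] in place of the A* scan and getfield pair, and an empty result can be logged as a malformed query.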
- VernonWells (Employee)
Which version of code are you running, and how is it licensed? If the dns profile is applied to the Virtual Server, you may have access to a set of these primitives:
Alternatively -- and more easily -- if you have a version that supports it, you can use a DNS logging profile:
- Kelly (Nimbostratus)
11.6 LTM only, no DNS or GTM licenses unfortunately.
I didn't see any of those commands that appear to work without a DNS license
- VernonWells (Employee)
That shouldn't matter. A set of those commands work with LTM, including DNS::question. I just tried the following for a VE licensed and provisioned for LTM (no GTM) and it did what I expected:
when DNS_REQUEST {
    log local0. "QUERY from ([IP::client_addr]) for ([DNS::question class] [DNS::question type] [DNS::question name])"
}
A log entry looks like this:
tmm1[9500]: Rule /Common/dns_test_rule : QUERY from (10.11.210.200) for (IN A www.foo.com)
- Kelly (Nimbostratus)
Vernon, thanks for the response. You got my hopes up but this doesn't output anything for me. It does apply without error (after applying a dns profile).
Is it possible you have the LTM DNS Services license applied to your BigIP? We definitely don't have that license.