Technical Forum
Using RESOLVER::name_lookup to return an IP address for a FQDN

cccu_werner (Altostratus)

Hi.

We are running 15.1 and we have a Virtual Server (webservice app) with an iRule that only allows certain IP addresses making requests to it.

One of our external service providers has a service in AWS which needs to make requests to this VS, but their IP address is dynamic and thus it changes every 24 hours.

Obviously we have got the FQDN of the external service, but in our iRule we need to use RESOLVER::name_lookup to look up the FQDN based on the [IP::client_addr] and then compare before we can either allow the traffic or drop it.

So far we have managed to return a 94 character string using RESOLVER::name_lookup, but I cannot get RESOLVER::summarize to return anything.

So far we have tried examples on https://devcentral.f5.com/s/feed/0D51T00007szTWjSAM and https://clouddocs.f5.com/api/irules/RESOLVER__summarize.html but with no results.

Maybe there is another way which we are not aware of yet.

4 REPLIES

JRahm (Community Manager)

A couple quick questions:

  • Is it IPv4 or IPv6?
  • Is the net resolver destination you've configured the same as one you use for command line validation, so they get the same response?
  • Have you read through my article (don't remember if we touched on that in the stream)?

Can you post a sanitized version of your rule, and feel free to shoot me the string you're receiving via email and I can debug that in my lab.

cccu_werner (Altostratus)

Hi Jason

Here is a section of the iRule:

when HTTP_REQUEST {
  # work in progress section
  set fqdn testing.test-url.com
  set ips [RESOLVER::name_lookup "/Common/f5-aws-dns" $fqdn a]
  log local0. "$fqdn IP address resolved to $ips"
  set rs [RESOLVER::summarize $ips]
  log local0. "which resolves to $rs"
}

Yes we have read through your article.

Many thanks

JRahm (Community Manager)

Hi there. Sorry for the delay. Since you are using the /Common/f5-aws-dns resolver, did you modify it to include the zone for which your fqdn resides? For example, if I'm going to look up espn.com on my local test box, my aws resolver would need to look like this:

net dns-resolver f5-aws-dns {
    forward-zones {
        amazonaws.com {
            nameservers {
                8.8.8.8:domain { }
            }
        }
        espn.com {
            nameservers {
                8.8.8.8:domain { }
            }
        }
        idservice.net {
            nameservers {
                8.8.8.8:domain { }
            }
        }
        shpapi.com {
            nameservers {
                8.8.8.8:domain { }
            }
        }
    }
    route-domain 0
}

And if I change my iRule to do more logging like this:

when CLIENT_ACCEPTED {
  set fqdn espn.com
  set lookup_result [RESOLVER::name_lookup "/Common/f5-aws-dns" $fqdn a]
  log local0.debug "Lookup: $lookup_result"
  set lookup_summary [RESOLVER::summarize $lookup_result]
  log local0.debug "Summary: $lookup_summary"
  foreach rr $lookup_summary {
    log local0.debug $rr
    log local0.debug [lindex $rr 4]
  }
}

Then my results are:

Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: Lookup: 000081800001000400000000046573706E03636F6D0000010001C00C000100010000003B00046354A008C00C000100010000003B00046354A00AC00C000100010000003B00046354A037C00C000100010000003B00046354A044
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: Summary: {espn.com.	59	IN	A	99.84.160.8} {espn.com.	59	IN	A	99.84.160.10} {espn.com.	59	IN	A	99.84.160.55} {espn.com.	59	IN	A	99.84.160.68}
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com.	59	IN	A	99.84.160.8V
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.8
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com.	59	IN	A	99.84.160.10
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.10
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com.	59	IN	A	99.84.160.55
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.55
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: espn.com.	59	IN	A	99.84.160.68
Apr 27 17:38:39 ltm15a debug tmm1[87967]: Rule /Common/resolver_test <CLIENT_ACCEPTED>: 99.84.160.68

I added espn.com to the aws resolver since you're using it, but in a real scenario, I'd create a standalone resolver specifically for the iRule instead of modifying the aws one.
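As an added illustration that is not part of this thread, the following Python script decodes the hex string that RESOLVER::name_lookup returned in the log above (it is the raw DNS response in wire format: header, question section, then the answer RRs with name-compression pointers back to the question) into the same {name ttl class type rdata} rows that RESOLVER::summarize logged, and then makes the allow-list decision the original question asks for: is the client address one of the FQDN's current A records? The function names summarize, resolved_addresses and client_allowed are the script's own and are not iRule commands; the response hex is copied from the "Lookup:" log line above.

```python
import struct
from ipaddress import ip_address

# Raw DNS response exactly as logged by RESOLVER::name_lookup above
# (a 90-byte message: 12-byte header, question for espn.com, four A records).
RAW_HEX = ("000081800001000400000000046573706E03636F6D0000010001"
           "C00C000100010000003B00046354A008"
           "C00C000100010000003B00046354A00A"
           "C00C000100010000003B00046354A037"
           "C00C000100010000003B00046354A044")

RCLASS_NAMES = {1: "IN"}
RTYPE_NAMES = {1: "A", 28: "AAAA"}


def read_name(msg, offset):
    """Decode a (possibly compressed) DNS name at offset.

    Returns (name with trailing dot, offset just past the name in the
    original byte stream). 0xC0xx pointers jump elsewhere in the message,
    so the end offset is remembered at the first pointer, not after the jump.
    """
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:  # refuse pointer loops in a malformed response
                raise ValueError("DNS name compression loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def summarize(hex_response):
    """Return one [name, ttl, class, type, rdata] row per answer RR, the same
    column order RESOLVER::summarize produced in the log (index 4 is the IP)."""
    msg = bytes.fromhex(hex_response)
    _ident, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset = 12
    for _ in range(qdcount):            # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                      # QTYPE + QCLASS
    rows = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        # A and AAAA rdata are packed addresses; anything else is left as hex.
        value = str(ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        rows.append([name, ttl, RCLASS_NAMES.get(rclass, str(rclass)),
                     RTYPE_NAMES.get(rtype, str(rtype)), value])
    return rows


def resolved_addresses(hex_response):
    """The set of addresses the FQDN currently resolves to."""
    return {row[4] for row in summarize(hex_response) if row[3] in ("A", "AAAA")}


def client_allowed(client_addr, hex_response):
    """Allow-list decision: the client must be one of the FQDN's addresses."""
    return str(ip_address(client_addr)) in resolved_addresses(hex_response)


if __name__ == "__main__":
    for row in summarize(RAW_HEX):
        print(row)
    print(client_allowed("99.84.160.55", RAW_HEX), client_allowed("10.0.0.1", RAW_HEX))
```

Column 4 of each row is what `[lindex $rr 4]` picked out in the iRule above, so the same decision there is a `lsearch -exact` of `[IP::client_addr]` against the addresses collected from the `foreach rr` loop, with a reject (or drop) when it is not found. Two operational points follow from the wire format: the TTL in the response (59 seconds here) is the upper bound on how long a cached answer should be trusted for an allow-list, and the whole check is only as trustworthy as the resolver configured in the net dns-resolver object, which is a further reason for the dedicated resolver the reply recommends.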

cccu_werner (Altostratus)

Hi Jason

Thank you for this. The vendor has actually now added the http.referer to their app so we are now able to use that value in our check.

I can definitely see us using your DNS Resolver method in the future though.

Regards