authoritative
2 Topicsdns transparent cache as authoritative?
Hello, I have inherited an f5 pair that is (in theory) an authoritative-only name server. it has a pool of three dns servers it passes queries to. The first lookup using the f5 as the dns server has the authoritative bit set. However, subsequent queries (cache hit) do not, until the ttl time has elapsed. In other words, it acts as a standard dns caching server that sets authoritative when it has to query an authoritative server for an answer. Is there a way to set up the F5 with this configuration to always answer authoritative? bigip version 15.1.0.5 udp listener with dns profile name: "authoritative_dns" authoritative_dns profile set: parent == dns dns express enabled dns cache enabled: set to "authoritative_cache" authoritative_cache set: resolver type: transparent (NONE)601Views0likes1CommentBIG-IP DNS Express - Private Zone Blocker
Problem this snippet solves: With BIG-IP DNS; you cannot enable/disable configured DNS Express Zones on a per-listener basis. This makes scenarios where a single BIG-IP DNS system has listeners exposed to internal networks with RFC1918 addresses and public Internet networks. DNS Express doesn't support DNS Views, in short. This iRule allows you to configure a datagroup containing "disabled_zones" and the iRule will validate if the query matches a zone listed in disabled_zones. If it gets a match, it simply returns nothing. Additionally, the iRule examines all responses and checks that resource records in the response do not contain RFC1918 addresses and if it finds them, it removes those Resource Records. All code in the "DNS_RESPONSE" event can be commented or deleted if this behavior isn't desired. How to use this snippet: enable iRule on DNS listener (most likely a listener available only to private network clients) and configure "disabled_zones" data group as shown in example. Log lines can be deleted or commented out once proper operation of the rule is confirmed and understood or retained for purposes of auditing queries that are dropped/blocked. Code : when DNS_REQUEST { log "Got request from: [IP::remote_addr] for [DNS::question name]" if {[class match [DNS::question name] ends_with disabled_zones]}{ log "Query for [DNS::question name] is for a disabled zone - Dropping" DNS::return } } when DNS_RESPONSE { log "Got Response = [DNS::answer]" set rrs [DNS::answer] set privateresponse 0 foreach rr $rrs { log "DNS Response rr: $rr" if {[DNS::type $rr] == "A"}{ if {[class match [DNS::rdata $rr] equals private_net]}{ set privateresponse 1 DNS::answer remove $rr } log "DNS RR data: [DNS::rdata $rr]" } } if {$privateresponse}{ log "DNS response contains private addresses" } } Tested this on version: 13.0499Views0likes1Comment