Implementing Client Subnet DNS Requests

Problem this snippet solves:

Update 2018-10-23: As of BIG-IP DNS 14.0 there is now a checkbox feature for edns-client-subnet. Please see: Using Client Subnet in DNS Requests. The following is still useful if you want to customize your responses.

Original post:

Using an iRule and edns-client-subnet (ECS) we can improve the accuracy of F5 GTM’s topology load balancing.

How to use this snippet:

There are two different iRules. One is an LTM iRule and the second is a GTM iRule. These should be deployed separately.

Tested on Version:
11.6
Comments on this Snippet
Comment made 20-Dec-2015 by tiny cloud ninja
Testing this iRule in TMOS 11.5.3 HF1 without success. It looks as if whereis is not returning a value. On test DNS:

./bin/dig/dig @10.1.10.100 record.siterequest.com +client=8.8.8.8 A

Dec 20 18:36:53 gtm info tmm1[12620]: Rule /Common/mvpn_EDNS_iRule <DNS_REQUEST>: LDNS LOC: 10.1.10.222
Dec 20 18:36:53 gtm info tmm1[12620]: Rule /Common/mvpn_EDNS_iRule <DNS_REQUEST>: ECS LOC: 8.8.8.8
Dec 20 18:36:53 gtm info tmm1[12620]: Rule /Common/mvpn_EDNS_iRule <DNS_REQUEST>: defualt
0
Comment made 21-Dec-2015 by Eric Chen
Hi, I'm seeing a similar result using 11.5.3. I agree that the issue appears to be with passing the variable $gtm_ecs_address to whereis and getting back an empty response. When I created the iRule I had tested with 11.6.0, but not with 11.5.3. I'll update the codeshare to reflect that this works on 11.6.0 and forward.
0
Comment made 18-Apr-2016 by Chris G 01 97
Do we know if there is any way to get this working in 11.5.3 or 11.5.4?
0
Comment made 15-May-2016 by bodra
The whereis fails due to a bug. As a workaround you can force a string interpretation of the IP, i.e.:

set loc [whereis [string tolower $ldns]]
0
Comment made 31-Aug-2016 by mchaas 3

Hi,

Is there a way to tamper with the DNS response based on this information? We are running GTM. When the listener is receiving a DNS query, I would like to decide which virtual server out of the selected pool is used and posted back in the DNS response, depending on both location (based on the EDNS information) AND availability of the respective resource.

So, ideally, in analogy to the GSLB "Topology Record Builder" settings, I would like to set the datacenter information, but not based on the client IP in the Layer 3 header; rather based on the EDNS client information, as shown in the code snippet.

Is this possible? Thanks!

Regards, Matt

0
Comment made 06-Sep-2016 by Eric Chen

Matt, if you have a second LTM/GTM device it is possible to SNAT the connection to match the ecs_address. You end up with something like:

when DNS_REQUEST {
...
  snat $ecs_address
...
}

This works by using a feature of LTM/GTM of auto last hop to route the snat'd traffic back to the original device that received the request. It assumes that both LTM/GTM devices are L2 adjacent.

The config is

Device #1: LTM listener with DNS profile/LTM iRule performing SNAT. Pool is the GTM listener on Device #2.
Device #2: GTM listener with DNS profile (vanilla GTM)

Traffic flow:

Internet (LDNS IP) -> Device #1 (SNAT to ECS IP) -> Device #2 -> Device #1 -> Internet

Be warned that you are trusting the ECS records to intentionally spoof traffic to Device #2. I have only tested this in a lab environment and have noted that it does some weird things to the EDNS records that get passed along to Device #2.

0
Comment made 27-Feb-2018 by Gary Boniface

As an FYI for anyone testing, with a recent dig version (e.g. 9.10), "+subnet" is used to send an EDNS0 request, e.g.:

$ dig @10.1.10.53 www.gtm.acme.com +subnet=205.168.2.3/32

The response should show

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 205.168.2.3/32/0

;; QUESTION SECTION:

0
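The dig exchange above shows the CLIENT-SUBNET option travelling inside the EDNS0 OPT pseudo-RR, and the earlier log lines show the iRule choosing between an "LDNS LOC" and an "ECS LOC". The following Python is an added example, not the iRule from this code share and not F5 code: it builds such a query, parses the option back out with the sanity checks RFC 7871 asks for (address length consistent with the prefix length, no non-zero bits beyond the source prefix), and then makes the same decision the page describes, taking the ECS source address for the topology lookup when one is present and well-formed and falling back to the resolver's own source address otherwise. The `TOPOLOGY` table, the `lookup_location` helper (a stand-in for the iRule's `whereis`, which consults BIG-IP's own topology database) and all sample addresses are constructed for the demo.

```python
"""Added example (not F5 code, not the code share's iRule): build, parse and
act on an EDNS0 Client Subnet option (ECS, RFC 7871, option code 8)."""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # CLIENT-SUBNET option code (RFC 7871)
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type (RFC 6891)


def build_ecs_option(prefix: str) -> bytes:
    """Encode 'addr/len' as an ECS option; the address is truncated to the prefix as RFC 7871 requires."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr   # SCOPE PREFIX-LENGTH is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname: str, opt_rdata: bytes = b"") -> bytes:
    """Minimal A query with one OPT pseudo-RR in the additional section carrying opt_rdata."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD flag, qd=1, ar=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)                           # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt_rdata)) + opt_rdata
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (plain labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def _decode_ecs_body(body: bytes):
    """Validate an ECS option body; return (address, source_len, scope_len) or None if malformed."""
    if len(body) < 4:
        return None
    family, src_len, scope_len = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    full = {1: 4, 2: 16}.get(family)
    if full is None or src_len > full * 8 or len(addr) != (src_len + 7) // 8:
        return None   # unknown family, or address length inconsistent with the prefix length
    ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
    if ipaddress.ip_network(f"{ip}/{src_len}", strict=False).network_address != ip:
        return None   # RFC 7871: bits beyond SOURCE PREFIX-LENGTH must be zero
    return ip, src_len, scope_len


def parse_ecs(msg: bytes):
    """Return the first CLIENT-SUBNET option found in the message's OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                  # walk the option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == ECS_OPTION_CODE:
                return _decode_ecs_body(rdata[pos + 4:pos + 4 + olen])
            pos += 4 + olen
    return None


# Constructed topology table (demo only); longest prefix wins, like a GTM topology record.
TOPOLOGY = {"8.8.8.0/24": "us-west", "205.168.2.0/24": "us-east", "10.1.10.0/24": "lab"}


def lookup_location(ip) -> str:
    """Stand-in for the iRule's whereis: longest-prefix match against TOPOLOGY, else 'default'."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, loc in TOPOLOGY.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, loc)
    return best[1] if best else "default"


def topology_source(msg: bytes, ldns_ip: str):
    """('ecs', addr) when a valid ECS option is present, else ('ldns', resolver address)."""
    ecs = parse_ecs(msg)
    if ecs is not None:
        return "ecs", ecs[0]
    return "ldns", ipaddress.ip_address(ldns_ip)


if __name__ == "__main__":
    ldns = "10.1.10.222"   # resolver address taken from the comment's log lines
    for label, rdata in [("with ECS", build_ecs_option("8.8.8.8/32")), ("no ECS", b"")]:
        kind, ip = topology_source(build_query("record.siterequest.com", rdata), ldns)
        print(f"{label}: decide from {kind} {ip} -> {lookup_location(ip)}")
```

Two points worth noting for anyone wiring this into a listener: a /24 option only carries three address bytes on the wire, so what comes back is the network address (205.168.2.0, not 205.168.2.3), which is what a topology lookup should key on; and an option whose trailing bits are not zero is dropped as malformed rather than silently trusted, so the decision falls back to the LDNS address. Since ECS is client-supplied, that fallback is also the safe default whenever the option fails validation.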
Comment made 3 months ago by alex 1

hello, is it possible to configure persistency based on the source IP captured via the eDNS header ?

0
Comment made 3 months ago by Eric Chen

@alex. Not sure if you saw that this is now a feature in BIG-IP DNS 14.0 (I just updated this post to mention that as well). Using Client Subnet in DNS Requests.

If you are not running BIG-IP DNS 14.0; then you could potentially use a custom persist method with an iRule: K7392 talks about using HTTP URI, but you could use the string value from eDNS in theory. I haven't thought it through fully, so not sure that would work.

0
Comment made 3 months ago by alex 1

Hi Eric, I have the feeling versions 14.0 and 14.1 are not stable and recommended versions yet. Am I right to say the iRule in K7392 only applies to LTM and not GTM?

thanks in advance.

0
Comment made 2 weeks ago by Nabarun 55

Hi ,

Does it require any extra license for EDNS? Is EDNS supported on version 12.1.3.5?

0