Forum Discussion
duckhead_25081
Nimbostratus
Oct 21, 2010
iRule for logging purposes
Hello all,
I tried searching the forums but I was not able to find a relevant post. I am in the process of troubleshooting a DNS issue on our BigIP 8900s and I need to create a logging iRule. The syntax "should" be fairly straightforward, but I am unable to get it to work. Below is what I think it should look like.
when DNS_REQUEST {
log local0.info "Got a request, [DNS::rrname]"
}
Thanks in advance for the help!
->Mark
3 Replies
- hoolio
Cirrostratus
Hi Mark,
That rule looks valid. What are you trying to accomplish? What's not working?
Aaron
- hoolio
Cirrostratus
A couple of comments:
1. It would be good to create a separate VS for the port 53 traffic. You can then set a much lower idle timeout to clear out the connections quicker. We discussed a number of methods here:
http://devcentral.f5.com/Forums/tabid/1082223/asg/52/showtab/groupforums/aff/31/aft/1168069/afv/topic/Default.aspx
I think there is also an AskF5 solution on this, but I wasn't able to find it immediately. I'll post back if I do see it.
2. The DNS_* events are specific to GTM. There isn't an event that's triggered within LTM which directly corresponds to this. I'd try optimizing the virtual server configuration before worrying too much about which clients are generating the connections.
Aaron
- hoolio
Cirrostratus
Hi Mark,
I think setting an immediate timeout for the UDP traffic might eliminate the high connection count problem. I'd suggest testing it on a non-production virtual server first though.
I could see DNS parsing being a useful feature for LTM. It can't hurt to open an RFE case with F5 Support.
You could log the DNS requests, but it would be binary data. You could use binary scan to parse it. Nat Thirasuttakorn added a great codeshare example for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/DNS_decoding.html
The act of parsing and logging locally so many events itself could potentially take the box down or affect production traffic handling. You could try using the HSL:: commands to do this.
http://devcentral.f5.com/wiki/default.aspx/iRules/hsl
If it were me, I'd probably just capture a tcpdump and analyze it off the LTM. Not very sexy, but it would have the least impact.
Aaron
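An iRule that puts the above advice together on LTM, as an added example that is not part of this thread or Aaron's code: it assumes a UDP port-53 virtual server and a pool named syslog_pool of remote syslog receivers, uses CLIENT_DATA because the DNS_REQUEST event is GTM-only, decodes the question name with binary scan, and ships the record off-box with HSL so local logging load stays off the unit.

```tcl
# Added example (not from the original thread). Assumptions: UDP/53 virtual
# server on LTM, and a UDP syslog pool named "syslog_pool" for HSL output.
when CLIENT_ACCEPTED {
    # One HSL handle per flow; HSL batches records off-box instead of
    # writing to the local syslog, which is the load the thread warns about.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}
when CLIENT_DATA {
    set payload [UDP::payload]
    set plen [UDP::payload length]
    # A DNS message carries a 12-byte header; anything shorter is not parsed.
    if { $plen < 12 } { return }
    # Byte 2 holds the flags; bit 7 (QR) is 0 for a query, 1 for a response.
    binary scan $payload @2c flags
    if { [expr {$flags & 0x80}] } { return }
    # QNAME starts at offset 12 as <length><label> pairs ending in a zero
    # length byte. Stop on a compression pointer or if a label overruns.
    set off 12
    set labels {}
    set qname "<unparsed>"
    while { $off < $plen } {
        binary scan $payload @${off}c len
        set len [expr {$len & 0xff}]
        if { $len == 0 } {
            if { [llength $labels] } {
                set qname [join $labels "."]
            } else {
                set qname "."
            }
            break
        }
        if { [expr {$len & 0xc0}] == 0xc0 } { break }
        if { [expr {$off + 1 + $len}] > $plen } { break }
        binary scan $payload @[expr {$off + 1}]a${len} label
        lappend labels $label
        incr off [expr {$len + 1}]
    }
    # Emit one syslog line per query: client address, VS name and the name asked for.
    HSL::send $hsl "<134> dns_query client=[IP::client_addr] vs=[virtual name] qname=$qname\n"
}
```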