DNS notify loadbalancing

Question

&nbsp;I'm trying to handle the case of a loadbalanced authoritative DNS server pool.  This pool has two members, however DNS notifies need to go to only one of them (the one with the master SQL database).&nbsp;
&nbsp;I've put together an iRule for the UDP notify request and it seems to be working,  however I'm not having any luck creating a TCP version of it.&nbsp;
&nbsp;UDP iRule for DNS notify
&nbsp;when CLIENT_ACCEPTED {
&nbsp;        binary scan [UDP::payload] SS id flags   
&nbsp;        set opcode [expr ($flags &gt;&gt; 11) &amp; 0xf]
&nbsp;         Send NOTIFYs (opcode 4) to the master SQL database node.
&nbsp;        if { $opcode == 4 } {
&nbsp;                log local0. "DEBUG: NOTIFY, sending to MASTER"
&nbsp;                node MASTER_SERVER_IP 53
&nbsp;        }
&nbsp;        else {
&nbsp;                log local0. "DEBUG: NOT A NOTIFY"
&nbsp;        }
&nbsp;}
&nbsp;This test irule works OK for UDP,  however not being an irule expert my naive attempt to convert that to a TCP irule doesn't appear to work.&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;        binary scan [TCP::payload] SS id flags   
&nbsp;        set opcode [expr ($flags &gt;&gt; 11) &amp; 0xf]
&nbsp;         Send NOTIFYs (opcode 4) to the master SQL database node.
&nbsp;        if { $opcode == 4 } {
&nbsp;                log local0. "DEBUG: NOTIFY TCP, sending to MASTER"
&nbsp;                node  MASTER_SERVER_IP 53
&nbsp;        }
&nbsp;        else {
&nbsp;                log local0. "DEBUG TCP: NOT A NOTIFY"
&nbsp;        }
&nbsp;}&nbsp;
&nbsp;Any suggestions?    According to the RFC's a DNS notify can come over TCP or UDP (UDP is tried first,  but it falls back to TCP in the case of a large packet and or firewall blocking).&nbsp;
&nbsp;Thx
&nbsp;-- david&nbsp;

nat_thirasuttakorn · Answer

2 things 
  
 1) when dealing with TCP, in client_accepted, you may collect data first...do what you need in client_data, then release the data...   
 your irule may look like this... 
  
 when CLIENT_ACCEPTED { 
     TCP::collect 
 } 
 when CLIENT_DATA { 
      do what you what here... 
     TCP::release 
 } 
  
 2) 
 according to rfc 1035 
  
 4.2.2. TCP usage 
  
 Messages sent over TCP connections use server port 53 (decimal).  The 
 message is prefixed with a two byte length field which gives the message 
 length, excluding the two byte length field.  This length field allows 
 the low-level processing to assemble a complete message before beginning 
 to parse it. 
  
 so your binary scan command has to change to  
  
 binary scan [TCP::payload] SSS length id flags 
  
 combine both together it probably look like this... (not test) 
 
when CLIENT_ACCEPTED {
        TCP::collect
}
when CLIENT_DATA {
        binary scan [TCP::payload] SSS length id flags   
        set opcode [expr ($flags &gt;&gt; 11) &amp; 0xf]
         Send NOTIFYs (opcode 4) to the master SQL database node.
        if { $opcode == 4 } {
                log local0. "DEBUG: NOTIFY TCP, sending to MASTER"
                node  MASTER_SERVER_IP 53
        }
        else {
                log local0. "DEBUG TCP: NOT A NOTIFY"
        }
        TCP::release
}

Nat

Forum Discussion

DNS notify loadbalancing

1 Reply

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Using F5 Distributed Cloud DNS Load Balancer health checks and DNS observability

BIG-IP / Virtual Server for UDP & TCP DNS Loadbalancing / extracting client IPs

Logging of DNS Requests and Responses without a DNS license

ESRP Strategies: DNS Water Torture Attack

Logging DNS Requests