Forum Discussion

MH1_273408
Jun 22, 2016

DNS response validation?

Hey All, I've got an environment with two sets of untrusted forests, one of which needs to be able to perform reverse DNS queries to both domains. The tricky part is, they share the same /24 network so I can't just do a secondary zone. I've turned to hopefully being able to leverage my F5 for this, is there any way (an iRule maybe?) to do DNS request validation? I.e. I have a pool of DNS servers, and if the response comes back "unknown" then the F5 then asks another member in the pool until it finds the answer?


Thanks!


3 Replies

  • I'm thinking an iRule is the right way to go here. I'll do something like throw both sets of authoritative servers for that reverse zone in a pool, then when DNS_Response if DNS::ptype =="NXDOMAIN" try next member of pool. Then iterate each member of the pool and if none of them return an answer then return nxdomain to the client. Is that something that is possible? Note that I'm using SNAT auto mapping, since the clients aren't routed through the F5. I'm new to iRules, should the rule begin with DNS_Request then if DNS_Response and nested DNS::ptype? Not sure if the rules watch the whole session or not.
  • Like this, except replace the 40x/50x errors with DNS::ptype =="NXDOMAIN". https://clouddocs.f5.com/api/irules/Retry-40x-50x-errors.html Unfortunately the http commands aren't 1:1 with DNS and I'm not sure which ones I'll need to use.
  • Or I suppose, to make this more simple. If DNS::ptype =="NXDOMAIN", set pool to alt_pool and retry. I can't seem to find a way to retry DNS though.
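The fallback logic the thread is after (ask each pool member in turn, move on when a member says NXDOMAIN or fails, and give the client a negative answer only once every member has been tried) can be written out independently of the F5 syntax. The following is an added example, not the poster's iRule and not F5 code: it models each pool member as a Python callable returning an rcode and answers, with a constructed two-forest pool on 192.0.2.0/24. The names `resolve_ptr`, `ptr_name`, `_static_zone` and `_dead_server` are this example's own. It also goes one step past the thread by distinguishing "every server said NXDOMAIN" from "no server could answer at all", so that an outage of the pool is reported as SERVFAIL rather than as a cacheable negative answer.

```python
"""Model of the PTR-lookup fallback discussed in the thread: query pool
members in order, treat NXDOMAIN/NODATA/SERVFAIL/timeout as "try the next
member", and only answer NXDOMAIN after every member has been consulted."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A pool member is modelled as a callable taking the query name and
# returning (rcode, answers). Constructed for this example; a real
# deployment would send an actual DNS query at this point.
Resolver = Callable[[str], Tuple[str, List[str]]]


def ptr_name(ip: str) -> str:
    """Build the reverse-lookup name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve_ptr(ip: str, pool: Dict[str, Resolver],
                max_members: Optional[int] = None
                ) -> Tuple[str, List[str], List[str]]:
    """Try each pool member until one returns a positive answer.

    Returns (final_rcode, answers, members_tried). max_members bounds the
    number of servers consulted per client query so a large pool cannot
    turn one client lookup into an unbounded fan-out.
    """
    name = ptr_name(ip)
    tried: List[str] = []
    saw_nxdomain = False
    for member, query in pool.items():
        if max_members is not None and len(tried) >= max_members:
            break
        tried.append(member)
        try:
            rcode, answers = query(name)
        except TimeoutError:
            # Unreachable member: move on, but remember it never said NXDOMAIN.
            continue
        if rcode == "NOERROR" and answers:
            return "NOERROR", answers, tried
        if rcode == "NXDOMAIN":
            saw_nxdomain = True
        # NXDOMAIN, empty NOERROR (NODATA), SERVFAIL, REFUSED: try next member.
    if saw_nxdomain:
        # At least one authoritative member positively denied the name.
        return "NXDOMAIN", [], tried
    # Nobody could answer: report a failure, not a negative answer.
    return "SERVFAIL", [], tried


def _static_zone(records: Dict[str, str]) -> Resolver:
    """Constructed stand-in for one forest's DNS server holding PTR records."""
    def query(name: str) -> Tuple[str, List[str]]:
        if name in records:
            return "NOERROR", [records[name]]
        return "NXDOMAIN", []
    return query


def _dead_server(name: str) -> Tuple[str, List[str]]:
    """Constructed stand-in for a pool member that never replies."""
    raise TimeoutError(name)


# Constructed sample data: two forests sharing 192.0.2.0/24, each server
# knowing only its own hosts and answering NXDOMAIN for the other's.
FOREST_A = _static_zone({ptr_name("192.0.2.10"): "fileserver.forest-a.example."})
FOREST_B = _static_zone({ptr_name("192.0.2.20"): "dc1.forest-b.example."})
POOL: Dict[str, Resolver] = {"forest-a-dns": FOREST_A, "forest-b-dns": FOREST_B}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        rcode, answers, tried = resolve_ptr(ip, POOL)
        print(f"{ip}: {rcode} {answers} (asked {', '.join(tried)})")
```

The order of `POOL` is the order members are asked, so putting the forest that owns most of the /24 first keeps the common case to a single query. Whatever carries this logic in production (an iRule or a forwarding resolver) should keep the same two bounds: a cap on members tried per client query, and a failure result rather than NXDOMAIN when no member actually denied the name.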