Forum Discussion

james_hodgkinso
Aug 28, 2018

DNS Caches and iRules

I've got a VIP handling DNS requests with a transparent cache profile on it, and I'm trying to stop queries to certain zones by sending an NXDOMAIN automatically. Is it correct to assume that this'll somehow be bypassed by the cache? It seems to be the case.

My iRule is as follows (it also points some internal domains to other nameservers):

when DNS_REQUEST {
    set query [string tolower [DNS::question name]]
    set dns_pool [class match -value -- $query ends_with dg_dns_steering]
    if [ $dns_pool eq "pool_dns_NXDOMAIN" ] {
        log local0. "nxdomain $query"
        DNS::answer clear
        DNS::header rcode NXDOMAIN
        DNS::return
    } else {
        pool $dns_pool
    }
}

And the datagroup has "example.com" : "pool_dns_NXDOMAIN" for example.

I can see it's working, because I get log events, but I can still see queries going out with tcpdump.
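A quick way to settle what the cache is doing is to query the VIP directly and inspect the RCODE in the reply rather than relying on log lines. The script below is an added example (not from the original post); it builds a minimal DNS query with only the standard library, sends it to the VIP address you pass in (assumed reachable on UDP/53) and reports whether the reply carried NXDOMAIN. Only the parsing helpers are exercised offline.

```python
import socket
import struct

NXDOMAIN = 3  # RCODE "Name Error", RFC 1035 section 4.1.1

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal standard query (RD set, one question, QCLASS IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Return (txid, rcode, ancount) from a DNS message; reject non-responses."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return txid, flags & 0x000F, ancount

def is_nxdomain_response(query, resp):
    """True when resp answers `query` (same txid) with RCODE NXDOMAIN and no answers."""
    txid, rcode, ancount = parse_header(resp)
    if txid != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return rcode == NXDOMAIN and ancount == 0

def check_vip(vip, name, timeout=2.0):
    """Query the VIP over UDP/53 and report whether it served NXDOMAIN for `name`."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (vip, 53))  # vip is an assumed, caller-supplied address
        resp, _ = sock.recvfrom(4096)
    return is_nxdomain_response(query, resp)

if __name__ == "__main__":
    import sys
    vip_addr, qname = sys.argv[1], sys.argv[2]
    print("NXDOMAIN" if check_vip(vip_addr, qname) else "answered / other rcode")
```

Run it once for a name in the datagroup and once for a name outside it while capturing on the back-end side; if the blocked name still produces a query to the pool members, the cache is answering (or forwarding) before the iRule returns.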

1 Reply

Hi

Apart from a bracket issue on your if line (it should be { rather than [):

    if { $dns_pool eq "pool_dns_NXDOMAIN" } {

which I'm guessing is a copy-and-paste issue, as the code wouldn't work otherwise, your code works for me. When querying the VIP I can see requests for all of my DNS suffixes hitting the DNS servers, but the call for the specific host in the Data Group gets served by the iRule.

Changing your code to contains dg_dns_steering tidied this up for me.