james_hodgkinso
Aug 28, 2018 | Nimbostratus
DNS Caches and iRules
I've got a VIP handling DNS requests with a transparent cache profile on it, and I'm trying to stop queries to certain zones by sending an NXDOMAIN automatically. Is it correct to assume that this'll somehow be bypassed by the cache? It seems to be the case.
My iRule is as follows (it also points some internal domains to other nameservers):
when DNS_REQUEST {
    # Lower-case the name so the datagroup match is case-insensitive
    set query [string tolower [DNS::question name]]
    # Suffix match against the datagroup; returns "" when nothing matches
    set dns_pool [class match -value -- $query ends_with dg_dns_steering]
    # Tcl conditions belong in braces; "[ ... ]" is command substitution and
    # would try to execute the pool name as a command
    if { $dns_pool eq "pool_dns_NXDOMAIN" } {
        log local0. "nxdomain $query"
        DNS::answer clear
        DNS::header rcode NXDOMAIN
        DNS::return
    } elseif { $dns_pool ne "" } {
        # Only steer when the datagroup produced a pool; "pool {}" is a runtime error
        pool $dns_pool
    }
}
And the datagroup has "example.com" : "pool_dns_NXDOMAIN" for example.
I can see it's working, because I get log events, but I can still see queries going out with tcpdump.
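As an added illustration (not part of the original post, and not F5 code), the steering logic above modelled offline in Python: a stand-in for the dg_dns_steering datagroup, the same lower-cased ends_with match, and a builder for the wire-format reply that "DNS::header rcode NXDOMAIN" plus "DNS::return" sends back (same transaction ID, QR bit set, RCODE 3, question echoed, no answers). It also shows a caveat of a bare suffix match: the entry "example.com" matches "notexample.com" as well. The datagroup contents and the sample query are constructed.

```python
import struct

# Constructed stand-in for the dg_dns_steering datagroup (name suffix -> pool).
DG_DNS_STEERING = {
    "example.com": "pool_dns_NXDOMAIN",
    "corp.internal": "pool_dns_internal",
}
NXDOMAIN = 3  # DNS RCODE value for NXDOMAIN


def steer(qname, datagroup=DG_DNS_STEERING):
    """Mimic 'class match -value -- $query ends_with dg_dns_steering'.
    Plain suffix match: "example.com" also matches "notexample.com"."""
    query = qname.lower().rstrip(".")
    for suffix, pool in datagroup.items():
        if query.endswith(suffix):
            return pool
    return ""  # class match yields "" when nothing matches


def parse_question(msg):
    """Return (transaction id, lower-cased qname, end offset of the question)."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    pos += 4  # skip QTYPE and QCLASS
    return txid, ".".join(labels).lower(), pos


def nxdomain_response(query):
    """Reply the iRule produces: same ID, QR=1, RD copied, RCODE=3,
    the question echoed and zero answer/authority/additional records."""
    txid, _qname, qend = parse_question(query)
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | NXDOMAIN, 1, 0, 0, 0)
    return header + query[12:qend]


def build_query(name, txid=0x1234):
    """Constructed A/IN query used as sample input (no network involved)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Pointing a real resolver test at the VIP and comparing the RCODE it returns with the tcpdump capture is the quickest way to tell whether the cache answered before the rule did.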