The tricky part is that the response also contains the question, so you have to change all instances of "app4.pac.com" back as the response passes by or the original requestor will reject it.
You need to be running 11.1 or newer and have either GTM or DNS Services licensed for this rule to work:
when DNS_REQUEST {
if { [DNS::question name] eq "app.pac.com" } {
DNS::question name app4.pac.com
}
}
when DNS_RESPONSE {
if { [ expr { [DNS::header rcode] eq "NOERROR"} ] && [ expr { [DNS::header ancount] > 0 } ] } {
if { [DNS::question name] eq "app4.pac.com" } {
DNS::question name app.pac.com
}
foreach a [DNS::answer] {
if { [DNS::name $a] eq "app4.pac.com" } {
DNS::name $a app.pac.com
}
}
}
}
But since the effect of this rule is to create an alias, why don't you just use a CNAME entry in the dns zone file?