Hi Sachin,

you can pretty much streamline your iRule by generating the DNS::answer directly within the DNS_REQUEST event. This will make the syntax much simpler and also save a roundtrip between your F5 and your DNS servers (which is wasted computing power, since the DNS::answer always gets replaced).
when RULE_INIT {
    # TTL (seconds) used for the synthesized answers
    set static::whitelist_ttl "300"
}

when DNS_REQUEST {
    # Prefix match on the lowercased query name, restricted to A record queries
    if { ( [string tolower [DNS::question name]] starts_with "www.domain.tld" )
         and ( [DNS::question type] equals "A" ) } then {
        log local0.debug "DNS Request match..."
        # private_net is an address data group holding the internal client subnets
        if { [class match [IP::client_addr] equals private_net] } then {
            log local0.debug "Client is private..."
            DNS::answer insert "[DNS::question name]. $static::whitelist_ttl [DNS::question class] [DNS::question type] 10.10.10.10"
        } else {
            log local0.debug "Client is public..."
            DNS::answer insert "[DNS::question name]. $static::whitelist_ttl [DNS::question class] [DNS::question type] 193.11.11.1"
        }
        # Hand the synthesized answer straight back to the client; the DNS servers are never queried
        DNS::return
    }
}
Cheers, Kai
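The same pattern, as an added example that is not part of Kai's reply or of any F5 documentation: the name-to-address mapping is moved into a string data group so that further split-horizon names can be added without touching the iRule, the lookup is an exact match on the normalized query name (a query for a name that merely begins with www.domain.tld does not receive the synthesized answer), and anything other than a matching A query falls through to the configured DNS servers. The data group names split_horizon_a and private_net, and the addresses in the sample entry, are assumptions for illustration.

```tcl
# Added example, not from the original post.
# Assumed data groups (hypothetical names):
#   private_net      - address data group holding the internal client subnets
#   split_horizon_a  - string data group mapping a name to "internal_ip external_ip",
#                      e.g. key "www.domain.tld" with value "10.10.10.10 193.11.11.1"
when RULE_INIT {
    # TTL (seconds) for the synthesized answers
    set static::split_ttl 300
}

when DNS_REQUEST {
    # Only A queries are answered here; everything else goes on to the real resolvers.
    if { [DNS::question type] ne "A" } { return }

    # Exact, case-insensitive lookup; the trailing dot is stripped so the key
    # matches the data group entry regardless of how the client wrote the name.
    set qname [string tolower [string trimright [DNS::question name] "."]]
    set pair [class match -value $qname equals split_horizon_a]
    if { $pair eq "" } { return }

    # Choose the internal or the external address based on the client source.
    if { [class match [IP::client_addr] equals private_net] } {
        set answer_ip [lindex $pair 0]
    } else {
        set answer_ip [lindex $pair 1]
    }

    # Build the record and return it to the client without querying the DNS servers.
    DNS::answer insert "${qname}. $static::split_ttl IN A $answer_ip"
    DNS::return
}
```

Because the early `return` statements leave the request untouched, queries for unlisted names or for other record types (AAAA, MX, ...) still reach the backend resolvers and are answered as before; only the listed A names are short-circuited on the F5.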