GTM iRule - cname

There is no RFC for returning a CNAME when the client sends an A query to a root record so i'm unsure if the client will even accept a CNAME in response and act upon it.

 

 

I dont know much about this.. but I feel like saying;

 

 

Is there any RFC saying any different? Any RFC stating that a DNS query for "root zone" can not be answered with a CNAME?

I was told by my F5 rep that the RFC states that a root record query can only be answered with an A record. The link i posted previously states pretty much the same thing.

 

 

Anyways, I was able to come with a solution. Since the application will be hosted within AWS and all i need to do is host the domain I really have no need to check the health of the application. Essentially, i just need to provide DNS resolution and let AWS provide the global load balancing.

 

 

I ended writing a simple shell script to lookup the IP's of the AWS Alias, output the IP's to a file and then update an iFile. The iRule then uses the iFile to return the IP as an A record.

 

 

This would be much simpler if I could have used the Resolve::Lookup iRule method on the GTM, however, it only seems to be available within the LTM Module.

 

 

Anyways, for anyone who is interested here is the script. I initially created the iFile record via the gui so this script just updates the existing iFile.

 

 

I use dig to get the IP's. Amazon returns two IP's so I remove the second listed IP. I then have to remove the new line and trailing white spaces before outputting to a file. This is essential as the iRule Host command doesn't like any white spaces. I then issue the TMSH commands to update the iFile.

 

 

I have to thank the guys on this post for giving me the syntax to specify a file on the local file system when modifying the iFile. I could not find any documentation on AskF5 for this.

 

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/53/aft/2159165/showtab/groupforums/Default.aspx

 

 

I will end up rewriting this to return both IP's and error checking but this works for now.

 

-----------------------------------------------------------------------------------------------

 

!/bin/bash

 

 

dig +short @8.8.8.8 node.amazonaws.com IN A | sed '$d' | tr '\n' ' ' | sed 's/ $//' > /config/scripts/ag_aname.txt

 

 

tmsh modify /sys file ifile ag_aname.txt source-path file:/config/scripts/ag_aname.txt

 

tmsh save /sys config >>/dev/null

 

 

---------------------------------------------------------------------------------------------

 

 

And here is the iRule

 

 

------------------------------------------------------------------------------------------

 

when DNS_REQUEST {

 

set ifileContent [ifile get "/Common/ag_aname"]

 

host $ifileContent

 

log local0. $ifileContent

 

unset ifileContent

 

}

 

 

If anyone has a simpler way of doing this I would love to hear it.

Not directly answering the thread, but need to repost my EAV posted above (original copy/paste issue.)

 

Anyway, here is the EAV based on 2 AWS DNS server lookups, to avoid resolver delays if down

 

 

Resolve name to IP address

 

Do a curl against the site to see if it is up .. based on DNS lookup above

 

* If it is up, then iRule will return CNAME to send client tot he cloud

 

If curl fails, means the cloud site is down, and then irule will return wideip from GTM pool for internal resorce

 

 

==================

 

 

!/bin/bash

 

 

For Bip-IP v11 use GUI to import EAV

 

 

For Big-IP pre v11

 

Save as /usr/bin/monitors/custom_monitor.bash

 

or

 

Save as /config/monitors/custom_monitor.bash

 

Make executable using chmod 755 custom_monitor.bash

 

 

The below arguments are supplied automatically

 

based on the pool members that the EAV is assigned to

 

$1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname)

 

$2 = port (decimal, host byte order)

 

 

Log debug to /var/log/ltm

 

Check if a variable named DEBUG exists from the monitor definition

 

 

The following must be set in the EAV GUI

 

DEBUG=0 or 1

 

RESPONSE_CHECK

 

FQDN_TO_RESOLVE

 

DNS_SERVER_1

 

DNS_SERVER_2

 

 

if [ -n "$DEBUG" ]

 

then

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: \$DEBUG: $DEBUG" | logger -p local0.debug; fi

 

fi

 

 

Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

 

We are not actually using it in this monitor

 

IP=`echo $1 | sed 's/::ffff://'`

 

 

Save the port for use in the shell command

 

PORT=$2

 

 

Check if there is a prior instance of the monitor running

 

pidfile="/var/run/`basename $0`.$IP.$PORT.pid"

 

if [ -f $pidfile ]

 

then

 

kill -9 `cat $pidfile` > /dev/null 2>&1

 

echo "EAV `basename $0`: exceeded monitor interval, needed to kill ${IP}:${PORT} with PID `cat $pidfile`" | logger -p local0.error

 

fi

 

 

Add the current PID to the pidfile

 

echo "$$" > $pidfile

 

 

Resolve name to IP address

 

QUERY_RESULT=$(dig @${DNS_SERVER_1} +time=1 +tries=1 +short ${FQDN_TO_RESOLVE} IN A | head -n1)

 

 

if [[ $QUERY_RESULT =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: Succeeded for ${MY_FQDN} from ${DNS_SERVER_1}" | logger -p local0.debug; fi

 

Do a curl against the site to see if it is up .. based on DNS lookup above

 

curl -fNs ${QUERY_RESULT} --header 'Host: ${FQDN_TO_RESOLVE}' | grep -i "${RESPONSE_CHECK}" 2>&1 > /dev/null

 

 

if [ $? -eq 0 ]

 

then

 

echo "up"

 

fi

 

rm -f $pidfile

 

 

 

else

 

QUERY_RESULT=$(dig @${DNS_SERVER_2} +time=1 +tries=1 +short ${FQDN_TO_RESOLVE} IN A | head -n1)

 

 

if [[ $QUERY_RESULT =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: Succeeded for ${MY_FQDN} from ${DNS_SERVER_2}" | logger -p local0.debug; fi

 

curl -fNs ${QUERY_RESULT} --header 'Host: ${FQDN_TO_RESOLVE}' | grep -i "${RESPONSE_CHECK}" 2>&1 > /dev/null

 

 

if [ $? -eq 0 ]

 

then

 

echo "up"

 

fi

 

rm -f $pidfile

 

 

 

else

 

rm -f $pidfile

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: Failed for ${MY_FQDN} across all DNS servers ${DNS_SERVER_1} and ${DNS_SERVER_2} and ${DNS_SERVER_3}" | logger -p local0.debug; fi

 

fi

 

 

Not directly answering the thread, but need to repost my EAV posted above (original copy/paste issue.)

 

Anyway, here is the EAV based on 2 AWS DNS server lookups, to avoid resolver delays if down

 

 

Resolve name to IP address

 

Do a curl against the site to see if it is up .. based on DNS lookup above

 

* If it is up, then iRule will return CNAME to send client tot he cloud

 

If curl fails, means the cloud site is down, and then irule will return wideip from GTM pool for internal resorce

 

 

==================

 

 

!/bin/bash

 

 

For Bip-IP v11 use GUI to import EAV

 

 

For Big-IP pre v11

 

Save as /usr/bin/monitors/custom_monitor.bash

 

or

 

Save as /config/monitors/custom_monitor.bash

 

Make executable using chmod 755 custom_monitor.bash

 

 

The below arguments are supplied automatically

 

based on the pool members that the EAV is assigned to

 

$1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname)

 

$2 = port (decimal, host byte order)

 

 

Log debug to /var/log/ltm

 

Check if a variable named DEBUG exists from the monitor definition

 

 

The following must be set in the EAV GUI

 

DEBUG=0 or 1

 

RESPONSE_CHECK

 

FQDN_TO_RESOLVE

 

DNS_SERVER_1

 

DNS_SERVER_2

 

 

if [ -n "$DEBUG" ]

 

then

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: \$DEBUG: $DEBUG" | logger -p local0.debug; fi

 

fi

 

 

Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

 

We are not actually using it in this monitor

 

IP=`echo $1 | sed 's/::ffff://'`

 

 

Save the port for use in the shell command

 

PORT=$2

 

 

Check if there is a prior instance of the monitor running

 

pidfile="/var/run/`basename $0`.$IP.$PORT.pid"

 

if [ -f $pidfile ]

 

then

 

kill -9 `cat $pidfile` > /dev/null 2>&1

 

echo "EAV `basename $0`: exceeded monitor interval, needed to kill ${IP}:${PORT} with PID `cat $pidfile`" | logger -p local0.error

 

fi

 

 

Add the current PID to the pidfile

 

echo "$$" > $pidfile

 

 

Resolve name to IP address

 

QUERY_RESULT=$(dig @${DNS_SERVER_1} +time=1 +tries=1 +short ${FQDN_TO_RESOLVE} IN A | head -n1)

 

 

if [[ $QUERY_RESULT =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: Succeeded for ${MY_FQDN} from ${DNS_SERVER_1}" | logger -p local0.debug; fi

 

Do a curl against the site to see if it is up .. based on DNS lookup above

 

curl -fNs ${QUERY_RESULT} --header 'Host: ${FQDN_TO_RESOLVE}' | grep -i "${RESPONSE_CHECK}" 2>&1 > /dev/null

 

 

if [ $? -eq 0 ]

 

then

 

echo "up"

 

fi

 

rm -f $pidfile

 

 

 

else

 

QUERY_RESULT=$(dig @${DNS_SERVER_2} +time=1 +tries=1 +short ${FQDN_TO_RESOLVE} IN A | head -n1)

 

 

if [[ $QUERY_RESULT =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: Succeeded for ${MY_FQDN} from ${DNS_SERVER_2}" | logger -p local0.debug; fi

 

curl -fNs ${QUERY_RESULT} --header 'Host: ${FQDN_TO_RESOLVE}' | grep -i "${RESPONSE_CHECK}" 2>&1 > /dev/null

 

 

if [ $? -eq 0 ]

 

then

 

echo "up"

 

fi

 

rm -f $pidfile

 

 

 

else

 

rm -f $pidfile

 

if [ $DEBUG -eq 1 ]; then echo "EAV `basename $0`: Failed for ${MY_FQDN} across all DNS servers ${DNS_SERVER_1} and ${DNS_SERVER_2} and ${DNS_SERVER_3}" | logger -p local0.debug; fi

 

fi

 

 

Bump on this.

 

QUERY_RESULT=$(dig @${DNS_SERVER_1} +time=1 +tries=1 +short ${FQDN_TO_RESOLVE} IN A | head -n1)

 

 

Much better than what I was using to parse out the IP address. Thanks!

Anyone happen to have duplicated the AWS/EAV/iRule configuration on v12+?

 

I got it running on v11 but v13 is so very different (and just running an upgrade only brings in the objects, it breaks it completely)...like you can't apply an EAV to a CNAME pool. And if you use an 'A' record pool you can't have a CNAME.

 

Even in my iRule if I try to tell it to return the CNAME pool it doesn't work - as soon as you use the keyword 'cname' it returns the next entry as the CNAME itself, not the pool. And if you don't use the keyword 'cname' it says it can't find the CNAME pool. lol.

 

Thx