Log DNS queries with iRule?
We are load balancing our DNS requests through LTM. We'd like to log at the F5 so we capture the client address (LTM uses SNAT). Based on a few examples on DevCentral, they mostly use this same query. We've added a logging statement to capture the client address and query.
    when CLIENT_ACCEPTED {
        binary scan [UDP::payload] H4@12A*@12H* id dname question
        set dname [string tolower [getfield $dname \x00 1 ] ]
        log local0 "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
    }
The only issue with this is the formatting of the domain is lost. The log statements display as "googlecom" or "mapsgooglecom", obviously missing the periods between the domain names. Is there some other way to parse the statements to get the original domain formatting to persist through to the log statement?
The only code I found online was this post from 2006, which seems to work correctly. Is that code still correct 9 years later? Is there a more graceful way to do that?
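An added example, not part of the original post and not F5's own code: the periods are missing because a DNS query name on the wire has none. Each label is preceded by a one-byte length, so the name has to be rebuilt label by label. This sketch assumes a UDP virtual server and reuses the post's event and log fields; the `malformed` log variant and the character whitelist are assumptions added here.

```tcl
# Added example. Walks the length-prefixed labels of the first question name
# and joins them with "." before logging.
when CLIENT_ACCEPTED {
    set payload [UDP::payload]
    set offset 12          ;# QNAME starts after the fixed 12-byte DNS header
    set labels {}
    set total 0
    set complete 0

    # QNAME is a run of <1-byte length><label bytes>, ended by a zero length.
    while { [binary scan $payload @${offset}c len] == 1 } {
        set len [expr { $len & 0xff }]   ;# "c" is signed; map to 0..255
        if { $len == 0 } {
            set complete 1
            break
        }
        # Lengths above 63 are compression pointers or reserved: stop parsing.
        if { $len > 63 } { break }
        incr offset
        # A truncated datagram leaves fewer than $len bytes: scan returns 0.
        if { [binary scan $payload @${offset}a${len} label] != 1 } { break }
        # A full name is at most 255 bytes including the final zero byte.
        incr total [expr { $len + 1 }]
        if { $total > 254 } { break }
        lappend labels $label
        incr offset $len
    }

    set dname [string tolower [join $labels "."]]
    # Label bytes are client-controlled: replace anything that could break
    # or forge a log line (spaces, quotes, control characters).
    regsub -all {[^a-z0-9._-]} $dname "?" dname

    if { $complete } {
        log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
    } else {
        log local0. "dns_src_ip=[IP::client_addr] malformed dns_query=$dname"
    }
}
```

Only the first question name is read, and a name that ends early or contains a compression pointer is logged as malformed with whatever labels were recovered.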