I am seeing the same behavior. I never see the DNS query leave the F5. I must be missing something. It takes a full 20 seconds, so it looks like it is timing out trying to do the lookup. I also do not see any traffic leaving the F5 on 53 when running tcpdump. When I just do a lookup from the CLI, I see everything fine.
May 19 14:47:17 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: New connection to 10.26.16.5:80
May 19 14:47:17 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: Collecting HTTP for new lookup
May 19 14:47:37 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: Lookup result:
My code is as follows (I stripped it down trying to troubleshoot):
when CLIENT_ACCEPTED {
    # Trigger a name lookup for new connections
    set do_lookup 1
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
}

when HTTP_REQUEST {
    # Check if we haven't done a lookup already on this connection
    if { $do_lookup } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Collecting HTTP for new lookup"
        # Hold HTTP data until client IP address is resolved
        HTTP::collect
        # Start a name resolution on the client IP address
        NAME::lookup -ptr [IP::client_addr]
    }
}

when NAME_RESOLVED {
    # FQDN of client IP address (empty string if the lookup failed or timed out)
    log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: [NAME::response]"
    set do_lookup 0
    HTTP::release
}