Forum Discussion

meena_60183
Jun 09, 2009

reverse DNS lookup on iRule

Hi All,

I have the following requirement. The Apache web server currently has the logic:

1. port 80 and DNS match

   When users come in on port 80 and the reverse DNS lookup on the client IP contains xxx.com, it sends the traffic to port 8080 on the web server.

2. port 443 and DNS match

   When users come in on port 443 and the reverse DNS lookup on the client IP contains xxx.com, it sends the traffic to port 8443 on the web server.

3. port 80 and DNS mismatch

   When users come in on port 80 and the reverse DNS lookup on the client IP is not xxx.com, redirect to port 8443 on the server.

4. port 443 and DNS mismatch

   When users come in on port 443 and the reverse DNS lookup on the client IP is not xxx.com, send it to port 8443 on the server.

Can this be done using iRules? The only piece that I do not know is how to do the reverse lookup using the DNS server.

Meena


10 Replies

  • Yes I believe it can be done.

    Here is a link to a command that may work for you nicely:

    http://devcentral.f5.com/wiki/default.aspx/iRules/NAME__lookup.html

    Hope this helps,

    CB

  • Thank you for the response. I tried the iRule and I did not get the resolved name. I logged the client IP:

        when HTTP_REQUEST {
            # Hold HTTP data until hostname is resolved
            HTTP::collect
            log local0. "client ip = [IP::client_addr]"
            # Start a name resolution on the hostname
            NAME::lookup [IP::client_addr]
        }
        when NAME_RESOLVED {
            log local0. "client name = >[NAME::response]<"
            # Release HTTP data once hostname is resolved
            HTTP::release
        }

    and the log shows

        Jun 11 15:32:39 tmm tmm[1788]: Rule dns-name-lookup : client ip = 10.124.242.84
        Jun 11 15:32:39 tmm tmm[1788]: Rule dns-name-lookup : client name = ><

    I have the correct DNS configured on the BIG-IP. When I do a manual nslookup using that DNS server, it gets resolved.

    Any ideas?

    Meena
  • I am seeing the same behavior. I never see the DNS query leave the F5. I must be missing something. It takes a full 20 seconds, so it looks like it is timing out trying to do the lookup. I also do not see any traffic leaving the F5 on 53 when running tcpdump. When I just do a lookup from the CLI, I see everything fine.

        May 19 14:47:17 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: New connection to 10.26.16.5:80
        May 19 14:47:17 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: Collecting HTTP for new lookup
        May 19 14:47:37 local/tmm2 info tmm2[5006]: Rule DNS_PTR_Domain_Lookup : 10.34.18.213:55386: Lookup result:

    My code is as follows (I stripped it down trying to troubleshoot):

        when CLIENT_ACCEPTED {
            # Trigger a name lookup for new connections
            set do_lookup 1
            log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
        }
        when HTTP_REQUEST {
            # Check if we haven't done a lookup already on this connection
            if { $do_lookup } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Collecting HTTP for new lookup"
                # Hold HTTP data until client IP address is resolved
                HTTP::collect
                # Start a name resolution on the client IP address
                NAME::lookup -ptr [IP::client_addr]
            }
        }
        when NAME_RESOLVED {
            # FQDN of client IP address
            log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: [NAME::response]"
            set do_lookup 0
            HTTP::release
        }

  • Do you have a TMM route for the DNS server? TMM won't be able to use a DNS server on the management interface.

    Also, if you're on 10.1 or higher, you should use RESOLV::lookup instead as it is simpler and more efficient:

    http://devcentral.f5.com/wiki/default.aspx/iRules/resolv__lookup

    Aaron
  • There is no specific route to the DNS server, but the default route should get it there (I can ping the DNS server from the self IP).

    Let me try RESOLV and see what happens.
  • Is there a TMM default route which allows you to reach the DNS server? Pinging from the command line can use mgmt routes. RESOLV::lookup will show the same issue as TMM tries to do the DNS query.

    For details on TMM versus management routing, see

    sol3669: Overview of management interface routing
    http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html

    Aaron
  • There is a default route defined in TMM. The issue looks to be that when executing RESOLV or NAME without specifying a DNS server, it goes nowhere. I thought it would have used the DNS servers defined on the TMM. Was this a false assumption?

    When I specify a DNS, it resolves correctly: [RESOLV::lookup @xxx.xxx.xxx.xxx -ptr [IP::client_addr]], which brings up a whole other issue. I'm going to have to define a pool of DNS servers to do the lookups against to provide the redundancy I need (not a big deal really).
  • I didn't think you'd have to specify a DNS server in either command. But if it works with a virtual server or explicit IP, I say go for it :) If you want to use a pool of DNS servers, you can define a virtual server pointing to that pool and then use the virtual server name in the RESOLV::lookup command.

    Aaron
  • Exactly Aaron. Thanks for the help.

    It is a little disconcerting that I need to specify the server... I need to dig into that a bit more, but with a workable solution, it doesn't really bother me much.

    I guess the RESOLV ptr lookup issue was fixed in 10.x.x? That was the reason I started off with NAME in the first place.
  • The -ptr issue with RESOLV::lookup was fixed in 10.2.1HF1. You can download the latest 10.2.1 hotfix from downloads.f5.com.

    Aaron
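Pulling the thread together, here is an added example of the four-way routing from the original post, written with RESOLV::lookup as Aaron suggested. It is my own illustration, not code from the thread or from F5, and it uses hypothetical object names: a UDP/53 virtual server `vs_dns_resolvers` in front of the pool of DNS servers (the redundancy workaround discussed above), server-side pools `web_8080` and `web_8443` whose members are the Apache server on those ports, and `xxx.com` as the placeholder domain. It assumes the iRule is attached to both the port-80 virtual server and an SSL-terminating port-443 virtual server, so HTTP_REQUEST fires on both. Two points from the thread are worth keeping in mind: a reverse lookup needs the `-ptr` option (the second iRule above has it, the first does not), and `-ptr` on RESOLV::lookup needs 10.2.1HF1 or later. The example also goes a little beyond the original post: it matches on the domain suffix rather than `contains`, so a name that merely has xxx.com somewhere inside it does not qualify, and it confirms that the returned name resolves forward to the client address, because the PTR record is under the control of whoever runs the reverse zone for that address range.

```tcl
# Added example, not from the thread or from F5. Hypothetical object names:
#   vs_dns_resolvers   : UDP/53 virtual server in front of a pool of DNS servers
#   web_8080, web_8443 : pools whose members are the Apache server on those ports
#   xxx.com            : placeholder for the real domain, as in the original post
# Attach to both the port-80 and the (SSL-terminating) port-443 virtual servers.

when CLIENT_ACCEPTED {
    # Resolve once per TCP connection. RESOLV::lookup parks the connection
    # until the answer arrives, so a resolver that TMM has no route to shows
    # up as the ~20 s stall and the empty result seen in the logs above.
    set ptr [string tolower [string trimright \
        [lindex [RESOLV::lookup @vs_dns_resolvers -ptr [IP::client_addr]] 0] "."]]

    # Default to "mismatch": an empty answer (resolver unreachable, no PTR
    # record) must not be treated as a match.
    set dns_match 0
    if { ($ptr equals "xxx.com") || ($ptr ends_with ".xxx.com") } {
        # The reverse zone is run by the client's address owner, so require
        # the name to resolve forward to this client (forward-confirmed
        # reverse DNS) before trusting it.
        set fwd [RESOLV::lookup @vs_dns_resolvers -a $ptr]
        if { [lsearch -exact $fwd [IP::client_addr]] >= 0 } {
            set dns_match 1
        }
    }

    # Log the raw answer so a routing or resolver problem is visible in the
    # logs instead of silently turning every client into a "mismatch".
    log local0. "[IP::client_addr]:[TCP::client_port]: ptr=>$ptr< match=$dns_match"
}

when HTTP_REQUEST {
    if { [TCP::local_port] == 80 } {
        if { $dns_match } {
            # 1. port 80 and DNS match -> Apache 8080
            pool web_8080
        } else {
            # 3. port 80 and DNS mismatch -> HTTP redirect to the HTTPS virtual
            # server, which fronts Apache 8443 ("redirect" in the original post
            # is read here as an HTTP redirect)
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    } else {
        # 2. and 4. port 443, match or mismatch -> Apache 8443
        pool web_8443
    }
}
```

The lookup is done in CLIENT_ACCEPTED rather than HTTP_REQUEST so that a keep-alive connection carrying many requests pays for one DNS round trip, and so that no HTTP::collect/HTTP::release pairing is needed. The log line is the check to run first when clients are unexpectedly all landing on 8443: an empty `ptr=><` with a 20-second delay points at the TMM-versus-management routing problem described in sol3669, not at the iRule logic.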