Forum Discussion
10 Replies
- OTS02 (Cirrus)
I have a similar situation (2 pure GTMs). In my case, the iRule works very well. I have set up all of the internal records as WideIPs, then you can apply the iRule directly to the WideIP. It can also be done using an additional "view" (under the ZoneRunner view list), but I think that the iRule on the WIP is simpler and more flexible.
In my case, I have an iRule that drops everything that does not have an RFC 1918 source address. This rule is applied to the internal WIPs.
    when DNS_REQUEST {
        if { ([IP::addr [IP::client_addr]/8 equals 10.0.0.0]) } {
        } elseif { ([IP::addr [IP::client_addr]/12 equals 172.16.0.0]) } {
        } elseif { ([IP::addr [IP::client_addr]/16 equals 192.168.0.0]) } {
        } else {
            log "[IP::client_addr] attempting to query internal dns zone!!!!!"
            discard
        }
    }
- Hamish (Cirrocumulus)
An iRule will allow this...
I'm not aware of any other way to do it (apart from perhaps topology records to force resolution from an empty pool... a bit of a hack that, though).
The iRule should be able to be implemented at either the GTM or LTM level.
H
- ruiqiang_lu_121 (Historic F5 Account)
I think you can use an iRule to resolve this issue. You can add one iRule to one listener and another iRule to another listener. This iRule is an LTM iRule, so you can provision LTM and configure this iRule on the VS of the listener.
The iRule is like this:
    when DNS_REQUEST {
        if { [DNS::question name] equals "www.a.com" } {
            DNS::drop
        }
    }
- Jon_Ole_Nome_46 (Nimbostratus)
Thanks for your input, I will check to see if this is possible on a "pure" GTM, or if I would need an LTM/GTM setup to do that.
- Kevin_Stewart (Employee)
Here's a slight twist to get multi-homed records.
  - Create an "internal" topology region - include all of the local/internal IP subnets.
  - Create separate internal and external pools for each WIP resource with a common naming extension (ex. int_foo.example.com_pool and ext_foo.example.com_pool).
  - Create a "drop" pool - no members, preferred LB Method: Fallback IP, Fallback IP: 1.1.1.1, Alternate and Fallback LB Methods set to none.
  - Assign the external pool to the WIP.
  - Apply this iRule to all multi-homed WIPs:

    when DNS_REQUEST {
        if { [matchregion [IP::client_addr] internal_network] } {
            if { [catch {
                # try to send internal GTM pool
                set pool [findstr [LB::server pool] "ext_" 4]
                pool "int_$pool"
            } error] } {
                # internal GTM pool doesn't exist - send nothing
                pool drop_pool
            }
        }
    }

This is really nothing more than a variation on some of the examples above, and probably pretty close to Jason's comments, but it can be done completely inside a GTM iRule and will allow you to serve up internal and external DNS entries for the same resources (if they exist).
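The two decisions the iRules in this thread make (OTS02's RFC 1918 source check for internal-only WIPs, and Kevin's ext_/int_ pool switch with a fall-through to an empty drop pool for multi-homed WIPs) can be checked offline with a small model. The following is an added example written for this page; it is plain Python, not an iRule and not F5 code. The pool names, the `POOLS` inventory and the client addresses are constructed for illustration.

```python
"""Model of the two GTM DNS_REQUEST policies discussed in this thread.

Added example, not F5 code and not an iRule: plain Python that mirrors the
decisions the iRules make, so the logic can be exercised offline.
Pool names and client addresses are constructed for illustration.
"""
import ipaddress

# The three RFC 1918 ranges that the /8, /12 and /16 comparisons in the iRule test.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed GTM pool inventory following the int_/ext_ naming convention.
# foo has an internal counterpart; bar is reachable from outside only.
POOLS = {
    "ext_foo.example.com_pool",
    "int_foo.example.com_pool",
    "ext_bar.example.com_pool",
}


def is_internal(client_addr: str) -> bool:
    """True when the querying resolver's source address is in RFC 1918 space."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in RFC1918)


def internal_only_policy(client_addr: str) -> str:
    """Rule for internal-only WIPs: answer RFC 1918 sources, discard the rest.

    Returns "answer" or "discard" (the iRule's discard command).
    """
    return "answer" if is_internal(client_addr) else "discard"


def multihomed_pool(client_addr: str, assigned_pool: str) -> str:
    """Multi-homed rule: external clients keep the pool assigned to the WIP
    (ext_...); internal clients are steered to the matching int_... pool when
    it exists and to the empty drop_pool when it does not.
    """
    if not is_internal(client_addr):
        return assigned_pool
    # Equivalent of: findstr [LB::server pool] "ext_" 4  -> text after "ext_"
    if not assigned_pool.startswith("ext_"):
        return assigned_pool
    candidate = "int_" + assigned_pool[len("ext_"):]
    # The iRule reaches drop_pool via catch when the int_ pool is unknown.
    return candidate if candidate in POOLS else "drop_pool"


# Constructed sample queries: (client address, pool assigned to the WIP).
SAMPLE_QUERIES = [
    ("10.20.30.40", "ext_foo.example.com_pool"),
    ("172.31.0.9", "ext_bar.example.com_pool"),
    ("192.168.1.1", "ext_foo.example.com_pool"),
    ("172.32.0.1", "ext_foo.example.com_pool"),   # just outside 172.16/12
    ("203.0.113.7", "ext_bar.example.com_pool"),  # documentation range, external
]


def evaluate(queries=SAMPLE_QUERIES):
    """Apply both policies to each query; returns (client, internal-only, pool) tuples."""
    results = []
    for client, pool in queries:
        results.append((client, internal_only_policy(client),
                        multihomed_pool(client, pool)))
    return results


if __name__ == "__main__":
    for client, internal_only, chosen in evaluate():
        print(f"{client:>14}  internal-only WIP: {internal_only:<8}"
              f"  multi-homed WIP pool: {chosen}")
```

The `172.32.0.1` entry is there on purpose: it sits one address past the end of 172.16.0.0/12 and is treated as external, which is the boundary the `/12` comparison in the iRule has to get right.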
- Chad_83686 (Nimbostratus)
OTS02,
I like the simplicity of your iRule. I added this iRule to my internal WIPs, but for whatever reason I still get resolution for the internal WIPs (with your iRule applied) when queried from an external IP.
Any idea what I might be missing?
Thanks...
NOTE: the iRule I am using:
    when DNS_REQUEST {
        if { ([IP::addr [IP::client_addr]/8 equals 10.0.0.0]) } {
        } elseif { ([IP::addr [IP::client_addr]/12 equals 172.16.0.0]) } {
        } elseif { ([IP::addr [IP::client_addr]/16 equals 192.168.0.0]) } {
        } else {
            log "[IP::client_addr] attempting to query internal dns zone!!!!!"
            discard
        }
    }
- rob_carr (Cirrostratus)
You could use the GTM's ability to set up views:
http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14421.html?sr=32308789
- Chad_83686 (Nimbostratus)
Hello,
I don't think that the GTM Views setup is what I am really asking about. I have a bunch of WIPs that are INTERNAL WIPs ONLY, and another set which are EXTERNAL ONLY. When a client queries the GTM, I want the external user not to be able to get a response for WIPs that are meant to be internal. The article above describes how to respond to clients with either internal IPs or external IPs based on the location of the client.
I can configure multiple topology rules, basically one per internal POOL, and specify the source to be RFC 1918 only; that will work, but it means creating multiple topology entries, one per private subnet and pool... that is a lot of topology entries.
That is why I hoped the iRule, if I attach it to all internal WIPs, would simply block the DNS response if the client is on the external network.
Thanks...
- Chad_83686 (Nimbostratus)
Looks like the problem is with the script: it logs but doesn't discard...
I just removed the log entry and left discard at the end, and it worked:
    when DNS_REQUEST {
        if { ([IP::addr [IP::client_addr]/8 equals 10.0.0.0]) } {
        } elseif { ([IP::addr [IP::client_addr]/12 equals 172.16.0.0]) } {
        } elseif { ([IP::addr [IP::client_addr]/16 equals 192.168.0.0]) } {
        } else {
            discard
        }
    }
Thanks,
- John_Heyer_1508 (Cirrostratus)
I had the same requirement, and was able to accomplish this using views. I have a configuration sample in this thread:
gtm-query-regarding-internal-and-external-zone-views