BIG-IP DNS iRule issue with static variable
I am trying to develop an iRule bypassing DNS processing when a DNS request matching a wide IP comes via a specific listener on our BIG-IP DNS. Code is below:

    when RULE_INIT {
        set static::ul_ip "10.X.Y.Z"
        set static::ul_debug true
    }
    when DNS_REQUEST priority 100 {
        if { [IP::addr [IP::local_addr]/32 equals $static::ul_ip] } {
            DNS::disable all
            # apparently event disable is no longer accepted?
            # event disable
            # ul_debug holds a boolean, so test the variable directly; wrapping it
            # in brackets would try to run a command named "true"
            if { $static::ul_debug } {
                log local0. "DNS Request [DNS::question name] triggered bypass"
            }
        }
    }

This rule is meant to be applied to specific wide IPs (for reasons). When this rule is applied and tested, I am seeing the message below in /var/log/gtm:

    Apr 30 12:06:37 somebigipdns.nope.com err slot1 tmm[18454]: 011a7001:3: TCL error: Rule /Common/ul-bypass-rule <DNS_REQUEST> - can't read "static::ul_ip": no such variable while executing "IP::addr [IP::local_addr]/32 equals $static::ul_ip"

I'm completely unclear on why the TCL error is occurring. For bonus points, any idea why 'event disable' isn't working in the DNS_REQUEST event? This message shows up in /var/log/ltm unless 'event disable' is commented out:

    Apr 30 11:11:27 somebigipdns.nope.com err slot1 mcpd[6981]: 01070151:3: Rule [/Common/ul-bypass-rule] error: /Common/ul-bypass-rule:23: error: [undefined procedure: event][event disable]

Thanks in advance for any assistance provided.
- R

NIC on Server points Default Gateway to Big-IP's Self IP and does not see domain.
I have a load balancing situation that requires a strange setup for me. The Nodes that the VIP points to are Windows servers and they require a NIC that has the default gateway point back to the Self IP of the Big-IP. The issue is that Network Location Awareness is seeing the network as a public network instead of a domain network. I am unsure of how to set up the Big-IP to make the server see the domain. The link below is a PDF with the instructions for the setup.

Direct link to the PDF: https://www.kofaxdemocenter.com/IManager/Download/886/71293/17858/2017725/EN/17858_2017725_Jfij_03841bv1.TechTips_F5_DNAT_AutoStore_PCC5.1.pdf

The website where the PDF is located: High Availability using Network Load Balancers (kofaxdemocenter.com)

All servers and clients are internal and on the same domain. All other VIPs work correctly. The Self IP and the servers are on the same VLAN.

GTM as a Forwarder to multiple ADs
Hi

I have gone through the community articles and F5 docs as well before posting this question. There is some information related to this query but I am still confused as to how to simply achieve this use case.

I want to deploy my GTM as a forwarder for internal queries to my ADs. The ADs will still handle all the resolution and return the response to the client via the GTM. The GTM will check the health, load balance etc. for client requests to the AD and provide availability in case any primary AD fails.

So do I need to configure anything specific on the GTM apart from Self IPs, Listeners, Pools (AD members)? And is my understanding correct regarding the traffic path: User -> GTM -> AD and AD -> GTM -> User? The user will have the GTM Listener as the DNS server on the client machine.

I have 2 GTMs, one in Primary and the other in DR. Two AD servers in primary, one in DR.

prober pool Round Robin with multi health monitors and with multi prober pool members
I have a question about the GTM monitors and prober pools. In my case, I have three datacenters, three GTMs (one in each DC), and one prober pool; the prober pool includes all three GTMs, and the prober pool was set to use Round Robin. There are two VSs, vs1 and vs2, in different DCs, and each VS was configured with two health monitors (each monitor with a different probe interval, e.g. vs1's monitors have intervals of 5s and 7s, vs2's monitors have intervals of 9s and 11s). So, my question is: how does the prober pool Round Robin work? Looking forward to your help, thank you.

LTM with DNS - logging query answers DNS_RESPONSE clientside
Hi All

We have our DNS services behind LTM VIPs. We have the DNS license and are using DNS_QUERY and DNS_RESPONSE events for logging queries and answers. We are not using Express, BIG-IP BIND, nor GTM configurations - straight LB work.

Last week I was investigating some optimizations and wanted to add Answer header information, specifically the truncate flag. This will allow us to gather some stats on the amount of UDP to TCP based queries occurring. I added [DNS::header tc] to the log message on DNS_RESPONSE and proceeded to test from a client system using dig for a test SRV record that exceeded 512 bytes using UDP. dig did the expected things and sent a UDP query, got a response with truncate on, and re-queried with TCP. All good. However, when I looked at the logs, [DNS::header tc] was always returning 0.

From a network trace, I see client to VIP, SNAT to service, service to SNAT, VIP to client. The client side traffic is as expected - no EDNS0, buffer set to 512 bytes, etc. As well, the answer in UDP shows the truncate flag set to 1. Further examination showed that while the client had specified no EDNS0, buffer 512 bytes, etc., the SNAT to DNS service traffic showed EDNS0 on and a buffer of 4096 bytes. I asked our F5 account rep if he had any insights and he agreed that DNS_RESPONSE seems to be pulling from the server side. I tried using [clientside {DNS::header tc}] in the logging statement, but got the same results - truncate still shows 0.

Questions:
1. Is there a way to tell LTM to respect the client settings for the server side communications?
2. Can I get the client-side info in the DNS_RESPONSE event?

Thanks

Logs for local-db-publisher
We are running the DNS module on a dedicated box. We have the DNS log publisher set to the "local-db-publisher" - however, we are not certain where these logs are located. DNS log queries and log responses are both enabled. I have found some articles that mention that the logs can be found in /var/log/gtm and some that state they are found in /var/log/ltm, but the queries and responses are nowhere to be found. Suggestions?

Timing/CPU info for BigIP DNS WideIP iRules
I just realized yesterday (or put better, one of my students pointed it out to me...) that BigIP DNS doesn't seem to hold timing information on the execution of iRules. For LTM, this ("show ltm rule <irule name>") is a great way of seeing roughly how much CPU power is required per iRule, and if there's any optimization that can be done (https://clouddocs.f5.com/api/irules/timing.html). For BigIP DNS iRules though, and specifically the iRules under the Wide IP configuration, this doesn't seem to be recorded. "show gtm rule <irule name>" shows the number of executions, but not the timing info. I've tried to look up any information about this, or a clear statement that this does NOT happen, but no luck so far. So, does anyone know if this information is available and I'm just looking in the wrong place, or if there's any reason why this isn't recorded? And if not, is there another way in which this information can be obtained? Thanks!

Is nPath still practical?
Hi

We want to use F5 LTM to load balance local DNS servers. We have F5 LTM implemented as a one-arm topology but we need to preserve the source IP for DNS traffic, i.e. no SNAT. So I checked and found that there is DNS load balancing with nPath. But it's a bit of an old document and I don't have any experience with it. Is LTM using an nPath deployment to load balance Microsoft DNS servers practical?

Kridsana

Implementing F5 DNS and Creating Custom CNAME Redirects
We are currently implementing a solution in Azure and have encountered some DNS-related issues. I think it's a good idea to implement F5 DNS. However, I wonder if we can create an iRule to set up a CNAME for a specific domain. In other words, if a domain like "example.com" is received, the iRule would inspect this request and respond to the user with a CNAME from "example.com" to "example.2.com". I have created the following iRule:

    when DNS_REQUEST {
        set original_name [DNS::question name]
        if { [string tolower $original_name] ends_with "example.com" } {
            set modified_name [string map {"example.com" "example.2.com"} [string tolower $original_name]]
            # Do not rewrite the question name here: the question section of the
            # response must match the query or the resolver rejects the answer
            # (dig reports "Question section mismatch")
            set cname_record "${original_name} IN CNAME ${modified_name}."
            log local0. "$cname_record"
            set new_rr [DNS::rr $cname_record]
            log local0. "$new_rr"
            DNS::answer clear
            DNS::answer insert $new_rr
            DNS::header aa 1
            DNS::return
        }
    }

If I look at the logs it looks good:

    <DNS_REQUEST>:test.example.com. IN CNAMEtest.example.2.com.
    <DNS_REQUEST>: test.example.com. 3600 IN CNAME test.example.2.com

However, when I perform an nslookup, dig, or access the domain directly from the browser, it doesn't work.

nslookup:

    nslookup test.example.com
    Server: UnKnown
    Address: x.x.x.x
    Name: test.example.com

dig:

    dig @x.x.x.x test.example.com
    ;; Question section mismatch: got test.example.2.com/A/IN

Browser:

    DNS_PROBE_FINISHED_NXDOMAIN

Any idea if this is possible?
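Two of the posts above come down to DNS wire-format details: the DNS_RESPONSE logging post (the TC flag and the 512-byte versus 4096-byte EDNS0 buffer seen on the client and SNAT sides) and this CNAME post (dig's "Question section mismatch"). The following Python script is an added example written for this page; it is not code from any of the posts or from F5. It builds its own sample packets (the names, message IDs and sizes are constructed for the example) and shows how to read the TC bit, find the UDP payload size an EDNS0 OPT record advertises, and check that a response's question section matches the query the way a resolver does.

```python
"""Tiny DNS wire-format inspector (added example; all packets below are
constructed, not captured from the posts). Reads the TC flag, the EDNS0
advertised UDP payload size, and checks a response's question section."""
import struct

TYPE_CNAME, TYPE_SRV, TYPE_OPT, CLASS_IN = 5, 33, 41, 1   # RFC 1035 / RFC 6891 values
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100   # header flag bits


def _encode_name(name):
    """Encode a dotted name as DNS labels; "." (the root) is a single zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split(".")) + b"\x00"


def _read_name(buf, off):
    """Decode the name at buf[off], following compression pointers.
    Returns (dotted name with trailing ".", offset just past the name)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                    # two-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_message(msg_id, flags, qname, qtype=1, answers=(), additional=()):
    """Build a message with one IN question plus answer/additional records
    given as (name, type, class, ttl, rdata) tuples."""
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, len(additional))
    body = _encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for name, rtype, rclass, ttl, rdata in list(answers) + list(additional):
        body += _encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return hdr + body


def parse(buf):
    """Parse the header flags, the question section and all resource records."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = _read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = _read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        records.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "questions": questions, "records": records}


def edns_udp_size(buf):
    """UDP payload size advertised by an OPT record (carried in its class field),
    or the classic 512-byte limit when the message has no EDNS0 OPT record."""
    for _name, rtype, rclass, _ttl, _rdata in parse(buf)["records"]:
        if rtype == TYPE_OPT:
            return rclass
    return 512


def question_matches(query, response):
    """The sanity check a resolver (and dig) applies before trusting an answer."""
    q, r = parse(query), parse(response)
    return q["id"] == r["id"] and q["questions"] == r["questions"]


# --- constructed sample packets ---------------------------------------------
SRV_NAME = "_sip._tcp.example.com."
CLIENT_QUERY = build_message(0x1234, FLAG_RD, SRV_NAME, TYPE_SRV)        # no EDNS0: 512-byte limit
SNAT_QUERY = build_message(0x1234, FLAG_RD, SRV_NAME, TYPE_SRV,          # EDNS0 OPT advertising 4096
                           additional=[(".", TYPE_OPT, 4096, 0, b"")])
TRUNCATED_REPLY = build_message(0x1234, FLAG_QR | FLAG_TC, SRV_NAME, TYPE_SRV)   # TC=1, no answers

CNAME_QUERY = build_message(0x2222, FLAG_RD, "test.example.com.")
CNAME_RR = ("test.example.com.", TYPE_CNAME, CLASS_IN, 3600, _encode_name("test.example.2.com."))
# question rewritten to the CNAME target: a resolver rejects this reply
BAD_REPLY = build_message(0x2222, FLAG_QR | FLAG_AA, "test.example.2.com.", answers=[CNAME_RR])
# question left exactly as the client sent it
GOOD_REPLY = build_message(0x2222, FLAG_QR | FLAG_AA, "test.example.com.", answers=[CNAME_RR])

if __name__ == "__main__":
    print("client query EDNS size:", edns_udp_size(CLIENT_QUERY))
    print("SNAT-side query EDNS size:", edns_udp_size(SNAT_QUERY))
    print("reply truncated:", parse(TRUNCATED_REPLY)["tc"])
    print("rewritten-question reply accepted:", question_matches(CNAME_QUERY, BAD_REPLY))
    print("untouched-question reply accepted:", question_matches(CNAME_QUERY, GOOD_REPLY))
```

Running the script shows the two sides of the logging post side by side (512 for the client's query, 4096 once an OPT record is added, TC set only on the truncated reply) and why the rewritten question is refused while the untouched one is accepted; the same parser can be pointed at bytes captured on either side of a SNAT to confirm which copy of the message a log statement is reporting on.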