Pinhole/Pinpoint DNS
Description
- Different addresses in Dev or QA environments for hosts that are named the same as in functional or production
- Directing users requesting certain hostnames to alternate servers for access control
- Creation of a captive portal
- Directing connections to an alternate location for single-sign-on via passthrough
Please Note: This iRule requires both v11.x and a “DNS Features” license on your LTM. This is due to its use of the DNS profile and need for DNS-related iRule events. If you aren’t licensed properly, this rule may apply but will not function correctly.
Instructions
- Create a pool representing your existing DNS resolvers.
- Create two VIPs for servicing incoming DNS requests: one on 53/udp and
one on 53/tcp. Name them something that makes sense to you, and name
them identically, except that the name of the UDP VIP must be suffixed
with “_udp”. We do this so the host table we will build for this resolver
is the same for both VIPs. If your selected name is “ph-dns1”, then
you would create:
  - TCP: “ph-dns1”
  - UDP: “ph-dns1_udp”
- Make sure the VIPs both have a DNS profile - the default is fine.
- Associate the DNS resolver pool with both VIPs. Use of SNAT is fine if your routing topology needs it.
- Create a datagroup with the name of the TCP virtual server, suffixed
by the value set in the iRule for static::pinhole_datagroup. By
default, this would make the above names associate to a datagroup
named “ph-dns1-pinhole-entries”.
- The datagroup should be of type “String”, with the name of each record being the hostname to match and the value being the IP that will be swapped into the DNS response. Think of this datagroup as the “host file” for the VIPs.
- Apply the iRule below to both VIPs.
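Because the datagroup decides which address clients receive for a hostname, it is worth checking the names and records before applying the rule. The following preflight check is an added example, not part of the original page or the iRule. It assumes the datagroup name is derived by dropping “_udp” from the virtual server name and appending “-pinhole-entries” (inferred from the default name shown above); the function names and sample records are constructed for illustration.

```python
import ipaddress
import re

PINHOLE_SUFFIX = "-pinhole-entries"  # assumed default of static::pinhole_datagroup
UDP_SUFFIX = "_udp"                  # required suffix on the 53/udp VIP name
# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def datagroup_for(vip_name):
    """Datagroup name a VIP maps to (assumption: strip "_udp", append suffix)."""
    base = vip_name[:-len(UDP_SUFFIX)] if vip_name.endswith(UDP_SUFFIX) else vip_name
    return base + PINHOLE_SUFFIX

def check_vip_pair(tcp_vip, udp_vip):
    """Return problems with the TCP/UDP VIP naming; an empty list means OK."""
    problems = []
    if tcp_vip.endswith(UDP_SUFFIX):
        problems.append(f"TCP VIP {tcp_vip!r} must not end in {UDP_SUFFIX!r}")
    if udp_vip != tcp_vip + UDP_SUFFIX:
        problems.append(f"UDP VIP should be {tcp_vip + UDP_SUFFIX!r}, got {udp_vip!r}")
    return problems

def check_records(records):
    """Validate (hostname, ip) datagroup records; return a list of problems."""
    problems, seen = [], set()
    for name, value in records:
        host = name.rstrip(".").lower()  # DNS names are case-insensitive
        if host in seen:
            problems.append(f"{name!r}: duplicate hostname")
        seen.add(host)
        labels = host.split(".")
        if len(host) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
            problems.append(f"{name!r}: not a valid hostname")
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        except ValueError:
            problems.append(f"{name!r}: value {value!r} is not an IP address")
    return problems

# Constructed sample records, as (name, value) pairs of the String datagroup.
SAMPLE_RECORDS = [
    ("intranet.example.com", "10.20.0.15"),
    ("Intranet.example.com.", "10.20.0.16"),  # collides with the entry above
    ("sso.example.com", "10.20.0.300"),       # octet out of range
    ("portal example.com", "192.0.2.10"),     # space in hostname
]

if __name__ == "__main__":
    print(datagroup_for("ph-dns1_udp"))
    for problem in check_vip_pair("ph-dns1", "ph-dns1_udp") + check_records(SAMPLE_RECORDS):
        print("PROBLEM:", problem)
```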
Things to Know
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.