Controlling against the specific DNS query

escgate Member ✭✭
Hi All,

I have one private DNS server in the internal area and one ACOS device.
All traffic is destined to the ACOS device.

I am looking for how to control the DNS request queries to the public DNS on the internet.

Drop the query from internal to internet and then show the internal user the warning page, or redirect the query to the private DNS with CNAME so that the internal user is forced to use the private DNS.

Let me know your know-how.

Thanks,
Vinnie

Comments

  • tmitsuhata Member, Administrator, A10ers admin
    edited August 2015
    Hi Vinnie,

    Based on your statement, I assume that your ACOS device is in the path of all the outgoing traffic (at least for DNS queries). In this case, you might already have a wildcard VIP, correct? If this is the case, you can redirect all the DNS requests from internal to your private DNS by having tcp/udp port 53 associated with your private DNS as real-server/service-group. It will be the simplest way (without using aFleX).

    I'm not quite sure what exactly you want to achieve using CNAME based on the explanation above. If you would like to see some aFleX examples for the DNS_REQUEST event, please take a look at the following pages that you may be interested in.

    https://dev-a10wp.pantheonsite.io/index.php/forums/topic/block-dns-queries-with-class-list/#post-1327
    https://dev-a10wp.pantheonsite.io/index.php/forums/topic/drop-certain-dns-queries-any-and-rd/

    Hope this helps.
  • dshin Member
    edited August 2015
    Thanks Taka, I like your approach. Yes, you would need a wildcard VIP to solve this. Basically, intercept all DNS requests coming into the A10 and forward them to your private DNS server. I do not see that CNAME is necessary for this configuration.

    To configure the ACOS device, follow the configuration below.

    Enable promiscuous on the internal-facing VE.

    For example:

    interface ve 10
    ip allow-promiscuous-vip

    Create an ACL to match all UDP traffic to dest port 53:

    access-list 120 permit udp any any eq 53

    Define your private server as an slb server and then create a virtual server, binding that particular ACL. Add a source NAT and use that source NAT to talk to your private server:

    ip nat pool snat x.x.x.x x.x.x.x netmask /24

    slb server dns x.x.x.x
    port 53 udp

    slb service-group to-dns udp
    member dns:53

    slb virtual-server to-dns 0.0.0.0 acl 120
    port 53 udp
    service-group to-dns
    source-nat pool snat

    That should be it; all traffic to DNS server will be redirected to your private server.

    It works like this:

    Client --> DNS 8.8.8.8
    Will match ACL 120 and will use source NAT to your private server;

    A10 SNAT --> Your Private DNS server

    Then Your Private DNS server --> A10 SNAT
    And then
    8.8.8.8 (from A10) --> Client

    Depending on the number of clients, you might want to increase the number of IPs inside the IP NAT pool.

    Good Luck and hope this works for your application.

    Genard
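
Added example, not part of the thread and not A10 code: a client-side check that the redirect described above is actually in effect. It asks a public resolver (8.8.8.8, as in the flow above) for a canary name that is assumed to exist only in the private DNS zone (canary.corp.example is a hypothetical name), once over UDP and once over TCP, since ACL 120 above matches UDP only.

```python
import secrets, socket, struct

CANARY = "canary.corp.example"  # hypothetical: exists only in the private zone

def build_query(name, txid):
    """Encode a recursive A-record query for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify(reply, txid):
    """Judge from the reply header who answered the canary query."""
    if reply is None:
        return "no-reply"
    if len(reply) < 12:
        return "malformed"
    rid, flags, _, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != txid or not flags & 0x8000:  # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "redirected"      # only the private DNS can resolve the canary
    if rcode == 3:
        return "not-redirected"  # NXDOMAIN: a resolver without the canary answered
    return "inconclusive"

def probe(resolver, name=CANARY, tcp=False, timeout=3.0):
    """Send the canary query to resolver over UDP or TCP port 53."""
    txid = secrets.randbits(16)
    query = build_query(name, txid)
    try:
        if tcp:
            with socket.create_connection((resolver, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                reply = s.recv(4096)[2:]  # drop the 2-byte length prefix
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, 53))
                reply = s.recvfrom(4096)[0]
    except OSError:  # timeout, reset, unreachable
        reply = None
    return classify(reply, txid)

if __name__ == "__main__":
    for tcp in (False, True):
        print("tcp" if tcp else "udp", probe("8.8.8.8", tcp=tcp))
```

Run it from an internal client: "redirected" on a transport means the private server answered a query addressed to the public resolver, and any other result on TCP shows that transport is not covered by the redirect.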