DNS Support for the Rewrite Feature

July 8, 2020

Contributed by: S

You can configure the rewrite feature to modify DNS requests and responses, as you would for HTTP or TCP requests and responses. You can use rewrite to manage the flow of DNS requests, and make necessary modifications in the header, or in the answer section. For example, if the DNS response does not have the AA bit set in the header flag, you can use rewrite to set the AA bit in the DNS response and send it to the client.

DNS Expressions

In a rewrite configuration, you can use the following Citrix ADC expressions to refer to various portions of a DNS request or response:

See Expressions and Descriptions

DNS Bind Points

The following global bind points are available for policies that contain DNS expressions.

Bind Points	Description
DNS_REQ_OVERRIDE	Override request policy queue.
DNS_REQ_DEFAULT	Standard request policy queue.
DNS_RES_OVERRIDE	Override response policy queue.
DNS_RES_DEFAULT	Standard response policy queue.

In addition to the default bind points, you can create policy labels of type DNS_REQ or DNS_RES and bind DNS policies to them.

Rewrite Action Types for DNS

replace_dns_answer_section—This action replaces the DNS answers section with the defined expression in the DNS policy.
replace_dns_header_field—Checks the opcode type in the DNS request. Returns True or False, indicating whether the opcode type in the DNS request matches the specified opcode type. This action replaces the DNS header section with the defined expression in the DNS policy.

Configuring Rewrite Policies for DNS

The following procedure uses the Citrix ADC command line to configure a rewrite action and policy and bind the policy to a rewrite-specific global bind point.

Configure Rewrite action and policy, and bind the policy for DNS

At the command prompt, type the following commands:

add rewrite action <actName> <actType>

For <actname>, substitute a name for your new action. The name can be 1 to 127 characters in length, and can contain letters, numbers, hyphen (-), and underscore (_) symbols. For <actType>, specify the rewrite action types provided for DNS expressions.
add rewrite policy <polName> <rule> <actName>

For <polname>, substitute a name for your new policy. For <actname>, the name can be 1 to 127 characters in length, and can contain letters, numbers, hyphen (-), and underscore (_) symbols. For <actname>, substitute the name of the action that you just created.
bind rewrite global <polName> <priority> < gotoPriorityExpression> -type <bindPoint>

For <polName>, substitute the name of the policy that you just created. For <priority>, specify the priority of the policy. For <bindPoint>, substitute one of the rewrite -specific global bind points.

Example:

Set the AA bit of DNS request to load balance virtual server.

The following commands configure the Citrix ADC appliance to act as an authoritative DNS server for all the queries that it serves.

add rewrite action set_aa replace_dns_header_field dns.req.header.flags.set(aa)
add rewrite policy pol !dns.req.header.flags.is_set(aa)  set_aa
bind rewrite global  pol  100  -type dns_res_override

Modify the response answer and header section.

If the server responds with an NX domain, you can set the rewrite action to replace the response with specified IP address. A NOPOLICY-REWRITE enables you to invoke an enternal bank without processing an expression (a rule). This entry is a dummy policy that does not contain a rule but directs the entry to a policy label or virtual server specific policy banks.

add rewrite action set_aa_res replace_dns_header_field "dns.res.header.flags.set(aa)"
add rewrite action modify_nxdomain_res replace_dns_answer_section "dns.new_rrset_a(\"10.102.218.160\",300)"
add rewrite policy set_res_aa true set_aa_res
add add rewrite policy modify_answer "dns.RES.HEADER.RCODE.EQ(nxdomain) && dns.RES.QUESTION.TYPE.EQ(A)"
modify_nxdomain_res
add rewrite policylabel MODIFY_NODATA dns_res
bind rewrite policylabel MODIFY_NODATA modify_answer 10 END
bind rewrite policylabel MODIFY_NODATA set_res_aa 11 END
bind lb vserver v1 -policyName NOPOLICY-REWRITE -priority 11 -gotoPriorityExpression END -type
RESPONSE -invoke policylabel MODIFY_NODATA

Limitations:

Rewrite policies are evaluated only if the Citrix ADC appliance is configured as a DNS proxy server and there is a cache miss.
If the Recursion Available (RA) flag in the header is set to YES, the RA flag will not be modified in the rewrites.
If the RA flag in the header is set to YES, the CD flag in the header is modified regardless of any rewrite action.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

DNS Support for the Rewrite Feature

July 8, 2020

Contributed by: S

DNS Support for the Rewrite Feature

DNS Expressions

DNS Bind Points

Rewrite Action Types for DNS

Configuring Rewrite Policies for DNS

Configure Rewrite action and policy, and bind the policy for DNS

DNS Support for the Rewrite Feature

In this article