Product Documentation

DNS Support for the Rewrite Feature

Oct 28, 2015

You can configure the rewrite feature to modify DNS requests and responses, as you would for HTTP or TCP requests and responses. You can use rewrite to manage the flow of DNS requests, and make necessary modifications in the header, or in the answer section. For example, if the DNS response does not have the AA bit set in the header flag, you can use rewrite to set the AA bit in the DNS response and send it to the client.

DNS Expressions

In a rewrite configuration, you can use the following NetScaler expressions to refer to various portions of a DNS request or response:

| Expression | Description |
|---|---|
| DNS.REQ.HEADER.FLAGS.IS_SET(<FLAG>) | Returns True if the specified flag is set in the DNS request header. <FLAG> is one of QR, AA, TC, RD, RA, AD, CD. |
| DNS.REQ.HEADER.FLAGS.SET(<FLAG>) | Sets the specified flag in the DNS request header. Note: only the RD and CD flags can be set in a request. |
| DNS.REQ.HEADER.FLAGS.UNSET(<FLAG>) | Unsets the specified flag in the DNS request header. Note: only the RD and CD flags can be unset in a request. |
| DNS.REQ.HEADER.OPCODE.EQ(<opcode type>) | Returns True if the opcode in the DNS request matches the specified opcode type, otherwise False. |
| DNS.REQ.HEADER.OPCODE.NE(<opcode type>) | Returns True if the opcode in the DNS request does not match the specified opcode type, otherwise False. |
| DNS.REQ.HEADER.OPCODE.SET(<opcode type>) | Sets the specified opcode in the DNS request. |
| DNS.RES.HEADER.FLAGS.IS_SET(<FLAG>) | Returns True if the specified flag is set in the DNS response header. <FLAG> is one of QR, AA, TC, RD, RA, AD, CD. |
| DNS.RES.HEADER.FLAGS.SET(<FLAG>) | Sets the specified flag in the DNS response header. |
| DNS.RES.HEADER.FLAGS.UNSET(<FLAG>) | Unsets the specified flag in the DNS response header. |
| DNS.RES.HEADER.RCODE.SET(<rcode type>) | Sets the rcode in the DNS response header. |
| DNS.NEW_RRSET_A(<ip_add>, <ttl>) | Replaces the Answer section of the DNS response with a single A record carrying the specified IPv4 address and TTL. |
| DNS.NEW_RRSET_AAAA(<ipv6>, <ttl>) | Replaces the Answer section of the DNS response with a single AAAA record carrying the specified IPv6 address and TTL. |
| DNS.REQ.HEADER.FLAGS.GET_STRING_REPRESENTATION | Returns the DNS request header flags as a string, suitable for audit logging. |
| DNS.RES.HEADER.FLAGS.GET_STRING_REPRESENTATION | Returns the DNS response header flags as a string, suitable for audit logging. |

DNS Bind Points

The following global bind points are available for policies that contain DNS expressions.

| Bind point | Description |
|---|---|
| DNS_REQ_OVERRIDE | Override request policy queue. |
| DNS_REQ_DEFAULT | Standard request policy queue. |
| DNS_RES_OVERRIDE | Override response policy queue. |
| DNS_RES_DEFAULT | Standard response policy queue. |

In addition to the default bind points, you can create policy labels of type DNS_REQ or DNS_RES and bind DNS policies to them.

Rewrite Action Types for DNS

  • replace_dns_answer_section: Replaces the DNS Answer section with the result of the expression given in the rewrite action (for example, DNS.NEW_RRSET_A).
  • replace_dns_header_field: Replaces the specified DNS header field (a flag, the opcode, or the rcode) according to the expression given in the rewrite action.

Configuring Rewrite Policies for DNS

The following procedure uses the NetScaler command line to configure a rewrite action and policy and bind the policy to a rewrite-specific global bind point.

To configure Rewrite action and policy, and bind the policy for DNS

At the command prompt, type the following commands:

  1. add rewrite action <actName> <actType> <expression>

    For <actName>, substitute a name for your new action. The name can be 1 to 127 characters long and can contain letters, numbers, hyphens (-), and underscores (_). For <actType>, specify one of the rewrite action types provided for DNS (replace_dns_answer_section or replace_dns_header_field). For <expression>, specify the DNS expression the action applies, as in the examples below.

  2. add rewrite policy <polName> <rule> <actName>

    For <polName>, substitute a name for your new policy; the same naming rules as for actions apply. For <rule>, specify the DNS expression that selects the requests or responses to rewrite. For <actName>, substitute the name of the action that you just created.

  3. bind rewrite global <polName> <priority> <gotoPriorityExpression> -type <bindPoint>

    For <polName>, substitute the name of the policy that you just created. For <priority>, specify the priority of the policy. For <bindPoint>, substitute one of the DNS-specific global bind points listed above.

Example

Set the AA bit on DNS responses served by the appliance

The following commands configure the NetScaler appliance to mark every DNS response it serves as authoritative (AA set), so that it acts as an authoritative DNS server for all the queries that it serves. The policy rule fires only when AA is not already set.

```
add rewrite action set_aa replace_dns_header_field dns.req.header.flags.set(aa)
add rewrite policy pol !dns.req.header.flags.is_set(aa) set_aa
bind rewrite global pol 100 -type dns_res_override
```

Note that the expression table above lists only RD and CD as flags that can be set on the request side; the response-side form, dns.res.header.flags.set(aa), is used in the next example.


Modify the response answer and header section

If the server responds with NXDOMAIN, you can set a rewrite action to replace the response with a specified IP address. A NOPOLICY-REWRITE entry lets you invoke an external policy bank without evaluating an expression (a rule): it is a dummy policy that has no rule of its own and simply directs evaluation to a policy label or to a virtual server's policy bank. In the following commands, the MODIFY_NODATA label binds modify_answer (which replaces the answer of an NXDOMAIN response to an A query with 10.102.218.160, TTL 300) at priority 10 and set_res_aa (which sets AA) at priority 11, and the NOPOLICY-REWRITE binding on load balancing virtual server v1 invokes the label for responses.

```
add rewrite action set_aa_res replace_dns_header_field "dns.res.header.flags.set(aa)"
add rewrite action modify_nxdomain_res replace_dns_answer_section "dns.new_rrset_a(\"10.102.218.160\",300)"
add rewrite policy set_res_aa true set_aa_res
add rewrite policy modify_answer "dns.RES.HEADER.RCODE.EQ(nxdomain) && dns.RES.QUESTION.TYPE.EQ(A)" modify_nxdomain_res
add rewrite policylabel MODIFY_NODATA dns_res
bind rewrite policylabel MODIFY_NODATA modify_answer 10 END
bind rewrite policylabel MODIFY_NODATA set_res_aa 11 END
bind lb vserver v1 -policyName NOPOLICY-REWRITE -priority 11 -gotoPriorityExpression END -type RESPONSE -invoke policylabel MODIFY_NODATA
```

Limitations

  • Rewrite policies are evaluated only if the NetScaler appliance is configured as a DNS proxy server and the query is a cache miss; responses served from the DNS cache are not rewritten.
  • If the Recursion Available (RA) flag in the header is set to YES, the RA flag is not modified by rewrites.
  • If the RA flag in the header is set to YES, the CD flag in the header is modified regardless of any rewrite action.
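The following is an added example and not NetScaler code: a small pure-Python DNS message parser and rewriter that shows, at the wire level, what the header-flag expressions in the expression table (IS_SET, SET, RCODE, GET_STRING_REPRESENTATION), DNS.NEW_RRSET_A, and the MODIFY_NODATA example above do to a response. The sample NXDOMAIN response, the function names, and the choice to clear the rcode to NOERROR when synthesizing an answer (the page's commands do not show an RCODE.SET) are this example's own assumptions. It is useful for checking a packet capture taken on the client side of the appliance against one taken on the server side, and it makes the operational point concrete: setting AA asserts that the appliance is authoritative for the name, and synthesizing an address for a nonexistent name changes what every client behind the appliance resolves, so keep the rule as narrow as the page's example (rcode NXDOMAIN and question type A) and log the flags string when you turn such a policy on.

```python
import struct

# DNS header flag bits (RFC 1035 and RFC 4035 layout), in the order the page lists them.
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
             "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QTYPE_SOA, CLASS_IN = 1, 6, 1


def header_flags(msg: bytes) -> int:
    """The 16-bit flags word of a DNS message (bytes 2-3 of the header)."""
    return struct.unpack("!H", msg[2:4])[0]

def is_set(flags: int, name: str) -> bool:
    """Counterpart of DNS.RES.HEADER.FLAGS.IS_SET(<FLAG>)."""
    return bool(flags & FLAG_BITS[name])

def rcode(flags: int) -> int:
    """Low four bits of the flags word: the response code."""
    return flags & 0xF

def flags_string(flags: int) -> str:
    """Counterpart of ...FLAGS.GET_STRING_REPRESENTATION: names of the set flags, for logging."""
    return " ".join(n for n, bit in FLAG_BITS.items() if flags & bit) or "(none)"

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def question(msg: bytes):
    """(qtype, offset of the first Answer record) for a one-question message."""
    off = _skip_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qtype, off + 4

def rewrite_nxdomain_to_a(msg: bytes, ip: str, ttl: int) -> bytes:
    """Wire-level equivalent of the page's MODIFY_NODATA label: for an A query answered
    NXDOMAIN, replace the Answer section with one A RRset and set AA. Any other message
    is returned untouched, which is the policy rule doing its job."""
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not is_set(flags, "QR") or qd != 1:
        return msg
    qtype, ans_off = question(msg)
    if rcode(flags) != RCODE_NXDOMAIN or qtype != QTYPE_A:
        return msg
    # Assumption of this example (not shown in the page's commands): clear the rcode to
    # NOERROR so the synthesized answer is not paired with an NXDOMAIN status.
    new_flags = (flags & ~0xF) | RCODE_NOERROR
    new_flags |= FLAG_BITS["AA"]                     # dns.res.header.flags.set(aa)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    # Authority and Additional sections are dropped; their counts become zero.
    header = struct.pack("!HHHHHH", ident, new_flags, 1, 1, 0, 0)
    return header + msg[12:ans_off] + rr

def first_a_answer(msg: bytes):
    """(ip, ttl) of the first Answer record if it is an A record, else None."""
    an = struct.unpack("!H", msg[6:8])[0]
    if an == 0:
        return None
    _qtype, off = question(msg)
    off = _skip_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    if rtype != QTYPE_A:
        return None
    return ".".join(str(b) for b in msg[off + 10:off + 10 + rdlen]), ttl

def _name(dotted: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".")) + b"\x00"

def sample_response(rc: int = RCODE_NXDOMAIN) -> bytes:
    """Constructed sample: a resolver's reply to 'nope.example.com A' with the given rcode.
    QR/RD/RA set, empty Answer, one SOA in Authority (as a real NXDOMAIN reply carries)."""
    flags = FLAG_BITS["QR"] | FLAG_BITS["RD"] | FLAG_BITS["RA"] | rc
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 1, 0)
    q = _name("nope.example.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
    soa_rdata = (_name("ns1.example.com") + _name("hostmaster.example.com")
                 + struct.pack("!IIIII", 2015102801, 7200, 900, 1209600, 300))
    # 0xC011 points at "example.com" inside the question name (offset 12 + 5).
    soa = struct.pack("!HHHIH", 0xC011, QTYPE_SOA, CLASS_IN, 300, len(soa_rdata)) + soa_rdata
    return header + q + soa

if __name__ == "__main__":
    before = sample_response()
    after = rewrite_nxdomain_to_a(before, "10.102.218.160", 300)
    print("before:", flags_string(header_flags(before)), "rcode", rcode(header_flags(before)))
    print("after: ", flags_string(header_flags(after)), "answer", first_a_answer(after))
```

Run it and the server-side message (NXDOMAIN, flags QR RD RA, empty Answer) comes out as a client-side message with flags QR AA RD RA, rcode NOERROR, and a single A record 10.102.218.160 with TTL 300; a NOERROR reply to the same query passes through byte for byte, which is what you should see in a capture whenever the policy rule does not match.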