
Q&A: How do Clients resolve hostnames for an Application Proxy?

 

Question

How do Clients resolve hostnames for an Application Proxy / Web Application Object (WAO) fully-qualified domain name?

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Proxy / Proxies
  • Regional PoP

 

Answer

The response to a DNS request depends on the geographic location of the client that originated the query, or of the client's resolver.

So a user request for a URL (e.g. https://www.acme.com) would be sent to a Global Server Load Balancing (GSLB) DNS resolver or authoritative nameserver, which would check the client's source IP against a local "IP Intelligence" database.

The GSLB DNS resolver would then identify the region closest to that location, or the one that has the minimum response time, and adjust the DNS reply and the traffic flow between the client and the proxy origin accordingly.

  • Obtain assigned Application FQDN
    • <random-string-id>.<customer-id>.gslb.f5silverline.com 
      • e.g.
        • po9z3q.acmecorp.gslb.f5silverline.com
  • Familiarize yourself with the edns-client-subnet (ECS) EDNS0 option and the command-line utility dig.
    • dig @resolver {random string}.{client-id}.gslb.f5silverline.com +subnet={client-source-subnet or host}
      • example:
        • $ dig @107.162.139.175 p0kojm.acmecorp.gslb.f5silverline.com +subnet=13.236.142.199 +short

          13.211.8.24
        • then issue a traceroute or a tcptraceroute to the answer provided by the given authoritative nameserver or resolver.
          • # traceroute 13.211.8.24
            traceroute to 13.211.8.24 (13.211.8.24), 30 hops max, 80 byte packets
            1 107.162.5.1 (107.162.5.1) 3.902 ms 3.346 ms 3.431 ms
            2 172.16.100.1 (172.16.100.1) 3.271 ms 0.515 ms 0.434 ms
            3 ix-ae-11-0.tcore1.sqn-sanjose.as6453.net (63.243.205.53) 0.438 ms 0.421 ms 0.787 ms
            4 if-ae-18-3.tcore2.sv1-santaclara.as6453.net (63.243.205.131) 167.579 ms if-ae-18-4.tcore2.sv1-santaclara.as6453.net (63.243.205.13) 167.489 ms if-ae-18-3.tcore2.sv1-santaclara.as6453.net (63.243.205.131) 167.825 ms
            5 if-et-5-2.hcore1.kv8-chiba.as6453.net (209.58.86.143) 168.737 ms 169.245 ms 170.656 ms
            6 if-ae-21-2.tcore1.tv2-tokyo.as6453.net (120.29.217.66) 168.448 ms 168.017 ms 168.040 ms
            7 209.58.61.39 (209.58.61.39) 182.116 ms 182.110 ms 181.882 ms
            8 * * *
            9 * * *
            10 54.239.52.81 (54.239.52.81) 169.631 ms 54.239.52.105 (54.239.52.105) 175.636 ms 174.777 ms
            11 150.222.90.69 (150.222.90.69) 172.667 ms 52.95.30.16 (52.95.30.16) 168.583 ms 150.222.90.65 (150.222.90.65) 174.364 ms
            12 * * *
            13 * 54.239.43.116 (54.239.43.116) 230.807 ms *
            14 52.95.36.116 (52.95.36.116) 190.227 ms 188.856 ms *
            15 54.239.43.116 (54.239.43.116) 230.382 ms 150.222.112.171 (150.222.112.171) 173.734 ms 150.222.112.157 (150.222.112.157) 173.728 ms
            16 52.95.36.36 (52.95.36.36) 182.670 ms 52.95.36.132 (52.95.36.132) 176.094 ms 52.95.36.52 (52.95.36.52) 173.981 ms
            17 150.222.112.179 (150.222.112.179) 174.213 ms 52.95.36.143 (52.95.36.143) 232.188 ms 150.222.112.169 (150.222.112.169) 174.744 ms
            18 52.95.38.19 (52.95.38.19) 232.140 ms 150.222.112.128 (150.222.112.128) 231.646 ms 150.222.112.170 (150.222.112.170) 231.294 ms
            19 52.95.36.47 (52.95.36.47) 232.707 ms 52.95.36.143 (52.95.36.143) 240.615 ms *
            20 52.95.38.17 (52.95.38.17) 232.907 ms * 52.95.38.19 (52.95.38.19) 230.822 ms
  • Familiarize yourself with HTTP response headers. Silverline's Server header is replaced with a Via header that contains the proxy appliance and the specific region that is proxying the given Web Application Object (WAO).
    • Note: Due to security concerns, the devices' Server and Via headers are obfuscated.
    • Example:
      • Command:
        • curl -I -k -s -S -H "Host: <Proxied FQDN>" --resolve <host header>:443:<web application virtual-fqdn> --verbose scheme://<resolver answer>
      • * Address in 'looneytunes.acmecorp.com:443:p0kojm.acmecorp.gslb.f5silverline.com' found illegal!
        * Rebuilt URL to: http://13.211.8.248/
        * Trying 13.211.8.248...
        * Connected to 13.211.8.248 (13.211.8.248) port 80 (#0)
        > HEAD / HTTP/1.1
        > Host: looneytunes.fandom.com
        > User-Agent: curl/7.47.1
        > Accept: */*
        >
        * HTTP 1.0, assume close after body
        < HTTP/1.0 302 Moved Temporarily
        HTTP/1.0 302 Moved Temporarily
        < Location: https://looneytunes.fandom.com/
        Location: https://looneytunes.fandom.com/
        < Server: F5aaS
        Server: F5aaS
        * HTTP/1.0 connection set to keep alive!
        < Connection: Keep-Alive
        Connection: Keep-Alive
        < Content-Length: 0
        Content-Length: 0

        <
        * Connection #0 to host 13.211.8.248 left intact
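
What dig's +subnet option puts on the wire, as an added example that is not part of the original article: the Python below builds an A query carrying the edns-client-subnet option (RFC 7871) and then reads the subnet back the way a nameserver receiving the query would. The hostname and subnet are the ones from the dig example above; the query ID and the 1232-byte UDP payload size are arbitrary assumptions.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # edns-client-subnet (RFC 7871)
OPT_RR_TYPE = 41     # EDNS0 pseudo-record


def ecs_option(subnet: str) -> bytes:
    """Encode the ECS option; a bare host becomes /32 (or /128 for IPv6)."""
    net = ipaddress.ip_network(subnet, strict=False)  # host bits are zeroed
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]  # truncated
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr  # scope = 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(name: str, subnet: str, qid: int = 0x1234) -> bytes:
    """Build a DNS A query for `name` whose OPT record carries the ECS option."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = ecs_option(subnet)
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def client_subnet_seen(packet: bytes) -> str:
    """Return the subnet a nameserver would read from the query's ECS option."""
    pos = 12  # fixed DNS header
    while packet[pos]:  # skip QNAME labels
        pos += packet[pos] + 1
    pos += 1 + 4  # root label, QTYPE, QCLASS
    rtype, _size, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos + 1)
    if rtype != OPT_RR_TYPE:
        raise ValueError("query has no OPT record")
    pos += 11  # OPT owner name (1) + fixed RR fields (10)
    end = pos + rdlen
    while pos < end:
        code, length = struct.unpack_from("!HH", packet, pos)
        data = packet[pos + 4 : pos + 4 + length]
        pos += 4 + length
        if code == ECS_OPTION_CODE:
            family, prefix, _scope = struct.unpack_from("!HBB", data)
            addr = data[4:].ljust(4 if family == 1 else 16, b"\x00")
            return f"{ipaddress.ip_address(addr)}/{prefix}"
    raise ValueError("OPT record has no ECS option")
```

Passing a wider prefix such as 13.236.142.199/24 sends only the network part, which is how a recursive resolver would normally forward a client's subnet.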
