Reply with a valid A or AAAA record to every misspelled DNS request


last update: July 12th 2022

If someone mistypes a host name in your domain, the DNS server has no record for it and they will not get a valid response. This is a typical example:

[Figure: dig for a non-existing domain name]

You can clearly see that the response has the status NXDOMAIN: a non-existent domain.

This, however, is not always desired. Instead, you might want to return an IP address, so that the response looks like this:


This time, you see an answer section. The IP address is that of the main web server. That’s exactly what I wanted to get.

Of course, a Citrix ADC / NetScaler comes with a whole bag of tricks, and what it can do with DNS is just one of many. In this case, we use a rewrite policy. Let’s see how the trick works:


The Policy Action

We use the Citrix ADC / NetScaler rewrite feature and simply create a new answer section:


add rewrite action rw_act_send_all_to_www_wonderkitchen replace_dns_answer_section "DNS.NEW_RRSET_A(\"93.83.148.46\",3600)"

So it’s a rewrite action that replaces the DNS answer section. I wanted to respond with an IPv4 address, so it’s NEW_RRSET_A; if I wanted to reply with an IPv6 address, it would have been NEW_RRSET_AAAA. I have to supply the IP address, in my case 93.83.148.46, and a TTL, in my case 3600 seconds, that’s more or less an hour.


The Policy Expression

The Citrix ADC / NetScaler rewrite policy has to act whenever the response code is NXDOMAIN. If you host several domains on the same server, you will probably have to limit this to a certain domain; in my case, to domains containing the string wonderkitchen in their names (I have several wonderkitchen domains).

[Figure: Citrix ADC/NetScaler: rewrite a DNS response]

add rewrite policy rw_pol_send_all_to_www_wonderkitchen "DNS.RES.HEADER.RCODE.EQ(NXDOMAIN) && DNS.RES.QUESTION.DOMAIN.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"wonderkitchen\")" rw_act_send_all_to_www_wonderkitchen

So we check whether the DNS response status is NXDOMAIN and, in addition, whether the domain name in the question section contains wonderkitchen, ignoring case.


Binding the policy

This policy has to be bound to the load-balancing vServer. No tricks needed, so no screen shots here 🙂
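To check the result once the policy is bound, the following added example (not part of the original post) parses a raw DNS response and reports its RCODE together with the A records and TTLs in the answer section. The name wwww.wonderkitchen.example, the sample messages and the NOERROR RCODE of the rewritten sample are constructed assumptions; only the IP address and TTL come from the rewrite action above.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def question(name):
    """Encode one question entry: QNAME as length-prefixed labels, QTYPE=A, QCLASS=IN."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name; a 2-byte compression pointer ends it."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (rcode, [(ipv4, ttl), ...]) from the header and the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE and QCLASS follow the name
    a_records = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: 4-byte IPv4 address
            a_records.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), a_records

def query_a(server, name, timeout=3.0):
    """Send one A query over UDP to `server` (port 53) and return the parsed reply."""
    header = struct.pack("!6H", secrets.randbelow(0x10000), 0x0100, 1, 0, 0, 0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(header + question(name), (server, 53))
        reply = sock.recv(4096)
    if reply[:2] != header[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_response(reply)

# Constructed samples (not captured traffic); the name and AFTER's RCODE are assumptions.
Q = question("wwww.wonderkitchen.example")
BEFORE = struct.pack("!6H", 1, 0x8183, 1, 0, 0, 0) + Q
AFTER = (struct.pack("!6H", 1, 0x8180, 1, 1, 0, 0) + Q + b"\xc0\x0c"
         + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("93.83.148.46"))
```

Against your own appliance, call query_a with the address of the DNS vServer and a misspelled name, and compare the returned RCODE and records with what the rewrite action is supposed to produce.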


About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150,000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).
