Forum Discussion

vmoseley_96930's avatar
Icon for Nimbostratus rankNimbostratus
Jun 05, 2011

Access by reverse dns lookup




I'm currently using a very simple irule on a virtual server for controlling access via a network access APM access profile.






if {not [matchclass [IP::client_addr] equals Subs_IP_ADDR_List]}{


reject }







we have a new customer that needs to access but doesn't have static ip addresses - only dynamic dns domain names like




Which i've added to a data group list.




I've read the articles on RESOLV:lookup and NAME:lookup but could do with a few pointers on where to start.








3 Replies

  • Hi Vaughan,



    I used NAME::lookup in the example below as there was a bug with reverse lookups and RESOLV::lookup. Now that that bug has been fixed in 10.2.1HF1, you could change it to RESOLV::lookup.





    • Pete_A's avatar
      Icon for Nimbostratus rankNimbostratus

      I know this is over a decade too late - but I've recently had the issue of having a support company with a dynamic DNS record wanting to be able to access the login URL of our website.  We have a list of static IPs in IPS_OF_MANAGEMENT_HOSTS - but they wanted to add their DYNAMIC.DNS.NAME entry as well.

      It may not be pretty - but here's what I did, hopefully it'll help someone (note that I put the calculation as far into the process as possible to minimise the chance of it running):

      when HTTP_REQUEST {
      	switch -glob [string tolower [HTTP::host]] {  
              "" {
      		    switch -glob [string tolower [HTTP::uri]] {
      				"/logonpage*" {
      					if { [class match [IP::client_addr] equals IPS_OF_MANAGEMENT_HOSTS] } {
      						pool BACKEND_SERVERS
      					} else {
                              set IPlookup [RESOLVER::summarize [RESOLVER::name_lookup "/Common/rr" DYNAMIC.DNS.NAME a] ]
                              set match "0"
                              foreach result $IPlookup {
                                  if { [IP::client_addr] equals [lindex $result 4] } {
                                      set match "1"
                              if {$match == 1} {
                                  pool BACKEND_SERVERS
                              } else {
      						    HTTP::respond 403 content "Access denied"
      				default {
      					pool BACKEND_SERVERS

       Note that you will've had to define your resolvers in TMSH in order to refer to it here.  In theory it'll work where DNS returns multiple entries - although I haven't tested it.

  • Pete_A - What is a decade between friends eh? 🙂
    Love it.

    I don't understand the tech enough here but I'm betting that this should be:
    A) marked as the solution and
    B) submitted as a standalone Codeshare item. (we could link to it from this thread too)

    Tagging in JRahm to take a look & confirm.