Forum Discussion

vmoseley_96930
Jun 05, 2011

Access by reverse dns lookup

Hi,

I'm currently using a very simple iRule on a virtual server for controlling access via a network access APM access profile.

    when CLIENT_ACCEPTED {
        if { not [matchclass [IP::client_addr] equals Subs_IP_ADDR_List] } {
            reject
        }
    }

We have a new customer that needs access but doesn't have static IP addresses, only dynamic DNS domain names like

    company.dyndns.biz

which I've added to a data group list.

I've read the articles on RESOLV::lookup and NAME::lookup but could do with a few pointers on where to start.

Thanks,

Vaughan

  • Hi Vaughan,

    I used NAME::lookup in the example below as there was a bug with reverse lookups and RESOLV::lookup. Now that that bug has been fixed in 10.2.1HF1, you could change it to RESOLV::lookup.

    http://devcentral.f5.com/wiki/default.aspx/iRules/Block_requests_by_reverse_DNS_record.html

    Aaron
    • Pete_A

      I know this is over a decade too late - but I've recently had the issue of having a support company with a dynamic DNS record wanting to be able to access the login URL of our website.  We have a list of static IPs in IPS_OF_MANAGEMENT_HOSTS - but they wanted to add their DYNAMIC.DNS.NAME entry as well.

      It may not be pretty - but here's what I did, hopefully it'll help someone (note that I put the calculation as far into the process as possible to minimise the chance of it running):

      when HTTP_REQUEST {
          switch -glob [string tolower [HTTP::host]] {
              "example.com" {
                  switch -glob [string tolower [HTTP::uri]] {
                      "/logonpage*" {
                          if { [class match [IP::client_addr] equals IPS_OF_MANAGEMENT_HOSTS] } {
                              pool BACKEND_SERVERS
                          } else {
                              # Resolve the dynamic DNS name and compare the rdata field
                              # (index 4 of each summarized record) against the client address
                              set IPlookup [RESOLVER::summarize [RESOLVER::name_lookup "/Common/rr" DYNAMIC.DNS.NAME a]]
                              set match "0"
                              foreach result $IPlookup {
                                  if { [IP::client_addr] equals [lindex $result 4] } {
                                      set match "1"
                                  }
                              }
                              if { $match == 1 } {
                                  pool BACKEND_SERVERS
                              } else {
                                  HTTP::respond 403 content "Access denied"
                                  return
                              }
                          }
                      }
                      default {
                          pool BACKEND_SERVERS
                      }
                  }
              }
          }
      }

       Note that you will have had to define your resolver in TMSH in order to refer to it here.  In theory it'll work where DNS returns multiple entries - although I haven't tested it.
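An added example (not from this thread or from F5) that generalises Pete_A's approach to the original question: a connection is allowed if the client is in the static data group Subs_IP_ADDR_List or is a current A record of any name held in a string data group, assumed here to be called DYNDNS_HOSTNAMES, resolved through the /Common/rr resolver from Pete_A's rule. It assumes RESOLVER::summarize returns one {name ttl class type rdata} list per record (the layout Pete_A's lindex 4 relies on), that class get -name returns the data group's keys, and that the resolver commands are permitted in CLIENT_ACCEPTED.

```tcl
# Added example, not the thread's own code. Names assumed: the string data group
# DYNDNS_HOSTNAMES (e.g. holding company.dyndns.biz) and the resolver /Common/rr.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Fast path: the static allow-list from the question, no DNS traffic at all.
    if { [class match $client equals Subs_IP_ADDR_List] } {
        return
    }

    set allowed 0
    foreach hostname [class get -name DYNDNS_HOSTNAMES] {
        # Resolve the dynamic DNS name. A failed lookup counts as "no match"
        # (fail closed) rather than letting the connection through.
        if { [catch { RESOLVER::summarize [RESOLVER::name_lookup "/Common/rr" $hostname a] } records] } {
            log local0. "DNS lookup failed for $hostname: $records"
            continue
        }
        foreach rr $records {
            # The answer may also carry CNAME records; only compare A record data.
            if { [lindex $rr 3] ne "A" } { continue }
            if { [IP::addr $client equals [lindex $rr 4]] } {
                set allowed 1
                break
            }
        }
        if { $allowed } { break }
    }

    if { !$allowed } {
        log local0. "Rejected $client: not in Subs_IP_ADDR_List and no dynamic DNS match"
        reject
    }
}
```

Resolving the name forward and matching the answer against the client address is stronger than trusting the client's PTR record, which is set by whoever controls that address range. The lookup runs on every new connection that misses the static list, so keep the name list short or add caching with the table command if connection rates are high.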

  • Pete_A - What is a decade between friends eh? 🙂
    Love it.

    I don't understand the tech enough here but I'm betting that this should be:
    A) marked as the solution and
    B) submitted as a standalone Codeshare item. (we could link to it from this thread too)

    Tagging in JRahm to take a look & confirm.