Forum Discussion
awan_m I don't believe this is possible because the AFM would perform a DNS lookup for the literal DNS record of *.microsoft.com instead of what you most likely want which is any sub-domain of .microsoft.com. I don't know if I would allow that through either if you could because that is a significant amount of sources that could potentially be allowed through depending on DNS resolution. What is the purpose of the VIP that you need to allow any sub-domain of .microsoft.com through?
Thanks for the reply. It's a specific domain's IPs that need to be able to connect to a VIP that presents an API. The problem with an IP address list is that it will change all the time. I need to resolve the requestor's IP to a domain, and if it's *.XYZ.com then allow it to connect.
- Michael__ May 19, 2023, Nimbostratus
Hi,
You could try that with an iRule, something like this:
when CLIENT_ACCEPTED {
    set CLIENTIP [IP::client_addr]
    # Reverse lookup: client IP -> PTR name, via the 1.1.1.1 resolver
    set PTR [lindex [RESOLV::lookup @1.1.1.1 -ptr $CLIENTIP] 0]
    # Forward confirmation: the PTR name must resolve back to the client IP.
    # Keep every A record, not just the first, so multi-homed names still match.
    set PTRreverse ""
    if { $PTR ne "" } {
        set PTRreverse [RESOLV::lookup @1.1.1.1 -a $PTR]
    }
    if { ([lsearch -exact $PTRreverse $CLIENTIP] >= 0) && ([string tolower $PTR] ends_with ".microsoft.com") } {
        log local0. "OK - $CLIENTIP - $PTR - $PTRreverse -"
    } else {
        log local0. "FAIL - $CLIENTIP - $PTR - $PTRreverse -"
        reject
    }
}
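The iRule above is a forward-confirmed reverse DNS (FCrDNS) check: the owner of an IP block can put any name it likes in the PTR record, so the name only counts if the allowed domain's own zone resolves it back to the connecting IP. The following is an added example, not part of this thread and not F5 code; it implements the same decision in Python with a pluggable resolver so the edge cases (no PTR, a PTR that does not forward-confirm, a suffix look-alike such as evilexample.com, a name with several A records) can be exercised offline. The IPs, names and the lookup tables are constructed for the example, the allowed domain `example.com` stands in for the thread's `*.XYZ.com`, and `fcrdns_allowed`, `in_domain`, `fake_ptr` and `fake_a` are hypothetical names.

```python
"""Forward-confirmed reverse DNS allow-list check (added example).

Same logic as the iRule: client IP -> PTR name -> A records; allow only if
the A records contain the client IP AND the PTR name is under the allowed
domain.  Lookups are passed in as callables so the check can run against
constructed data here and against the real resolver in production.
"""
import socket
from typing import Callable, List, Tuple

PtrLookup = Callable[[str], List[str]]  # ip -> list of PTR names
ALookup = Callable[[str], List[str]]    # name -> list of A records


def in_domain(name: str, allowed_suffix: str) -> bool:
    """True if `name` is `allowed_suffix` or a subdomain of it.

    Normalises case and trailing dots and matches on a label boundary, so
    'evilexample.com' is NOT under 'example.com'.
    """
    name = name.rstrip(".").lower()
    suffix = allowed_suffix.strip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def fcrdns_allowed(client_ip: str, allowed_suffix: str,
                   ptr_lookup: PtrLookup, a_lookup: ALookup) -> Tuple[bool, str]:
    """Return (allowed, reason) for one connecting IP."""
    try:
        ptrs = ptr_lookup(client_ip)
    except OSError:          # NXDOMAIN / timeout from a real resolver
        ptrs = []
    if not ptrs:
        return False, "no PTR"
    for ptr in ptrs:
        if not in_domain(ptr, allowed_suffix):
            continue         # attacker-chosen PTR outside the domain
        try:
            addrs = a_lookup(ptr)
        except OSError:
            continue
        if client_ip in addrs:   # forward confirmation succeeded
            return True, f"{ptr} forward-confirms {client_ip}"
    return False, "PTR not in domain or not forward-confirmed"


# Real resolver adapters (used in production, not by the offline test).
def system_ptr(ip: str) -> List[str]:
    return [socket.gethostbyaddr(ip)[0]]


def system_a(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]


# Constructed lookup tables standing in for DNS (hypothetical data).
FAKE_PTR = {
    "203.0.113.10": ["api1.example.com."],       # honest host
    "203.0.113.11": ["api2.example.com."],       # PTR fine, forward record points elsewhere
    "203.0.113.12": ["host.evilexample.com."],   # suffix look-alike, attacker controls the PTR
    "203.0.113.13": ["lb.example.com."],         # name with two A records; ours is the second
    # 203.0.113.14 deliberately has no PTR
}
FAKE_A = {
    "api1.example.com.": ["203.0.113.10"],
    "api2.example.com.": ["198.51.100.5"],
    "host.evilexample.com.": ["203.0.113.12"],
    "lb.example.com.": ["203.0.113.20", "203.0.113.13"],
}


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12",
               "203.0.113.13", "203.0.113.14"):
        allowed, reason = fcrdns_allowed(ip, "example.com", fake_ptr, fake_a)
        print(f"{ip}: {'OK' if allowed else 'FAIL'} - {reason}")
```

Two points the table makes concrete: 203.0.113.12 is rejected even though its PTR "looks like" the domain, because the suffix test is anchored on a label boundary, and 203.0.113.13 is accepted only because every A record is compared, which is the same reason the iRule should search the whole answer rather than take its first element. Both lookups are synchronous, so in production this runs once per new connection and adds a resolver round-trip before the first byte is read.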