For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marco_Lei's avatar
Marco_Lei
Icon for Altostratus rankAltostratus
Dec 05, 2018
Solved

Create iRule condition with matching client IP from multiple IP subnet

I need to create an iRule to check if a DNS query domain name matches a preconfigured list of domain name, AND client IP matches one of following network:

172.18.9.0/24
172.25.10.0/24

The iRule that I thought to be usable is:

when DNS_REQUEST {
set filter_list {
"abctest.example.com" 

}
if  { [lsearch -exact $filter_list [DNS::question name]] ne -1 && {![IP::addr [IP::client_addr] equals 172.18.9.0/24] ||![IP::addr [IP::client_addr] equals 172.25.10.0/24]}} {
    DNS::header rcode NXDOMAIN
    DNS::return
}
}

However, this condition doesn't work. DNS query that is not in above network will still have timeout message, instead of directly receive NXDomain response. I would like to know what I done wrong in my iRule condition, and feasible solution to make this iRule work properly.

application delivery
BIG-IP DNS
iRules
  • Abdessamad1's avatar
    Abdessamad1
    Dec 05, 2018

    I would use data-groups for host and IP matching, it's more elegant. And try to add some logging to the irule to help you see what is going wrong.

     

1 Reply

  • Abdessamad1's avatar
    Abdessamad1
    Icon for Cirrostratus rankCirrostratus
    Dec 05, 2018

    I would use data-groups for host and IP matching, it's more elegant. And try to add some logging to the irule to help you see what is going wrong.