Forum Discussion

Mark_Fenkner_60
Oct 11, 2011

DNS Blacklisting on GTM

I'm trying to utilize the new iRules feature on the GTM to implement DNS blacklisting. I'd like to use a data group to contain all the blacklist domains, so as a very basic start for testing I tried to do something like the following:

    when DNS_REQUEST {
        # Look the queried name up in a data group of blacklisted domains
        if { [class match [DNS::rrname] equals dns_blacklist_datagroup] } {
            # Send blacklisted names to a sinkhole name instead of the real answer
            cname "bad.domain.com"
        }
    }

But the problem is that on the GTM side it doesn't recognize the class functions and on the LTM side it doesn't recognize the DNS functions. Does anyone know if this is possible, to use both the class functions and DNS functions in an iRule?

I plan to have the GTM in-line between the clients and DNS servers (i.e. it will load-balance DNS traffic to back-end DNS servers). With that said, I'm not sure where I apply the iRule if I'm successful in getting it to work; on the GTM side, the only place to apply it seems to be on a Wide IP, and on the LTM side the DNS functions don't work. Any idea where to place an iRule to operate on all DNS traffic?

Thanks!

Mark
1 Reply

    Hey Mark,

    This may be addressed in V11.1. I quickly tested a few examples on an 11.1 GTM.

    Hugh O. recently shared a DNS Blacklist solution he worked on which may be more than you need, but you can likely leverage some of it. It's a good read regardless :)

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086519/v111-DNS-Blackhole-with-iRules.aspx

    and

    http://devcentral.f5.com/wiki/iRules.DNS_Blackhole.ashx

    One thing with these links: it may have been done on an LTM/GTM, where the GUI exposes the LTM iRule and Virtual. On a GTM standalone I tested with, I used tmsh to add the ltm datagroup, iRule, and then associate the rule to the GTM Listener.

    The cname command seems to be valid only with a GTM listener, so on the LTM side I used DNS::answer. This was a quickie, so it may need more tweaking:

    when DNS_REQUEST {
        # dns_blacklist is an LTM string data group holding the blocked names
        if { [class match [DNS::question name] eq dns_blacklist] } {
            # Answer from here rather than forwarding the query to the back-end DNS servers
            DNS::return
            # Drop any existing answer records, then hand back a CNAME with a 30-second TTL
            DNS::answer clear
            DNS::answer insert "[DNS::question name] 30 IN CNAME www.google.com"
        }
    }

    - b
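As an added, stand-alone illustration (not F5 code and not from either poster), here is a small Python model of what the reply's iRule does on the wire: look the question name up in a blacklist, and if it matches, synthesize a CNAME answer with a 30-second TTL instead of forwarding the query. The blacklist entries, sinkhole name and query bytes are constructed here; the lookup also goes one step beyond the reply's exact-match `class match ... equals` by catching subdomains of a listed zone.

```python
import struct

# Constructed sample blacklist, standing in for the LTM data group in the thread
BLACKLIST = {"malware.example", "bad.domain.test"}
SINKHOLE = "sinkhole.example"  # assumed sinkhole target (the role www.google.com plays above)
TTL = 30

def parse_qname(pkt, off=12):
    """Return (qname, offset just past the question) for a message without name compression."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), off + 4  # skip QTYPE and QCLASS

def is_blacklisted(qname):
    """Exact match (what `class match ... equals` gives) plus parent-domain match,
    so www.malware.example is caught too, which an exact match alone would miss."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLACKLIST for i in range(len(parts)))

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(qname, qtype=1, txid=0x1234):
    """Constructed client query: standard header with RD set, one question."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)

def sinkhole_response(query):
    """Return the CNAME answer the reply's iRule would produce, or None to let the query through."""
    qname, qend = parse_qname(query)
    if not is_blacklisted(qname):
        return None
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD RA NOERROR, 1 question, 1 answer
    rdata = encode_name(SINKHOLE)
    # Answer RR: pointer to the question name, TYPE=CNAME(5), CLASS=IN(1), TTL, RDLENGTH, target
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, TTL, len(rdata)) + rdata
    return hdr + query[12:qend] + answer

def answered_cname(resp):
    """Pull the CNAME target back out of a response built above."""
    _, qend = parse_qname(resp)
    return parse_qname(resp, qend + 12)[0]  # 2-byte name pointer + 10 bytes of fixed RR fields
```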