Forum Discussion
mobile_support_
Jun 18, 2014Nimbostratus
DNS domain blocking using UDP payload
hi, , we are trying to filter some DNS quueries in our bigIP, but face some problems - running version is 10.1 - only LTM license that means we can not use DNS irules statements, so we though about u...
nitass
Jul 08, 2014Employee
are you using double back slashes in data group?
this is mine.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:53
ip-protocol udp
mask 255.255.255.255
pool foo
profiles {
udp_gtm_dns { }
}
rules {
qux
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 58
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
when CLIENT_ACCEPTED {
binary scan [UDP::payload] H4@12A*@12H* id dname question
set dname [string tolower [getfield $dname \x00 1]]
if {[class match -- $dname contains blackhole_domain]} {
log local0. "drop"
drop
return
}
log local0. "not drop"
}
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal blackhole_domain
ltm data-group internal blackhole_domain {
records {
\\x08doohotok\\x03com { }
}
type string
}
trace
[root@ve11a:Active:In Sync] tmp tcpdump -nni 0.0 -s0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:38:00.143874 IP 172.28.24.1.44967 > 172.28.24.10.53: 62524+ A? cmz.www.doohotok.com. (38) in slot1/tmm0 lis=
/var/log/ltm
[root@ve11a:Active:In Sync] tmp cat /var/log/ltm
Jul 8 07:38:00 ve11a info tmm[29362]: Rule /Common/qux : drop
- Mike_72892Jul 08, 2014NimbostratusYes, it looks the same in mine as well: `\\x08doohotok\\x03com { }` `ltm virtual bar { destination x.x.x.x:53 ip-protocol udp mask 255.255.255.255 pool DNS_pool profiles { /Common/udp_gtm_dns { } } rules { /Common/bad_dns_users } ... }`
- nitassJul 08, 2014Employeecan you add logging for client ip ([IP::client_addr]), client port ([UDP::client_port]) and dname ($dname) in the irule? so, we can map packet in tcpdump and log.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects