Forum Discussion
DNS domain blocking using UDP payload
Hi, we are trying to filter some DNS queries in our BIG-IP, but face some problems. The running version is 10.1, with only an LTM license, which means we cannot use the DNS iRule statements, so we thought about using the UDP payload features. For that reason we tried the following:

```tcl
when CLIENT_ACCEPTED {
    set payload [UDP::payload]
    if {[matchclass $payload contains "google"]} {
        reject
    }
}
```

This is working and is able to reject DNS queries to google, www.google.com, etc. But if we write `$payload contains "www.google.com"`, it is not working, neither for google nor for google.com. We tried to check the payload itself (logging it) and it shows something like `blablablawwwgooglecomblablabla`, without the dot between google and com. Any idea? We are interested in filtering www.google.com and not google or google.com (this is just an example; the URL is different in the live system). Thanks a lot in advance.
- nitass (Employee)
are you using double back slashes in data group?
this is mine.

config

```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:53
    ip-protocol udp
    mask 255.255.255.255
    pool foo
    profiles {
        udp_gtm_dns { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 58
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        binary scan [UDP::payload] H4@12A*@12H* id dname question
        set dname [string tolower [getfield $dname \x00 1]]
        if {[class match -- $dname contains blackhole_domain]} {
            log local0. "drop"
            drop
            return
        }
        log local0. "not drop"
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm data-group internal blackhole_domain
ltm data-group internal blackhole_domain {
    records {
        \\x08doohotok\\x03com { }
    }
    type string
}
```

trace

```
[root@ve11a:Active:In Sync] tmp # tcpdump -nni 0.0 -s0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:38:00.143874 IP 172.28.24.1.44967 > 172.28.24.10.53: 62524+ A? cmz.www.doohotok.com. (38) in slot1/tmm0 lis=
```

/var/log/ltm

```
[root@ve11a:Active:In Sync] tmp # cat /var/log/ltm
Jul  8 07:38:00 ve11a info tmm[29362]: Rule /Common/qux <CLIENT_ACCEPTED>: drop
```
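An added example in Python (not code from this thread or from F5) showing why the original poster's `www.google.com` match can never hit and what the `binary scan` approach in the reply above does: it builds a constructed query, pulls the QNAME from offset 12, lower-cases it, and does a `contains` match against wire-format records like the `\x08doohotok\x03com` data-group entry.

```python
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (6 x 16-bit)

def encode_qname(name: str) -> bytes:
    """Dotted name -> DNS wire labels: 'www.google.com' becomes
    b'\\x03www\\x06google\\x03com\\x00'. No '.' byte is ever on the wire, which is
    why the logged payload reads 'wwwgooglecom' and a 'www.google.com'
    substring match can never hit."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A/IN query, like the one in the trace."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def qname_from_payload(payload: bytes) -> bytes:
    """Wire-format QNAME starting at offset 12, up to the zero terminator, lower-cased.
    Same result as the reply's `binary scan [UDP::payload] @12A* dname` followed by
    `getfield $dname \\x00 1` and `string tolower`."""
    end = payload.index(b"\x00", DNS_HEADER_LEN)
    return payload[DNS_HEADER_LEN:end].lower()

def qname_to_text(qname: bytes) -> str:
    """Decode wire labels back to dotted form, e.g. for a log line."""
    labels, i = [], 0
    while i < len(qname):
        n = qname[i]
        labels.append(qname[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def matches_blackhole(payload: bytes, records) -> bool:
    """'contains' match of the encoded QNAME against encoded data-group records such
    as b'\\x08doohotok\\x03com' (the tmsh listing shows them with doubled backslashes).
    Comparing encoded bytes keeps label boundaries: cmz.www.doohotok.com matches,
    notdoohotok.com does not, because its first label is 11 bytes long, not 8."""
    qname = qname_from_payload(payload)
    return any(record in qname for record in records)
```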
- Mike_72892 (Nimbostratus)
Yes, it looks the same in mine as well:

```
\\x08doohotok\\x03com { }
```

```
ltm virtual bar {
    destination x.x.x.x:53
    ip-protocol udp
    mask 255.255.255.255
    pool DNS_pool
    profiles {
        /Common/udp_gtm_dns { }
    }
    rules {
        /Common/bad_dns_users
    }
    ...
}
```

- nitass (Employee)
Can you add logging for the client IP ([IP::client_addr]), client port ([UDP::client_port]) and dname ($dname) in the iRule, so we can map packets in the tcpdump to the log?
- Mike_72892 (Nimbostratus)
I just wanted to post an update. There was a configuration issue relating to having an SNAT with the same IP as the VS. If the query response took longer than the timeout, a SNAT session would be created in the PVA and further packets from the client never fired the iRule. Thanks for all of your help!
- The_Bhattman (Nimbostratus)
Thanks for the follow up.
-=Bhattman=-