Forum Discussion
DNS domain blocking using UDP payload
Hi, we are trying to filter some DNS queries in our BIG-IP, but face some problems:
- running version is 10.1
- only LTM license, which means we cannot use DNS iRules statements

So we thought about using UDP payload features. For that reason we tried the following:

    when CLIENT_ACCEPTED {
        set payload [UDP::payload]
        if {[matchclass $payload contains "google"]} {
            reject
        }
    }

This is working and it is able to reject DNS queries to google, www.google.com, etc. But if we write down

    $payload contains "www.google.com"]}

it is not working, neither for google nor for google.com. We tried to check the payload itself (logging it) and it shows something like blablablawwwgooglecomblablabla, without the dot between google and com. Any idea? We are interested in filtering www.google.com and not google or google.com (this is just an example, URL is different in the live system). Thanks a lot in advance.
24 Replies
- Mohamed_Lrhazi
Altocumulus
I don't know, but maybe some clues in this example: https://clouddocs.f5.com/api/irules/fast_DNS_2.html
- Matt_Breedlove_
Nimbostratus
Hi Mohamed,
Generally, "matchclass" is deprecated, I believe, for 10 and 11.x. It would be class match, but that is specific to datagroups. You are not using datagroups, correct?
So your statement "matchclass $payload contains "google"" wouldn't really make sense; that just looks like a standard string "if" statement with no datagroup.
Secondly, the CLIENT_ACCEPTED event is only the beginning of the layer 4 session. If you want to process the actual data of the layer 4 session, and since this is UDP versus TCP/HTTP, you would probably want to use the CLIENT_DATA event to try to process and string match the UDP payload data. There may be some portion of the data available to parse in CLIENT_ACCEPTED, but you should really process the data portion of the payload in the CLIENT_DATA event, unless someone knows better or there is an exception with UDP versus TCP/HTTP.
