Forum Discussion
dearsanky
Nimbostratus
Feb 28, 2016
DNS Recursion Desire restriction and Blacklist
Hi,
I am writing an iRule to insert an answer for blacklisted domains, restrict queries based on source (defined in a Datagroup), and answer all queries from everyone coming for an Authoritative Answer. Need help to g...
dearsanky
Nimbostratus
Mar 01, 2016
Hi Kai, PFB
when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]
    # Only queries with the Recursion Desired (RD) bit set are restricted
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] equals admin_datagroup] } {
            # Source address is not in the admin_datagroup data group: drop the query
            DNS::drop
        } elseif { [class match [string tolower $domain_name] equals Blacklist_Class] } {
            # Blacklisted name: flag it and return without forwarding the query;
            # the answer is built in DNS_RESPONSE
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}
when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                # Replace any answer with the blacklist address and set Recursion Available
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default { DNS::last_act reject }
        }
    }
}
Rommel_L_287678
Nimbostratus
Sep 16, 2016
Hi, as I review the script, where will we define the variable "admin_datagroup"?
Thanks
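The iRule above reads two LTM data groups through `class match`: `admin_datagroup` (client source addresses) and `Blacklist_Class` (domain names). The following is an added example, not part of any post in this thread, showing how the two could be defined in bigip.conf form; every address and domain in it is a constructed placeholder.

```conf
# Added example: constructed sample records, not taken from the thread.

# Sources allowed to send queries with the RD bit set.
# type ip lets "class match [IP::client_addr] equals admin_datagroup"
# match a client against network prefixes as well as single hosts.
ltm data-group internal admin_datagroup {
    records {
        192.0.2.0/24 { }
        198.51.100.10/32 { }
    }
    type ip
}

# Names answered with static::blacklist_reply_IPV4.
# Records are lowercase because the iRule lowercases the query name
# before the lookup. "equals" matches the whole name only, so a
# subdomain is not caught unless it has its own record.
ltm data-group internal Blacklist_Class {
    records {
        bad.example.com { }
        ads.example.net { }
    }
    type string
}
```

The same objects can be created in the GUI under Local Traffic > iRules > Data Group List, using type Address for `admin_datagroup` and type String for `Blacklist_Class`.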