Forum Discussion
DNS Recursion Desired Restriction and Blacklist
Hi, I am writing an iRule to insert an answer for blacklisted domains, restrict queries based on source (defined in a data group), and answer all queries from everyone coming for an authoritative answer. I need help getting this verified with regard to performance on the BIG-IP appliance. The iRule is as below. Can anyone offer suggestions on the iRule below?
when RULE_INIT {
    # IPv4 address returned for blacklist matches on A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # TTL used for all blacklist replies
    set static::blacklist_ttl "100"
}

when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    # lower-case the name once: data-group matching is case-sensitive
    set domain_name [string tolower [DNS::question name]]

    # Only queries with the RD (recursion desired) bit set are restricted;
    # non-recursive (authoritative) queries are forwarded for everyone.
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] equals admin_datagroup] } {
            # recursion is only allowed from sources listed in admin_datagroup
            DNS::drop
        } elseif { [class match $domain_name equals Blacklist_Class] } {
            set Blacklist_Match 1
            log local0. "blacklist match for $domain_name from [IP::client_addr]"
            # answer from the BIG-IP instead of forwarding; the reply is rewritten in DNS_RESPONSE
            DNS::return
        }
    }
}

when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}
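An added example, not code from the original post: a stand-alone Python model of the policy the iRule implements (RD check, source restriction, blacklist sinkhole for A queries, reject for other types) plus the wire-format A answer the sinkhole branch produces, so the decision table can be checked offline before loading the iRule. The admin sources and blacklist names are constructed placeholders standing in for the two data groups; the reply address and TTL are the values from the post.

```python
import struct
from ipaddress import IPv4Address

# Constructed stand-ins for the two data groups referenced by the iRule.
ADMIN_SOURCES = {"192.0.2.10", "192.0.2.11"}            # admin_datagroup
BLACKLIST = {"bad.example.com", "evil.example.net"}     # Blacklist_Class
BLACKLIST_REPLY_IPV4 = "10.10.10.10"                    # static::blacklist_reply_IPV4
BLACKLIST_TTL = 100                                     # static::blacklist_ttl


def decide(client_ip, qname, qtype, rd):
    """Action the iRule takes for one query: forward, drop, sinkhole or reject."""
    if not rd:
        return "forward"            # authoritative (RD=0) queries: answered for everyone
    if client_ip not in ADMIN_SOURCES:
        return "drop"               # recursion only for sources in admin_datagroup
    # data-group lookups are case-sensitive, so normalise the name first
    if qname.rstrip(".").lower() in BLACKLIST:
        return "sinkhole" if qtype == "A" else "reject"
    return "forward"


def encode_name(qname):
    """Wire-format domain name: length-prefixed labels plus a zero terminator."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def sinkhole_response(txid, qname):
    """Packet the sinkhole branch sends: RA set, one A record with the blacklist TTL/IP."""
    flags = 0x8180                  # QR=1, RD=1, RA=1 (DNS::header ra 1), RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = IPv4Address(BLACKLIST_REPLY_IPV4).packed
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, BLACKLIST_TTL, len(rdata)) + rdata
    return header + question + answer


def parse_answer(pkt):
    """Read (flags, ttl, ip) back out of a sinkhole_response() packet."""
    flags = struct.unpack("!H", pkt[2:4])[0]
    pos = 12
    while pkt[pos] != 0:            # skip the question name labels
        pos += pkt[pos] + 1
    pos += 1 + 4 + 2                # terminator, QTYPE/QCLASS, compression pointer
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    ip = str(IPv4Address(pkt[pos + 10:pos + 10 + rdlen]))
    return flags, ttl, ip
```

Note that `decide` lower-cases the name before the lookup; the posted iRule applies `string tolower` to the match result instead of the name, so a mixed-case query for a blacklisted domain would slip past it.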
12 Replies
- You'll find an optimized version of your iRule at the bottom of this post... ;-)