Forum Discussion
dearsanky
Nimbostratus
Feb 28, 2016DNS Recursion Desire restriction and Blacklist
Hi, I am writing an iRule to insert answer for blacklist domain, restrict query based on source (defined in Datagroup), Answer all query from everyone coming for Authoritative Answer. Need help to get this verify with the performance on the BIGIP appliance. iRule is as below: Can anyone suggest on below iRule:
when RULE_INIT {
Set IPV4 address that is returned for Blacklist matches for A records
set static::blacklist_reply_IPV4 "10.10.10.10"
Set TTL used for all Blacklist replies
set static::blacklist_ttl "100" } when DNS_REQUEST { set Blacklist_Match 0 set Blacklist_Type "" set domain_name [DNS::question name]
if {[DNS::header "rd"] == 1 } { if { not [class match [IP::client_addr] eq "admin_datagroup" ] } { DNS::drop } elseif { [string tolower [class match $domain_name eq Blacklist_Class]] } { set Blacklist_Match 1 log local0. "request allowed from $domain_name" DNS::return } } when DNS_RESPONSE { if { $Blacklist_Match } { switch [DNS::question type] { "A" { DNS::answer clear DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4" DNS::header ra "1" } default { DNS::last_act reject } }
} }
12 Replies
- You'll find a optimized version of your IRule at the bottom of this post... ;-)
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects