Forum Discussion
DNS Recursion Desire restriction and Blacklist
Hi, I am writing an iRule to insert an answer for blacklisted domains, restrict queries based on source (defined in a Datagroup), and answer all queries from everyone coming for an Authoritative Answer. Need help to get this verified with regard to performance on the BIG-IP appliance. The iRule is as below. Can anyone suggest on the below iRule:
when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            DNS::drop
        } elseif { [string tolower [class match $domain_name eq Blacklist_Class]] } {
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}
when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}
12 Replies
- Hi Dearsanky, can you please repost your iRule with proper formatting (mark the code blocks and then push TAB). I tried to format the iRule by myself, but somehow a curly brace is missing, making the iRule invalid. Cheers, Kai
- Teamsecurity_25
Nimbostratus
when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            DNS::drop
        } elseif { [string tolower [class match $domain_name eq Blacklist_Class]] } {
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}
when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}
- dearsanky
Nimbostratus
Hi Kai, PFB
when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            DNS::drop
        } elseif { [string tolower [class match $domain_name eq Blacklist_Class]] } {
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}
when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}
- Rommel_L_287678
Nimbostratus
Hi, on reviewing the script, where will we define the variable "admin_datagroup"?
Thanks
- dearsanky
Nimbostratus
Hi Kai, please let me know if you've any suggestion on this... thanks
- Will respond tomorrow. But right now it seems you can get rid of the DNS_RESPONSE event and some variables. In addition I've spotted a coding issue in your string tolower syntax. Question: I'm not familiar with the DNS::last_act command. What is the purpose of using this command for those blacklisted commands?
Hi,
the last posted iRule is somewhat invalid (a closing curly brace is missing and the LF formatting is screwed). I've reconstructed and optimized the logic as best as possible. But because of the missing curly brace, I'm not sure if the iRule still does what you need...

The iRule would block DNS requests from client IPs which are not defined in the admin_datagroup datagroup. If the client IP is in the admin_datagroup, the [string tolower [DNS::question name]] gets matched with the Blacklist_Class datagroup. If the [DNS::question name] is in the blacklist and [DNS::question type] = A, then respond with $static::blacklist_reply_IPV4. If not [DNS::question type] = A, then use DNS::last_act reject to determine the result of the DNS request...

when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    if { [DNS::header "rd"] == 1 } then {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } then {
            DNS::drop
        } elseif { [class match [string tolower [DNS::question name]] eq Blacklist_Class] } then {
            if { [DNS::question type] eq "A" } then {
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl IN A $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            } else {
                DNS::last_act reject
            }
            DNS::return
        }
    }
}

Note: I've integrated the DNS_RESPONSE event functionality into the DNS_REQUEST event, since it doesn't make much sense to resolve the query if the request parameters are already indicating an intercepted response.
Note: I didn't test the iRule at all. The optimizations are purely based on experience...
Cheers, Kai
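The request-time policy that the iRules in this thread implement, modelled in Python as an added example (not code from the thread or from F5) so the decision logic can be table-tested before it is loaded on the BIG-IP. The data group contents, client addresses, sinkhole IP and TTL are constructed sample values; the exact-match semantics of "class match ... eq" and the RD-flag check follow Kai's single-event version above.

```python
import ipaddress

# Constructed sample data standing in for the two BIG-IP data groups used in the
# thread (admin_datagroup and Blacklist_Class); the real ones live on the appliance.
ADMIN_DATAGROUP = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
BLACKLIST_CLASS = {"evil.example", "bad.example"}
BLACKLIST_REPLY_IPV4 = "10.10.10.10"  # static::blacklist_reply_IPV4 in the iRule
BLACKLIST_TTL = 100                   # static::blacklist_ttl in the iRule


def evaluate_query(client_addr, rd, qname, qtype):
    """Return (action, answer_rr) for one DNS question, following the
    single-event (DNS_REQUEST only) logic of Kai's version of the iRule."""
    # RD=0: the client wants an authoritative answer, which is served to anyone.
    if not rd:
        return ("forward", None)
    client = ipaddress.ip_address(client_addr)
    # Recursion is only offered to sources listed in admin_datagroup; others are dropped.
    if not any(client in net for net in ADMIN_DATAGROUP):
        return ("drop", None)
    # "class match ... eq Blacklist_Class" is an exact match, so normalise the name
    # itself (the first post lower-cased the match result instead of the name).
    name = qname.rstrip(".").lower()
    if name in BLACKLIST_CLASS:
        if qtype.upper() == "A":
            # Sinkhole: answer "<name>. <ttl> IN A <sinkhole ip>" with RA set.
            return ("answer", f"{name}. {BLACKLIST_TTL} IN A {BLACKLIST_REPLY_IPV4}")
        # Any other type for a blacklisted name hits DNS::last_act reject.
        return ("reject", None)
    # Subscriber asking for a name that is not blacklisted: resolve normally.
    return ("forward", None)


if __name__ == "__main__":
    # Constructed sample questions: (client, rd flag, qname, qtype)
    samples = [
        ("198.51.100.7", 0, "evil.example", "A"),     # external, authoritative
        ("198.51.100.7", 1, "www.example", "A"),      # external, wants recursion
        ("192.0.2.10", 1, "EVIL.example.", "A"),      # subscriber, blacklisted A
        ("192.0.2.10", 1, "evil.example", "AAAA"),    # subscriber, blacklisted AAAA
        ("2001:db8::1", 1, "www.example", "A"),       # subscriber, clean name
    ]
    for q in samples:
        print(q, "->", evaluate_query(*q))
```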
- dearsanky
Nimbostratus
DNS::last_act means "Sets the action to perform if no DNS service handles this packet" - this is what the documentation tells. Are you using such DNS services, or do you need to just DNS::drop those requests?
- Just checked the outcome of "DNS::last_act reject" in my demo environment and can confirm the functionality of the optimized iRule syntax. At first sight "DNS::last_act reject" has basically the same outcome as a "DNS::drop". And both commands will work without any issues using just the DNS_REQUEST event to make it more performant. In the meantime I've also found the origin of your iRule (https://devcentral.f5.com/s/articles/v111-dns-blackhole-with-irules). Well, I still don't know why the provided sample code uses the DNS_RESPONSE event, if the DNS request already holds every piece of information needed to simply intercept and respond to the DNS request on behalf of the DNS servers. Cheers, Kai
- dearsanky
Nimbostratus
Hi Kai, thanks for your input. I need DNS response to customize the DNS answer and redirect the request to some other server. But anyway, my iRule for DNS services is required as "DNS will work ANS & recursive for ISP's own subscribers; for external users only respond authoritative and redirect/drop the blacklist domain". I've written one rule but CPU goes high. Can you share some ideas on it? Thanks.