Forum Discussion
MH1_273408
Nimbostratus
Jun 22, 2016
DNS response validation?
Hey All,
I've got an environment with two sets of untrusted forests, one of which needs to be able to perform reverse DNS queries to both domains. The tricky part is, they share the same /24 network...
MH1_273408
Nimbostratus
Jun 26, 2016
I'm thinking an iRule is the right way to go here. I'll do something like throw both sets of authoritative servers for that reverse zone in a pool, then when DNS_Response, if DNS::ptype == "NXDOMAIN", try next member of pool. Then iterate each member of the pool, and if none of them return an answer, then return NXDOMAIN to the client. Is that something that is possible? Note that I'm using SNAT auto mapping, since the clients aren't routed through the F5. I'm new to iRules; should the rule begin with DNS_Request, then if DNS_Response and nested DNS::ptype? Not sure if the rules watch the whole session or not.
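The fallback logic described in the post above, modelled off-box in Python as an added example (not part of the original post, and not iRule code): try each authoritative server in turn and return NXDOMAIN only when no server has an answer. The function names, the `fake_server` stub, and the sample address and host name in the test are hypothetical and constructed for illustration.

```python
import struct

NOERROR, NXDOMAIN = 0, 3

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def ptr_query(ip, txid=0x1234):
    """Build a raw PTR query (RD set, one question) for an IPv4 address."""
    name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 12, 1)  # PTR, IN

def header_fields(response):
    """Return (rcode, answer count) from the 12-byte DNS header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return flags & 0x000F, ancount

def resolve_with_fallback(query, servers):
    """Try each server in order; the first real answer wins.

    NXDOMAIN is returned only if no server answered and at least one said
    NXDOMAIN. None means every server failed (caller should send SERVFAIL).
    """
    negative = None
    for send in servers:
        try:
            resp = send(query)
        except OSError:                      # timeout or unreachable member
            continue
        if len(resp) < 12 or resp[:2] != query[:2]:
            continue                         # truncated or mismatched ID
        code, ancount = header_fields(resp)
        if code == NOERROR and ancount > 0:
            return resp
        if code == NXDOMAIN:
            negative = resp
    return negative

def fake_server(flags, ptr_target=None):
    """Constructed stand-in for one forest's authoritative server."""
    def send(query):
        rr = b""
        if ptr_target:
            rdata = encode_name(ptr_target)
            rr = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 300, len(rdata)) + rdata
        return query[:2] + struct.pack("!HHHHH", flags, 1, 1 if rr else 0, 0, 0) + query[12:] + rr
    return send
```

A failed or timed-out member is kept distinct from an NXDOMAIN reply, so an outage in one forest is not reported to the client as "name does not exist".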