Forum Discussion
DNS Whitelist Responses
Does anyone know if an iRule already exists that accomplishes the following:
A DNS request comes in from a client. If the request matches an entry in a datagroup table, the request is allowed to process and is NOT modified. If the requested name does not exist in the datagroup table, the request is dropped.
The objective here is to not have to stand up a new DNS server and be able to give certain clients access to only the dynamic DNS entries they require to function (like, say, looking up the IP for that SCOM or SCCM server).
I've found one that I may be able to modify but just wasn't sure if anyone knew if something like that already existed.
(was thinking this one may be able to be modified to achieve this: https://devcentral.f5.com/wiki/iRules.Pinhole-Pinpoint-DNS.ashx)
- Vernon_97235 (Historic F5 Account):

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals "dg-allowed-clients"] } {
            reject
        }
    }

applied to any DNS listeners. It must be a rule created in the ltm space. This can be done even if LTM is not provisioned.
- JWhitesPro_1928 (Cirrostratus): Thank you. I think I made my question unclear. What I am really trying to do is look up the actual requested DNS record in the table; if it exists as a record I want to allow a response for, then we will allow the request to process; otherwise we just drop the request.
- VernonWells (Employee):
    when DNS_REQUEST {
        if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
            reject
        }
    }
- JWhitesPro_1928 (Cirrostratus): I came up with something similar while testing. The above that you posted would reject anything in the list, correct?

    when DNS_REQUEST {
        if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-requests"] } {
            pool dns_servers
            log local0. "DNS Request is: [DNS::question name]"
        } else {
            discard
            log local0. "No request match: [DNS::question name]"
        }
    }

Set your DNS profile to not use anything (GSLB etc.). Create the datagroup with only the string (no value required).
- Vijay_E (Cirrus): The iRule provided by Vernon rejects any DNS query matching an entry in the data-group "dg-allowed-dns-queries". Your iRule seems to send traffic to a pool if it matches the data-group "dg-allowed-dns-queries" and rejects the non-matching queries.
- JWhitesPro_1928CirrostratusYep. It's working great. Thanks everyone!
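Added illustration, not code from this thread or from F5: a stand-alone Python model of the allow-or-discard decision that the final iRule makes, so the behaviour can be checked offline without a BIG-IP. It parses the question name out of a wire-format DNS query (RFC 1035 section 4.1.2), lower-cases it the way `[string tolower [DNS::question name]]` does, and looks it up in a plain set that stands in for the "dg-allowed-dns-requests" data group. The allowed names and the sample queries are constructed placeholders; the `build_query` helper only exists to fabricate test packets.

```python
"""Model of a DNS query allowlist mirroring the DNS_REQUEST iRule in this thread.

Added example (not F5 code). The data-group entries below are constructed
placeholders standing in for the "dg-allowed-dns-requests" data group, which
holds names only (no values).
"""
import struct

# Constructed allowlist; entries are stored already normalised (lower-case, trailing dot).
ALLOWED_QNAMES = {
    "scom.corp.example.",   # hypothetical SCOM server record
    "sccm.corp.example.",   # hypothetical SCCM server record
}


def normalize_name(name: str) -> str:
    """Lower-case the name and force a trailing dot so 'SCOM.corp.example'
    and 'scom.corp.example.' compare equal, like [string tolower ...] plus
    FQDN canonicalisation."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a wire-format DNS query.

    Raises ValueError for a short header, an empty question section, a
    truncated name, or a compression pointer (which is not valid in a
    query's question section and is treated as malformed)."""
    if len(packet) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        # UnicodeDecodeError is a ValueError, so a non-ASCII label is also rejected.
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + "."


def decide(packet: bytes, allowed=ALLOWED_QNAMES) -> tuple[str, str]:
    """Return (action, log line). 'pool' forwards the query to the DNS pool,
    'discard' drops it silently, matching the iRule's two branches.
    Anything that cannot be parsed is discarded rather than forwarded."""
    try:
        qname = parse_qname(packet)
    except ValueError as exc:
        return "discard", f"Malformed query: {exc}"
    if normalize_name(qname) in allowed:      # exact match, as 'class match ... equals'
        return "pool", f"DNS Request is: {qname}"
    return "discard", f"No request match: {qname}"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Fabricate a minimal DNS query (constructed test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


if __name__ == "__main__":
    for sample in ("SCOM.corp.example", "evil.example", "host.scom.corp.example"):
        print(sample, "->", decide(build_query(sample)))
    print("garbage ->", decide(b"\x00" * 5))
```

Two points the model makes visible: the match is exact, so `host.scom.corp.example` is discarded even though its parent is allowed (in the iRule, `class match ... equals` behaves the same way; a suffix-style allowlist would need `ends_with` and entries written as suffixes), and a malformed query goes to the discard branch rather than being forwarded, which is the conservative default for a filter whose purpose is to expose as little of the resolver as possible.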