For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Jun 21, 2016
Solved

DNS Whitelist Responses

Does anyone know if an iRule already exists that accomplishes the following:   DNS Request comes in from client If the request matches an entry in a datagroup table the request is allowed to proce...
AFM
iRules
security
  • Vernon_97235's avatar
    Vernon_97235
    Jun 21, 2016
    when DNS_REQUEST {
    if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
        reject
    }
}
VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Jun 21, 2016
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals "dg-allowed-clients"] } {
        reject
    }
}

applied to any DNS listeners. It must be a rule created in the ltm space. This can be done even if LTM is not provisioned.

  • JWhitesPro_1928's avatar
    JWhitesPro_1928
    Icon for Cirrostratus rankCirrostratus
    Jun 21, 2016
    Thank you. I think I made my question unclear. What I am really trying to do is look up the actual requested DNS record in the table, if it exists as a record I want to allow a response for then we will allow the request to process, otherwise we just drop the request.