Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Jun 21, 2016

DNS Whitelist Responses

Does anyone know if an iRule already exists that accomplishes the following:   DNS Request comes in from client If the request matches an entry in a datagroup table the request is allowed to proce...
AFM
iRules
security
  • Vernon_97235's avatar
    Vernon_97235
    Jun 21, 2016
    when DNS_REQUEST {
    if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
        reject
    }
}
Vernon_97235's avatar
Vernon_97235
Historic F5 Account
Jun 21, 2016
when DNS_REQUEST {
    if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
        reject
    }
}
  • JWhitesPro_1928's avatar
    JWhitesPro_1928
    Icon for Cirrostratus rankCirrostratus
    Jun 21, 2016
    I came up with something similar while testing. The above that you posted would reject anything in the list correct? when DNS_REQUEST { if {[class match [string tolower [DNS::question name]] equals "dg-allowed-dns-requests"]} { pool dns_servers log local0. "DNS Request is: [DNS::question name]" }else { discard log local0. "No request match: [DNS::question name]" } } set your dns profile to not use anything (gslb etc) create the datagroup with only the string (no value required)
  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Jun 21, 2016
    The iRule provided by Vernon rejects DNS query matching any in the data-group "dg-allowed-dns-queries". Your iRule seems to send traffic to a pool if it matches the data-group "dg-allowed-dns-queries" and rejects the non-matching queries.
  • JWhitesPro_1928's avatar
    JWhitesPro_1928
    Icon for Cirrostratus rankCirrostratus
    Jun 22, 2016
    Yep. It's working great. Thanks everyone!