For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Jun 21, 2016
Solved

DNS Whitelist Responses

Does anyone know if an iRule already exists that accomplishes the following:   DNS Request comes in from client If the request matches an entry in a datagroup table the request is allowed to proce...
AFM
iRules
security
  • Vernon_97235's avatar
    Vernon_97235
    Jun 21, 2016
    when DNS_REQUEST {
    if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
        reject
    }
}
VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Jun 21, 2016
when DNS_REQUEST {
    if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
        reject
    }
}
JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Jun 21, 2016
I came up with something similar while testing. The above that you posted would reject anything in the list correct? when DNS_REQUEST { if {[class match [string tolower [DNS::question name]] equals "dg-allowed-dns-requests"]} { pool dns_servers log local0. "DNS Request is: [DNS::question name]" }else { discard log local0. "No request match: [DNS::question name]" } } set your dns profile to not use anything (gslb etc) create the datagroup with only the string (no value required)