Forum Discussion
f5 GTM as DNS Express and Caching server
Hello.
Our customer would like to use F5 GTM as a DNS Express server for their own zones. Because they are a small ISP, they would also like to implement F5 as a cache server doing recursive lookups. This means this would be an open resolver, which is not good. Is there a way (maybe with an iRule) to limit which source IP addresses can query the cache part of F5 GTM, so that we would be able to limit recursive queries to only their clients? I cannot find anything in the config; F5 is licensed GTM only.
9 Replies
- Eric_St__John
Employee
You could configure a separate listener for each of the services, and then use an iRule to limit access to the caching resolver. Eric
- gapexx_138014
Nimbostratus
But then I would probably have to use separate IP addresses for the listeners.
- Kevin_K_51432
Historic F5 Account
Hi Gapexx, I created a Listener and noticed GTM creates a port 53 virtual server. Looking at that virtual server more closely, I see an option for "Source". The help page mentions:
Specifies an IP address or network from which the virtual server will accept traffic. For this setting to work, you must specify a value other than 0.0.0.0/0 or ::/0 (that is, any/0, any6/0). In order to maximize utility of this setting, specify the most specific address prefixes covering all customer addresses and no others.
Is this something you can test?
Kevin
- gapexx_138014
Nimbostratus
I can try to test this in my lab, but this will also limit traffic to the DNS Express part, which has to be available to everyone, since F5 is authoritative for those zones.
- Techgeeeg
Nimbostratus
Gapexx, you are right... if you modify things at the VS level it will drop the traffic before it even reaches DNS Express... you have to play with an iRule to achieve what you are looking for...
- gapexx_138014
Nimbostratus
Thanks for your help everybody.
I think I found the solution in iRules:

    # Clients outside the data group still get DNS Express (authoritative)
    # answers; only the caching resolver is switched off for their queries.
    when DNS_REQUEST {
        if { not [class match [IP::client_addr] eq "costumer-range"] } {
            DNS::disable cache
        }
    }
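A fuller version of the same approach, added here as an example; it is not code from the thread or from F5. It assumes an address-type data group named customer-range (the thread's post spells it costumer-range; the name is arbitrary but must match the data group on the box), a DNS profile on the listener with both DNS Express and the DNS cache enabled, and a hypothetical static variable used as a logging toggle. The tmsh command in the comments is what I would use to create the data group; verify it against your TMOS version.

```tcl
# Added example (not from the original thread): keep DNS Express answers
# for the authoritative zones open to the world, but only let customer
# source addresses use the caching/recursive resolver.
#
# Assumed prerequisites:
#   - An address-type data group holding the customer prefixes, e.g.
#       tmsh create ltm data-group internal customer-range type ip \
#           records add { 192.0.2.0/24 { } 198.51.100.0/24 { } 2001:db8::/32 { } }
#     (customer-range, and the prefixes, are assumptions for this example.)
#   - The listener's DNS profile has DNS Express and the DNS cache enabled.

when RULE_INIT {
    # Assumed operator toggle: set to 1 to log queries that had caching
    # disabled. Leave at 0 in production unless you rate-limit the log.
    set static::dns_recursion_log 0
}

when DNS_REQUEST {
    # Customer source address: leave the cache (and so recursion) enabled.
    # For an address-type data group, "equals" is a longest-prefix match,
    # so both IPv4 and IPv6 customer ranges can live in the same group.
    if { [class match -- [IP::client_addr] equals customer-range] } {
        return
    }

    # Anyone else: switch off the caching resolver for this query only.
    # DNS Express is untouched, so queries for the authoritative zones are
    # still answered; a query for a foreign name gets no recursive answer.
    DNS::disable cache

    if { $static::dns_recursion_log } {
        log local0.info "cache disabled for [IP::client_addr]: qname=[DNS::question name] qtype=[DNS::question type]"
    }
}
```

Two things worth checking in a lab before relying on this. First, what the listener does with a non-customer query for a name it is not authoritative for once the cache is disabled is governed by the DNS profile (the unhandled-query action, e.g. drop or reject), so confirm that such queries are actually refused rather than falling through to BIND. Second, because the decision is per query, a customer prefix added to the data group takes effect immediately without reloading the iRule.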
- A__Stanley_1756
Nimbostratus
Have you tested this iRule? I would like to do the same thing. Right now my customer is using DNS Express and on-box BIND because the native BIND allows for 'allow-recursion' and 'acl'.
- gapexx_138014
Nimbostratus
Hi, yes, I have tested this iRule and it is also currently attached in a production environment.
- enordquist_1378
Nimbostratus
If you have AFM you can simply apply an ACL on the VIP itself. iRules can accomplish this as well, but such a large rule may affect performance.