Forum Discussion
How to block DNS requests according to one special domain list?
I am using LTM to load-balance cache DNS for one SP. Now the customer asks whether we can block DNS requests according to one special list. For example, they want to block:
block list {
    *.youtube.com      <----- one domain
    www.a.com          <----- one exact hostname
    *.tudou.com.cn
    *.cn               <----- one country
    ....
}
and this type of list may reach nearly 2000-3000 lines.
So, I have two questions:
1> Do we support a DNS request function in iRules on LTM now?
2> How can we improve the performance of the iRule if we need to use matchclass to compare more than 2000 lines?
3> Is there any good idea for comparing this type of mixed domain/hostname, and even multi-level domain, data group?
Thanks.
Raymond
- hooleylist (Cirrostratus):
Do you want to block DNS queries from clients through an LTM virtual server? Or is this for HTTP or HTTPS? If HTTP or HTTPS, are you looking for LTM to act as an HTTP proxy?
- Nat_Thirasuttakorn (Employee):
Hi Raymond, if it is for DNS queries from the client through LTM, I think you have at least 2 more options.

1) Use a DNS profile. I am not quite sure which version of BIG-IP the DNS profile comes with (and perhaps it needs a GTM license). Anyway, I guess the iRule would be something like the following (I never tested it this way so I don't know for sure):

    when DNS_REQUEST {
        switch -glob [DNS::rrname] {
            *.youtube.com -
            www.a.com -
            *.tudou.com.cn -
            *.cn {
                # not sure if UDP::drop works in DNS_REQUEST though...
                UDP::drop
            }
        }
    }

2) If a DNS profile is not an option, try the following UDP iRule to make it fast. You may hardcode the DNS domain name (in the way it is encoded in the DNS protocol: a length byte followed by the label, ...). You can also create a script to convert between the normal domain format and the DNS-encoded format (e.g. from www.a.com to \x03www\x01a\x03com):

    when CLIENT_DATA {
        # DNS header is 12 bytes: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each).
        # Take the ID, skip the other 10 header bytes and grab the rest (QNAME, QTYPE, QCLASS).
        # (The format string was lost from the post; it is reconstructed here from that layout.)
        binary scan [UDP::payload] Sx10a* id dname
        # QNAME is a run of length-prefixed labels terminated by a 0x00 byte: keep only that part
        set dname [string tolower [getfield $dname \x00 1]]
        # Patterns are quoted rather than braced so that \x07 etc. become the real label-length bytes
        switch -glob -- $dname \
            "*\x07youtube\x03com" - \
            "\x03www\x01a\x03com" - \
            "*\x05tudou\x03com\x02cn" - \
            "*\x02cn" {
                # *.youtube.com, www.a.com, *.tudou.com.cn, *.cn
                UDP::drop
            } \
            default {
                log local0. "does not match, pass it through"
            }
    }

Nat
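The matching step in the second option can be made independent of the list size: instead of a glob switch that scans every line, split the list into an exact-name set and a wildcard-suffix set, then look up the queried name and each of its parent suffixes, which costs one hash probe per label whether the list has 4 entries or 3000. The following is an added Python example, not code from the thread or from F5; the block list, the query packet and all function names are constructed for illustration. It parses the QNAME out of a raw DNS query payload the way the CLIENT_DATA iRule does, encodes a name into the \x03www\x01a\x03com wire form, and applies the mixed list from the question. The same two-set structure can be reproduced with data groups in an iRule.

```python
import struct

# Constructed block list of the three kinds the question describes:
# exact hosts, "*.domain" wildcards and a bare country-code wildcard.
BLOCK_LIST = ["*.youtube.com", "www.a.com", "*.tudou.com.cn", "*.cn"]


def compile_block_list(entries):
    """Split entries into an exact-name set and a wildcard-suffix set."""
    exact, suffixes = set(), set()
    for entry in entries:
        entry = entry.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("*."):
            suffixes.add(entry[2:])
        else:
            exact.add(entry)
    return exact, suffixes


def is_blocked(qname, exact, suffixes):
    """True if qname is an exact entry or lies under a wildcard suffix.
    Cost is one set lookup per label, independent of the list size."""
    name = qname.lower().rstrip(".")
    if name in exact:
        return True
    labels = name.split(".")
    # Glob semantics: "*.youtube.com" covers www.youtube.com but not the
    # apex youtube.com itself, so only proper parent suffixes are tested.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return True
    return False


def encode_qname(domain):
    """Wire-format QNAME: length-prefixed labels ending in a zero byte,
    e.g. www.a.com -> b'\\x03www\\x01a\\x03com\\x00'."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(domain, txid=0x1234, qtype=1):
    """Build a minimal DNS query datagram (constructed test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack("!HH", qtype, 1)


def parse_question_name(payload):
    """Return the QNAME of the first question in a raw DNS query payload."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:  # QR bit set: a response, not a query
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in QNAME")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def should_drop(payload, exact, suffixes):
    """Decision for one inbound datagram, as the CLIENT_DATA filter would make it."""
    try:
        qname = parse_question_name(payload)
    except ValueError:
        # Malformed query: fail open and let the resolver reject it.
        # A stricter deployment would drop here instead.
        return False
    return is_blocked(qname, exact, suffixes)


if __name__ == "__main__":
    exact, suffixes = compile_block_list(BLOCK_LIST)
    for host in ("www.youtube.com", "youtube.com", "news.sina.com.cn", "www.example.org"):
        print(host, "DROP" if should_drop(build_query(host), exact, suffixes) else "PASS")
```

Two caveats a practitioner should settle with the customer: the wildcard form does not cover the apex name (youtube.com itself passes unless it is also listed as an exact entry), and the choice to fail open on a malformed query is a policy decision, not a given.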
- hooleylist (Cirrostratus):
In v11 at least, I think you can create an LTM virtual server with a DNS profile and then use DNS::rrname.