Forum Discussion

Raymond_Feng_97's avatar
Historic F5 Account
Sep 08, 2011

How to block DNS request according to one special domain list ?


I am using LTM to LB cache DNS for one SP. By now , customer ask whether we can block the DNS request according to one special list? For example, they want to block :


block list {


* <----- one domain <--- one exactly hostname




*.cn <---- one country








and , this type list may reach nearly 2000-3000 lines


so, I have two questions :


1> do we support dns request function in iRule on LTM now?


2> how to improve performance of the irule , if we need use matchclass to compare 2000 more lines ?


3> is there any good idea to compare this type mixed domain/hostname and even multi-level domain datagroup ?










3 Replies

  • Do you want to block DNS queries from clients through an LTM virtual server? Or is this for HTTP or HTTPS? If HTTP or HTTPS, are you looking for LTM to act as an HTTP proxy?



    You can perform DNS resolution from an iRule using RESOLV::lookup




    You can add the patterns to a datagroup but then you'd need to loop through each element one by one to perform a string match of the pattern against the requested hostname. This will be more resource intensive than matchclass.



    You can use 'string match -nocase $pattern $string' to do this:



    % string match -nocase *





    % string match -nocase *.cn





    % string match -nocase *.cn





    Hi Raymond, if it is for DNS queries fro mclient through LTM, i think you have at least 2 more options 1) use DNS profile, I am not quite sure dns profile comes with what version of BIG-IP (and perhap with GTM license) 
    anyway, I guess the iRule would be something like.... (I never test it this way so I dont know for sure) when DNS_REQUEST {
        switch -glob [DNS::rrname] {
            * -
            * -
            *.cn {
                 not sure if UDP::drop work in DNS_REQUEST though... 
    }2) if DNS profile is not an option, try the following UDP iRule 
    to make it fast, you may hardcoded dns domain name (as in the way it is encoded in DNS protocol - len followed by name, ...) 
    you can also create script to convert between normal domain format to dns encoded 
    (e.g. from to \x03www\x01a\x03com) when CLIENT_DATA {
        binary scan [UDP::payload] * id dname question
        set dname [string tolower [getfield $dname \x00 1]]
        switch -glob $dname {
            *\x07youtube\x03com -
            \x03www\x01a\x03com - 
            *\x05tudou\x03com\x02cn -
            *\x02cn {
            default {
                log local0. "does not match, pass it through"

  • In v11 at least, I think you can create an LTM virtual server with a DNS profile and then use DNS::rrname.