Forum Discussion

Raymond_Feng_97's avatar
Raymond_Feng_97
Historic F5 Account
Sep 08, 2011

How to block DNS request according to one special domain list ?

Hi, I am using LTM to LB cache DNS for one SP. By now , customer ask whether we can block the DNS request according to one special list? For example, they want to block :   block list {  ...
application delivery
dev
devops
iRules
Nat_Thirasuttakorn's avatar
Nat_Thirasuttakorn
Icon for Employee rankEmployee
Sep 08, 2011


Hi Raymond, if it is for DNS queries fro mclient through LTM, i think you have at least 2 more options 1) use DNS profile, I am not quite sure dns profile comes with what version of BIG-IP (and perhap with GTM license) 
anyway, I guess the iRule would be something like.... (I never test it this way so I dont know for sure) when DNS_REQUEST {
    switch -glob [DNS::rrname] {
        *.youtube.com -
        www.a.com -
        *.tudou.com.cn -
        *.cn {
             not sure if UDP::drop work in DNS_REQUEST though... 
            UDP::drop
        }
    }
}2) if DNS profile is not an option, try the following UDP iRule 
to make it fast, you may hardcoded dns domain name (as in the way it is encoded in DNS protocol - len followed by name, ...) 
you can also create script to convert between normal domain format to dns encoded 
(e.g. from www.a.com to \x03www\x01a\x03com) when CLIENT_DATA {
    binary scan [UDP::payload] * id dname question
    set dname [string tolower [getfield $dname \x00 1]]
    switch -glob $dname {
        *\x07youtube\x03com -
        \x03www\x01a\x03com - 
        *\x05tudou\x03com\x02cn -
        *\x02cn {
             *.youtube.com
             www.a.com
             *.tudou.com.cn
             *.cn 
            UDP::drop
        }
        default {
            log local0. "does not match, pass it through"
        }
    }
}Nat