Forum Discussion
How to filter private IP space from DNS_RESPONSE
We would like to return a 'not found' answer if an "outsider" requests an A record with an IP from the private RFC 1918 networks. How would one accomplish that with an iRule? I saw some filtering examples available, but nothing that evaluates the content of the DNS::answer, and most examples use DNS::drop; I didn't find an equivalent DNS::not_found either.
Thank you,
Vadym
3 Replies
- Vadym_Chepkov
Nimbostratus
I started with this:
    when DNS_RESPONSE {
        if { not [class match [IP::client_addr] eq "local_net"] } {
            foreach entry [DNS::answer] {
                if { [DNS::type $entry] eq "A" } {
                    if { [class match [DNS::rdata $entry] eq "private_net"] } {
                        # need to return not found here
                    }
                }
            }
        }
    }
- cjunior
Nacreous
Hi, you can try to clear the answer and respond with an NXDOMAIN code, e.g.:
    when DNS_RESPONSE {
        if { not [class match [IP::client_addr] eq private_net] } {
            DNS::answer clear
            DNS::header rcode NXDOMAIN
        }
    }
- cjunior
Nacreous
OK, sorry.
That was just a quick example. The goal was the NXDOMAIN in the answer.
If you need to clear only internal addresses from an external response, maybe you can try something like this:
    when DNS_RESPONSE {
        if { not [class match [IP::client_addr] eq "local_net"] } {
            # remove internal IP from external answer
            foreach rr [DNS::answer] {
                if { [DNS::type $rr] eq "A" } {
                    if { [class match [DNS::rdata $rr] eq private_net] } {
                        DNS::answer remove $rr
                    }
                }
            }
            # if query type any, remove internal IP from additional external answer
            foreach rr [DNS::additional] {
                if { [DNS::type $rr] eq "A" } {
                    if { [class match [DNS::rdata $rr] eq private_net] } {
                        DNS::additional remove $rr
                    }
                }
            }
            # if response empty
            if { [DNS::answer] eq "" } {
                DNS::header rcode NXDOMAIN
            }
        }
    }
Respectfully.
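To check the logic of that last iRule offline, here is an added Python model of it (not an iRule and not code from the thread): the private_net and local_net data groups are replaced by `ipaddress` networks, the LOCAL_NET value is a constructed assumption, and both the answer and additional sections are filtered with the same empty-answer-becomes-NXDOMAIN rule the reply uses.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 space; the thread keys this off a data group named private_net.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed stand-in for the local_net data group (constructed value).
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")


@dataclass
class RR:
    name: str
    rtype: str   # "A", "CNAME", ...
    rdata: str


@dataclass
class DnsResponse:
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def is_private(rdata: str) -> bool:
    """True when an A record's rdata falls inside RFC 1918 space."""
    ip = ipaddress.ip_address(rdata)
    return any(ip in net for net in PRIVATE_NETS)


def strip_private_a(rrs: list) -> list:
    """Drop only A records with private rdata; CNAME and other types are kept."""
    return [rr for rr in rrs if not (rr.rtype == "A" and is_private(rr.rdata))]


def filter_response(client_addr: str, resp: DnsResponse) -> DnsResponse:
    """Model of the DNS_RESPONSE iRule: external clients never see RFC 1918 A records."""
    if ipaddress.ip_address(client_addr) in LOCAL_NET:
        return resp  # internal client: response passes through unchanged
    resp.answer = strip_private_a(resp.answer)
    resp.additional = strip_private_a(resp.additional)
    if not resp.answer:
        # As in the thread: an answer emptied by filtering is reported as NXDOMAIN.
        # If a CNAME survives, the rcode stays NOERROR with no A record behind it.
        resp.rcode = "NXDOMAIN"
    return resp
```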