Forum Discussion
Vadym_Chepkov
Nimbostratus
Jul 13, 2016
How to filter private IP space from DNS_RESPONSE
We would like to return a 'not found' answer if an "outsider" requests an A record with an IP from private RFC 1918 networks. How would one accomplish that with an iRule?
I saw some filtering examples available...
cjunior
Nacreous
Jul 13, 2016
OK, sorry.
That was just a quick example. The goal was the NXDOMAIN in the answer.
If you need to clear only internal addresses from an external response, maybe you can try something like this:
when DNS_RESPONSE {
    if { not [class match [IP::client_addr] equals local_net] } {
        # remove internal IP from external answer
        foreach rr [DNS::answer] {
            if { [DNS::type $rr] eq "A" } {
                if { [class match [DNS::rdata $rr] equals private_net] } {
                    DNS::answer remove $rr
                }
            }
        }
        # if query type any
        # remove internal IP from additional external answer
        foreach rr [DNS::additional] {
            if { [DNS::type $rr] eq "A" } {
                if { [class match [DNS::rdata $rr] equals private_net] } {
                    DNS::additional remove $rr
                }
            }
        }
        # if response empty
        if { [DNS::answer] eq "" } {
            DNS::header rcode NXDOMAIN
        }
    }
}
Respectfully.
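The iRule above looks up two data groups, `private_net` and `local_net`, that the post does not define. As an added example (not part of cjunior's post), these are address-type data groups in bigip.conf stanza form that would satisfy those lookups; `private_net` holds the RFC 1918 ranges named in the question, and the single `local_net` entry is a constructed placeholder for the site's own client networks.

```tmsh
# Added example, not from the original thread.
# private_net: the three RFC 1918 blocks that the iRule strips from
# A records returned to external clients.
ltm data-group internal private_net {
    records {
        10.0.0.0/8 { }
        172.16.0.0/12 { }
        192.168.0.0/16 { }
    }
    type ip
}

# local_net: source networks treated as "insiders", which receive the
# unfiltered response. The entry below is a constructed placeholder;
# replace it with the networks your internal resolvers and clients use.
ltm data-group internal local_net {
    records {
        10.0.0.0/8 { }
    }
    type ip
}
```

Both data groups must exist with `type ip` so that `class match` compares the client address and the A record rdata against the CIDR ranges rather than as strings.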