Forum Discussion
iRule DNS request
Hi all,
I'm writing an iRule for DNS requests from clients. This iRule will, based on the client's source IP and the URL, respond to the client with the correct IP.
Please help me.
Many thanks.
2 Replies
- Kevin_Stewart
Employee
Are you talking about using GTM iRules, or DNS services in LTM to filter DNS responses based on client IP and/or URL?
- hung_105573
Nimbostratus
Hi all,
This is an iRule based on the iRule of the poster with nickname routingloop. My F5 has three terminal lines from three different ISPs: FPT, VNPT, CMC. This iRule, based on the source IP of the client making the DNS request, responds with the correct IP of that line (e.g. a client whose address is on the FPT line will get the FPT public IP).
It is working, but we want to monitor the ISP lines; would you like to help me:
    if { [class match $fqdn equals site1_whitelist] } {
        # Client made a DNS request for a whitelisted site.
        set Whitelist_Match 1
        set FakeIPv4 [class match -value $fqdn equals site1_whitelist]
-----> we want to monitor the terminal lines on the F5: if a line is up then set FakeIPv4 = the IP of the line that is UP, else if the line is down then set the IP of the other line.
        DNS::return
    }
Below is the iRule:
when RULE_INIT {
    set static::whitelist_ttl "300"
}

when DNS_REQUEST {
    set fqdn [DNS::question name]
    # debugging statement to see all questions and request details
    log -noname local0. "Client: [IP::client_addr] Question:[DNS::question name] Type:[DNS::question type] Class:[DNS::question class] Origin:[DNS::origin]"

    # Whitelist_Match is used to track when a query matches the whitelist.
    # Ensure it is always set to 0 (false) at the beginning of the DNS request.
    set Whitelist_Match 0

    # does the client source address exist in the site address external data-group?
    if { [class match [IP::client_addr] equals fpt_address_datagroup] } {
        # does the FQDN exist in our whitelist string:value data-group for that site?
        if { [class match $fqdn equals site1_whitelist] } {
            # Client made a DNS request for a whitelisted site.
            set Whitelist_Match 1
            set FakeIPv4 [class match -value $fqdn equals site1_whitelist]
            DNS::return
        }
    } elseif { [class match [IP::client_addr] equals vnpt_address_datagroup] } {
        # does the FQDN exist in our whitelist string:value data-group for that site?
        # (the posted rule matched against site1_whitelist here but read the value from
        # site2_whitelist; the match and the -value lookup must use the same data-group,
        # otherwise FakeIPv4 can end up empty)
        if { [class match $fqdn equals site2_whitelist] } {
            # Client made a DNS request for a whitelisted site.
            set Whitelist_Match 1
            set FakeIPv4 [class match -value $fqdn equals site2_whitelist]
            DNS::return
        }
    } elseif { [class match [IP::client_addr] equals cmc_address_datagroup] } {
        # does the FQDN exist in our whitelist string:value data-group for that site?
        if { [class match $fqdn equals site3_whitelist] } {
            # Client made a DNS request for a whitelisted site.
            set Whitelist_Match 1
            set FakeIPv4 [class match -value $fqdn equals site3_whitelist]
            DNS::return
        }
    }
}

when DNS_RESPONSE {
    # debugging statement to see all questions and response details
    # ($fqdn is the variable set in DNS_REQUEST; the posted rule referenced an undefined $fqdn_name here)
    log -noname local0. "Request: $fqdn Answer: [DNS::answer] Origin:[DNS::origin] Status: [DNS::header rcode] Flags:RD [DNS::header rd] RA [DNS::header ra]"

    if { $Whitelist_Match } {
        # This DNS request was for a whitelisted FQDN. Take different actions based on the query type.
        switch [DNS::question type] {
            "A" {
                # Clear out any DNS answers and insert the custom response. RA header = recursion available.
                DNS::answer clear
                DNS::answer insert "$fqdn. $static::whitelist_ttl [DNS::question class] [DNS::question type] $FakeIPv4"
                DNS::header ra "1"
                # example log line: whitelist: <client_addr>:<client_port> requested foo.com query type: A class IN A-response: 10.1.1.60
                log -noname local0. "whitelist: [IP::client_addr]:[UDP::client_port] requested [DNS::question name] query type: [DNS::question type] class [DNS::question class] A-response: $FakeIPv4"
            }
            "AAAA" {
                # No IPv6 answer is synthesised for whitelisted names; reject the query.
                DNS::last_act reject
            }
            default {
                # For other record types, e.g. MX, NS, TXT, etc., reject the query instead of answering.
                DNS::last_act reject
                # example log line: rejected onwl1: <client_addr>:<client_port> requested foo.com query type: MX class IN non whitelisted DNSRR
                log -noname local0. "rejected onwl1: [IP::client_addr]:[UDP::client_port] requested $fqdn query type: [DNS::question type] class [DNS::question class] non whitelisted DNSRR"
            }
        }
    }
}
Please help me.
Many thanks.
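One way to do what the post asks for (answer with the public IP of the client's own ISP line while that line is up, and fall back to another line's IP when it is down), written as an added example. This is not routingloop's rule or code from the post: it assumes three hypothetical gateway pools, fpt_gw_pool, vnpt_gw_pool and cmc_gw_pool, each containing that ISP line's next-hop router as a single member with a health monitor such as gateway_icmp, and it reads the monitor result with active_members. The data-group names (fpt_address_datagroup, vnpt_address_datagroup, cmc_address_datagroup, site1_whitelist, site2_whitelist, site3_whitelist) are the ones from the post. Only whitelisted names for clients in a known ISP range are rewritten; every other query still goes to the resolver pool unchanged.

```tcl
when RULE_INIT {
    set static::whitelist_ttl "300"
}

when DNS_REQUEST {
    set fqdn [DNS::question name]
    set Whitelist_Match 0
    set FakeIPv4 ""
    set Chosen_Line ""

    # Which ISP line is the client on? (address data-groups named in the post)
    if { [class match [IP::client_addr] equals fpt_address_datagroup] } {
        set home_line "fpt"
    } elseif { [class match [IP::client_addr] equals vnpt_address_datagroup] } {
        set home_line "vnpt"
    } elseif { [class match [IP::client_addr] equals cmc_address_datagroup] } {
        set home_line "cmc"
    } else {
        # Client is not in any ISP range: leave the query for the resolver pool untouched.
        return
    }

    # Preference order: the client's own line first, then the other lines as fallback.
    set candidates [list $home_line]
    foreach line [list "fpt" "vnpt" "cmc"] {
        if { $line ne $home_line } { lappend candidates $line }
    }

    foreach line $candidates {
        # Hypothetical pool names (assumption): one pool per ISP line whose single member
        # is that line's next-hop gateway with a gateway_icmp (or similar) monitor.
        # The whitelist data-group per line is the one the post uses for that ISP.
        switch $line {
            "fpt"  { set gw_pool "fpt_gw_pool";  set wl "site1_whitelist" }
            "vnpt" { set gw_pool "vnpt_gw_pool"; set wl "site2_whitelist" }
            "cmc"  { set gw_pool "cmc_gw_pool";  set wl "site3_whitelist" }
        }
        # A line counts as UP only while its gateway pool has an available member.
        if { [active_members $gw_pool] > 0 && [class match $fqdn equals $wl] } {
            set Whitelist_Match 1
            set FakeIPv4 [class match -value $fqdn equals $wl]
            set Chosen_Line $line
            break
        }
    }

    if { $Whitelist_Match } {
        if { $Chosen_Line ne $home_line } {
            log -noname local0. "failover: $home_line line down, answering $fqdn for [IP::client_addr] with $Chosen_Line address $FakeIPv4"
        }
        # Skip the resolver pool; DNS_RESPONSE fires next and builds the answer.
        DNS::return
    }
    # Otherwise (name not whitelisted, or every line down) the query goes to the resolver pool.
}

when DNS_RESPONSE {
    if { ! $Whitelist_Match } { return }
    if { [DNS::question type] eq "A" } {
        DNS::answer clear
        DNS::answer insert "$fqdn. $static::whitelist_ttl [DNS::question class] A $FakeIPv4"
        DNS::header ra "1"
    } else {
        # No synthetic answer for AAAA or other record types of whitelisted names.
        DNS::last_act reject
    }
}
```

Two points to check before relying on this: the line state is only as good as the monitor behind active_members, so a gateway_icmp monitor that pings the ISP's first-hop router will still report UP when that router answers but the ISP's upstream is broken; if the ISPs allow it, monitor a host that is only reachable through that line. And clients cache the answer for static::whitelist_ttl (300 seconds here), so after a line goes down they may keep using the old address for up to five minutes; lower the TTL on the whitelisted names if faster failover is needed.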