Forum Discussion
Irule for reverse DNS lookup
Hello,
Currently we have applied an iRule for DNS lookup, allowing only DNS entries that end with a particular FQDN,
e.g.
when DNS_REQUEST {
    set fqdn [DNS::question name]
    # drop any query whose name does not end with the allowed zone
    if { !($fqdn ends_with "xxx.org.in")} {
        log local0. "----[DNS::question name] Dropped-----"
        drop
    }
}
Now the issue we are facing is that when we try to resolve the IP address for any particular URL that ends with this mentioned FQDN, we are able to resolve the A record, i.e. the IP address.
But when we try to resolve hostname.fqdn for a particular IP address we are not able to resolve it. We need to make changes in this iRule for reverse DNS lookup. Kindly help me to modify it.
Regards
- Ilian_Ivanov
Nimbostratus
My best guess is:
when DNS_REQUEST {
    set fqdn [DNS::question name]
    if { !($fqdn ends_with "xxx.org.in")} {
        log local0. "----[DNS::question name] Dropped-----"
        drop
    }
}
when DNS_RESPONSE {
    # same suffix check applied to the name returned in the answer
    set answer [DNS::rrname]
    if { !($answer ends_with "xxx.org.in")} {
        log local0. "----[DNS::rrname] Dropped-----"
        drop
    }
}
You can also try with [DNS::answer] instead of [DNS::rrname].
- dragonflymr
Cirrostratus
Hi,
Not sure if I understand correctly: do you need to resolve IP to FQDN instead of FQDN to IP?
If so, you need to check the DNS query type, like [DNS::question type] equals "PTR", and then execute the necessary code. I guess you will then need to check the DNS_RESPONSE event to see if the response from the DNS server contains a domain ending with the given domain.
Something like that:
when DNS_RESPONSE {
    if { [DNS::question type] eq "PTR" } {
        set rrs [DNS::answer]
        foreach rr $rrs {
            # negated so that, like the DNS_REQUEST rule, PTR targets outside the zone are blocked
            if { !([DNS::rdata $rr] ends_with "your.domain") } {
                log local0. "----[DNS::rdata $rr] Dropped-----"
                # drop (seems not to be working for response drop)
                DNS::answer clear
                DNS::answer insert "@ 5 [DNS::question class] TXT Blocked"
                return
            }
        }
    }
}
Piotr
- dragonflymr
Cirrostratus
Hi,
If you know the subnet used by PTR requests in advance, just use it in the DNS_REQUEST event in a similar way as for domain names.
Just test the request type before doing the comparison: if type A, use the current code; if type PTR, use code comparing the IP in the request to your IP range.
Piotr
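The decision logic Piotr describes in his two replies (judge A queries by name suffix, judge PTR queries by the address encoded in the in-addr.arpa name, and check PTR answers on the response side), written out as a standalone Python model so it can be run and tested off-box. This is an added example, not an iRule and not code from the thread; the allowed zone xxx.org.in is taken from the question, while the allowed PTR range 192.0.2.0/24 and the function names are assumptions. It also applies a label-boundary check, which the thread's plain `ends_with` does not: `ends_with "xxx.org.in"` would also accept a name such as evilxxx.org.in.

```python
import ipaddress
from typing import List, Optional

# Policy values: the zone comes from the thread; the PTR range is an assumed documentation prefix.
ALLOWED_SUFFIX = "xxx.org.in"
ALLOWED_PTR_NET = ipaddress.ip_network("192.0.2.0/24")


def ptr_name_to_ip(qname: str) -> Optional[ipaddress.IPv4Address]:
    """Turn a PTR question name such as '10.2.0.192.in-addr.arpa' back into 192.0.2.10.

    Returns None when the name is not a well-formed IPv4 reverse name, so a
    malformed PTR query is rejected rather than matched by accident.
    """
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None


def name_in_zone(name: str) -> bool:
    """Label-aware suffix check: 'host.xxx.org.in' and 'xxx.org.in' match, 'evilxxx.org.in' does not."""
    name = name.rstrip(".").lower()
    return name == ALLOWED_SUFFIX or name.endswith("." + ALLOWED_SUFFIX)


def allow_request(qtype: str, qname: str) -> bool:
    """Mirror of the DNS_REQUEST decision.

    A/AAAA (and any other forward) queries are judged by the name suffix;
    PTR queries are judged by the address their in-addr.arpa name encodes.
    """
    if qtype.upper() == "PTR":
        ip = ptr_name_to_ip(qname)
        return ip is not None and ip in ALLOWED_PTR_NET
    return name_in_zone(qname)


def allow_response(qtype: str, rdata: List[str]) -> bool:
    """Mirror of the DNS_RESPONSE decision for PTR answers: every PTR target must lie in the zone."""
    if qtype.upper() != "PTR":
        return True
    return all(name_in_zone(target) for target in rdata)


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    samples = [
        ("A", "host.xxx.org.in"),
        ("A", "evilxxx.org.in"),
        ("PTR", "10.2.0.192.in-addr.arpa"),
        ("PTR", "1.1.168.192.in-addr.arpa"),
        ("PTR", "garbage.in-addr.arpa"),
    ]
    for qtype, qname in samples:
        verdict = "allow" if allow_request(qtype, qname) else "drop"
        print(f"{qtype:4} {qname:32} -> {verdict}")
    print("PTR answer host.xxx.org.in. ->", allow_response("PTR", ["host.xxx.org.in."]))
    print("PTR answer other.example.com. ->", allow_response("PTR", ["other.example.com."]))
```

The request-side PTR check is the cheaper control because it never lets the query reach the server; the response-side check still matters when the reverse zone is not yours and the PTR target returned by the server is what you actually want to constrain.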