Forum Discussion
irule to block a domain using UDP payload
Hi, we are trying to filter some DNS queries in our bigIP, but face some problems - running version is 10.1 - only LTM license
that means we can not use DNS irules statements, so we thought about using UDP payload features
for that reason we tried the following
when CLIENT_ACCEPTED {
    set payload [UDP::payload]
    if {[matchclass $payload contains "google"]} {
        reject
    }
}
this is working and it is able to reject DNS queries to google, www.google.com, etc
but if we write down $payload contains "www.google.com"]}
it is not working, neither for google, nor for google.com
we tried to check the payload itself (logging it) and it shows something like blablablawwwgooglecomblablabla, without the dot between google and com
any idea?
we are interested in filtering www.google.com and not google or google.com (this is just an example, URL is different in live system)
thanks a lot in advance
1 Reply
- The_Bhattman
Nimbostratus
I ran into the same issue. Here is something that might work.
It was taken from
https://devcentral.f5.com/wiki/iRules.fast_DNS.ashx
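when CLIENT_ACCEPTED {
    # Skip the 12-byte DNS header; dname receives the length-prefixed question name
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    set dname [string tolower [getfield $dname \x00 1 ] ]
    # Octal escapes: Tcl 8.4 (used by iRules) reads every hex digit after \x,
    # so "\x03com" would be parsed as "\x3c" followed by "om"
    switch -glob $dname {
        "\003www\006google\003com" {
            log local0. "This matches www.google.com"
            drop
        }
    }
}
I hope this helps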
-=Bhattman=-
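The dots are missing from the logged payload because DNS encodes a name on the wire as length-prefixed labels, not as a dotted string. The Python sketch below is an added example, not code from the thread or from F5; the function names and the sample packets are constructed for illustration. It decodes the question name from a raw UDP payload and matches the full name exactly.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample input: a minimal DNS query packet for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_qname(payload):
    """Return the first question name as a lower-case dotted string,
    or None when the packet is truncated or the name is malformed."""
    if len(payload) < 13:
        return None
    labels, pos = [], 12              # QNAME starts after the 12-byte header
    while True:
        if pos >= len(payload):
            return None               # no terminating zero byte: truncated
        length = payload[pos]
        if length == 0:
            break                     # root label ends the name
        if length > 63:
            return None               # pointer/reserved bits: treat as unparseable
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:
            return None               # label runs past the end of the packet
        labels.append(label.decode("latin-1").lower())
        pos += 1 + length
    return ".".join(labels)

def should_block(payload, blocked=frozenset({"www.google.com"})):
    """Exact, case-insensitive match on the whole question name."""
    return parse_qname(payload) in blocked

if __name__ == "__main__":
    q = build_query("www.google.com")
    print(q[12:])                     # b'\x03www\x06google\x03com\x00...'
    print(b"www.google.com" in q)     # dotted substring is absent on the wire
    print(parse_qname(q), should_block(q))
```

Because the comparison is on the decoded full name, queries for google.com or www.google.com.example.org are not caught by the www.google.com entry, and mixed-case queries still are.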