Forum Discussion

kridsana
May 18, 2022

iRule to drop Public IP access to DNS Wide-ip

We have a wide IP "abc01.example.com" which we want to be accessible only from internal users (private IPs).

Do we have an iRule to drop only public IPs and allow private IPs on that wide IP?

So when an nslookup for "abc01.example.com" comes from a public IP, F5 drops it,
and when an nslookup for "abc01.example.com" comes from a private IP, F5 allows it.

Thank you

  • Or can we create a DNS pool with no members?
    Then I could create a Topology LB rule and check the source IP:
    If source IP is a private IP > choose Pool A
    If source IP is not a private IP > choose Pool B (which has no members = returns no IP)

    I tried to create a pool with no members, but F5 marks its status down.

    • kridsana

      We can't do just that, because we want to block public IPs from only one specific wide IP (e.g. abc01.example.com),
      but users from the public should still be able to resolve abc02.example.com and others.

      I think we need an iRule that checks whether the client IP is private or not, and also checks whether that client is trying to resolve abc01.example.com.
      e.g. 
      if client not eq [private_ip_datagroup] && try to resolve wideip [abc01.example.com]
      drop
      else
      return

      Not sure if there is such an iRule, though.
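
An iRule that implements the logic sketched in the thread, added here as an example and not posted by anyone in the discussion. It assumes a BIG-IP DNS listener (the virtual server with the DNS profile) to which the rule is attached; the restricted name "abc01.example.com" and the RFC 1918 private ranges are the only assumptions beyond what the thread states, and the ranges could equally be replaced by a data group lookup with `class match`.

```tcl
# Added example: attach to the DNS listener, not to the wide IP itself.
# Goal from the thread: drop queries for one specific wide IP when they
# come from a public source address; leave every other name untouched.
when DNS_REQUEST {
    # Name being asked for, normalised to lower case without a trailing dot
    set qname [string tolower [string trimright [DNS::question name] "."]]

    # Only the restricted wide IP is affected; other names fall through
    # to normal wide-IP / topology processing.
    if { $qname eq "abc01.example.com" } {
        set src [IP::client_addr]

        # RFC 1918 ranges assumed to represent "internal users"
        if { [IP::addr $src equals 10.0.0.0/8] ||
             [IP::addr $src equals 172.16.0.0/12] ||
             [IP::addr $src equals 192.168.0.0/16] } {
            # Private client: allow the query to resolve normally
            return
        }

        # Public client asking for the restricted name: discard the query.
        # The client sees a timeout rather than an answer.
        log local0. "Dropping DNS query for $qname from public address $src"
        DNS::drop
    }
}
```

Because `DNS::drop` silently discards the packet, public resolvers will retry and eventually time out; that is usually the desired outcome for a name that should not exist externally, but it does mean the "deny" case shows up only in the BIG-IP log rather than as an NXDOMAIN at the client. If the internal address list changes often, keep it in an address-type data group and test with `class match $src equals private_ip_datagroup` instead of the hard-coded ranges.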