Forum Discussion
Is there F5 ip intelligence based on domain/FQDN (domain intelligence)?
I ask this question because, for example, in email security an email can be blocked if the source IP and/or source domain (DNS FQDN) is on a blacklist. From what I read, F5 IP Intelligence provides only a feed of bad IP addresses, but there are attackers that use DYNAMIC DNS: DATA EXFILTRATION and can change the domain-related IP addresses very often, so this could be a useful feature if not present at the moment.
Yea! I'm using this codeshare with great success!
https://devcentral.f5.com/s/articles/dns-interception-protecting-the-client
This code validates the query FQDN with the URL feed and can also validate the response with IPI.
- Bernabe_Crena (Employee)
Aha, so with the SWG URL database I can create data groups and then use them in an iRule, including for HTTP requests (when HTTP_REQUEST) or for DNS requests (when DNS_REQUEST) :)
create ltm data-group internal dns_request_url_categories_dg type string
modify ltm data-group internal dns_request_url_categories_dg records add {"Adult_Content"}
F5 needs to better document this solution as it seems to not be well known.
Also, maybe with the SIDEBAND function I can also reference a free URL/FQDN database in the iRule, using HTTP(S) as the communication protocol, and use it to check the DNS FQDNs or URLs. Again, thanks for the idea.
https://clouddocs.f5.com/api/irules/SIDEBAND.html
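A sketch of the DNS_REQUEST check described in the post above, as an added example that is not part of the thread or the linked codeshare. It assumes a DNS profile on the virtual server, URL categorization (SWG/URL filtering) provisioned so that `CATEGORY::lookup` returns results, and the `dns_request_url_categories_dg` data group created above; answering with NXDOMAIN is one possible policy choice, not something the thread prescribes.

```tcl
when DNS_REQUEST {
    # Queried name, normalised: lower case, no trailing root dot.
    set qname [string tolower [string trimright [DNS::question name] "."]]
    if { $qname eq "" } {
        # Root or empty query name: nothing to categorise.
        return
    }

    # The categorisation engine expects a URL, so wrap the FQDN in one.
    # catch covers the case where the URL database is not available;
    # in that case this sketch fails open and lets the query through.
    if { [catch { set categories [CATEGORY::lookup "http://${qname}/"] } err] } {
        log local0.warning "DNS category lookup failed for $qname: $err"
        return
    }

    foreach cat $categories {
        # Assumption: names may come back with a partition prefix
        # (for example /Common/Adult_Content). Keep only the last path
        # element so it compares against data-group records such as
        # "Adult_Content"; a name without a prefix is left unchanged.
        set short [lindex [split $cat "/"] end]

        if { [class match $short equals dns_request_url_categories_dg] } {
            log local0.notice "Blocked DNS query $qname from [IP::client_addr] (category $short)"
            # Answer the client directly with NXDOMAIN instead of
            # forwarding the query to the resolver.
            DNS::header rcode NXDOMAIN
            DNS::return
            return
        }
    }
}
```

Logging each block with the client address gives the SOC a record of which internal hosts are asking for categorised names, which is often more useful than the block itself.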
No, only bad IP addresses.
Thanks for the answer.