Multi-homed GTM, how to restrict internal/external DNS queries
I have a similar situation (2 pure GTMs). In my case, the iRule works very well. I have set up all of the internal records as WideIPs, then you can apply the iRule directly to the WideIP. It can also be done using an additional "view" (under the ZoneRunner view list), but I think that the iRule on the WIP is simpler and more flexible.
In my case, I have an iRule that drops everything that does not have an RFC1918 source address. This rule is applied to the internal WIPs.
    when DNS_REQUEST {
        # Each branch masks the client address and compares it to one RFC1918 block.
        # Matching sources fall into an empty branch and the query is answered normally.
        if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } {
            # 10.0.0.0/8 - allowed
        } elseif { [IP::addr [IP::client_addr]/12 equals 172.16.0.0] } {
            # 172.16.0.0/12 - allowed
        } elseif { [IP::addr [IP::client_addr]/16 equals 192.168.0.0] } {
            # 192.168.0.0/16 - allowed
        } else {
            # Anything else is logged to /var/log/ltm and the query is silently dropped.
            log "[IP::client_addr] attempting to query internal dns zone!!!!!"
            discard
        }
    }
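To check the mask logic of the iRule above off-box, and to pull the sources it logs out of the LTM log, here is an added Python example (not the poster's code): it reproduces the allow/discard decision for IPv4 sources, including the 172.16.0.0/12 boundary, and parses constructed log lines shaped like the iRule's `log` message; the log prefix and the counts are assumptions.

```python
"""Offline emulation of the RFC1918 source filter in the DNS_REQUEST iRule,
plus a parser for the log line it writes when a query is discarded."""
import ipaddress
import re

# The three blocks the iRule tests with IP::addr .../8, /12 and /16.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(client_addr: str) -> bool:
    """True when the source would fall into one of the iRule's empty branches."""
    addr = ipaddress.ip_address(client_addr)
    if addr.version != 4:
        # The iRule compares IPv4 masks only; an IPv6 client never matches.
        return False
    return any(addr in net for net in RFC1918)


def dns_request_decision(client_addr: str) -> str:
    """Mirror the iRule outcome for one query: 'allow' or 'discard'."""
    return "allow" if is_rfc1918(client_addr) else "discard"


# Matches the message text the iRule passes to `log`; the source address is
# the first token of that message.
LOG_RE = re.compile(r"(\S+) attempting to query internal dns zone")


def offending_sources(log_text: str) -> dict:
    """Count discarded sources per address from /var/log/ltm style lines."""
    counts: dict = {}
    for match in LOG_RE.finditer(log_text):
        src = match.group(1)
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample log (TEST-NET addresses); the syslog prefix is assumed.
SAMPLE_LOG = """\
Jan  1 10:00:01 gtm1 info tmm[1234]: Rule /Common/internal_only <DNS_REQUEST>: 203.0.113.7 attempting to query internal dns zone!!!!!
Jan  1 10:00:02 gtm1 info tmm[1234]: Rule /Common/internal_only <DNS_REQUEST>: 198.51.100.9 attempting to query internal dns zone!!!!!
Jan  1 10:00:05 gtm1 info tmm[1234]: Rule /Common/internal_only <DNS_REQUEST>: 203.0.113.7 attempting to query internal dns zone!!!!!
"""

if __name__ == "__main__":
    for src in ("10.1.2.3", "172.31.255.254", "172.32.0.1", "192.169.0.1"):
        print(src, dns_request_decision(src))
    print(offending_sources(SAMPLE_LOG))
```

Addresses such as 172.32.0.1 and 192.169.0.1 sit just outside the /12 and /16 masks and are discarded, which is the usual place a hand-written mask check goes wrong.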