Forum Discussion
Need help with DNS iRULE
So if I understand you correctly, you want to allow or limit outbound access to some specific site, but based on external name resolution, that site's IP information might change and you'd have to keep updating your iRule. If that's a correct assessment, then you might have a few options.
First, the DNS_REQUEST iRule you're listing could be used on a GTM, and LTM with DNS services licensed, and if clients were pointing to this VIP for either authoritative (GTM) DNS, or as a load balancing VIP (LTM) for other DNS servers.
Now, you could technically perform a RESOLVE::lookup command on each client request to get the current list of IP addresses for a given site, but 1) you'd need to be able to see the Host name in the request, which means you'd need to decrypt and re-encrypt the outbound traffic, and 2) that might add significant load.
Perhaps more realistically you could create a monitor script tied to a dummy pool that could periodically check the IP addresses, and then update a local datagroup if they've changed.
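A sketch of the monitor-script approach from the reply above, as an added example that is not part of the original post or F5's own code. The host name, the data group name `allowed_site_ips`, the `DG_SYNC_RUN` switch and the function names are assumptions; it handles IPv4 only, and the record syntax should be checked against your TMOS version.

```shell
#!/bin/bash
# Added example: keep an internal address data group in sync with DNS.
# HOST and DG are placeholder names (assumptions, not from the thread).
HOST="${HOST:-www.example.com}"
DG="${DG:-allowed_site_ips}"

# Strict filter for resolver output: whole-line IPv4 only, so CNAME
# targets printed by "dig +short" are dropped. Sorted and deduplicated.
resolved_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Loose filter for "tmsh list" output: pull the addresses out of lines
# such as "192.0.2.10/32 { }".
current_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# $1 = text of the current data group, $2 = raw resolver output.
# Prints the tmsh command body needed to bring the data group in line,
# or nothing when no change is required. An empty answer is treated as a
# lookup failure and never wipes the data group.
plan_update() {
    current=$(printf '%s\n' "$1" | current_ips)
    resolved=$(printf '%s\n' "$2" | resolved_ips)
    [ -n "$resolved" ] || return 0
    [ "$current" != "$resolved" ] || return 0
    records=$(printf '%s\n' "$resolved" | sed 's|$|/32 { }|' | tr '\n' ' ')
    printf 'modify ltm data-group internal %s records replace-all-with { %s}\n' \
        "$DG" "$records"
}

# Wiring for a BIG-IP external monitor. It runs only when DG_SYNC_RUN is
# set, so the functions above can be exercised offline.
if [ -n "${DG_SYNC_RUN:-}" ]; then
    cmd=$(plan_update \
        "$(tmsh list ltm data-group internal "$DG" records)" \
        "$(dig +short A "$HOST")")
    [ -z "$cmd" ] || tmsh -c "$cmd"
    echo up   # any stdout output marks the dummy pool member up
fi
```

The iRule then only needs a `class match` against the data group, so no DNS lookup happens per client request.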