Forum Discussion

NISHANT_JOE_RA1
Oct 18, 2019

Need to use DNS service for allowed IP range.

Hi all,

My customer is an ISP vendor; we have implemented the F5 DNS on his premises. He has given the DNS IP to his customers. He also needs to use the DNS service only for an allowed IP range (their customer IP range) and needs to deny all other IP segments.

Can anyone suggest a suitable configuration for this?

3 Replies

  • There are several ways to solve this, depending on which modules are available to you.

    If all you have is a BIG-IP DNS, you could limit access to the listener by writing an iRule that only accepts connections from IP prefixes defined in a datagroup that you populate with the ranges from your customer, or you could do the same by defining a Packet Filter.

  • The iRule below shows various ways of using an iRule to control the traffic. The return command used below exits the event.

    when CLIENT_ACCEPTED {
      # string matching
      if { [IP::client_addr] starts_with "10.10." } { return }

      # subnet matching
      if { [IP::addr [IP::client_addr] equals "10.10.0.0/16"] } { return }

      # class matching
      if { [class match [IP::client_addr] equals my_class_name] } { return }
      # where my_class_name is an address class/datagroup with your subnets in it.

      # nothing matches, reject the traffic
      reject
    }
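    As an added example (not code from this thread), the datagroup variant above carried through for a DNS listener: it assumes an address datagroup named customer_ranges that you have populated with the customer prefixes, and it records each non-customer source once so rejected queries show up in the log without a flood of entries.

```tcl
# Added example, not from the thread: allow-list a BIG-IP DNS listener
# using an address datagroup. Assumes a datagroup "customer_ranges"
# exists, e.g. created with (prefixes are constructed sample values):
#   tmsh create ltm data-group internal customer_ranges type ip \
#       records add { 10.10.0.0/16 { } 192.0.2.0/24 { } }
# and that this iRule is attached to the DNS listener.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Permit any source that falls inside one of the customer prefixes.
    if { [class match $client equals customer_ranges] } {
        return
    }

    # Everything else is discarded. drop (silent) rather than reject
    # avoids sending ICMP/RST back to what may be a spoofed source.
    # The subtable entry (5 minute lifetime) logs each source once,
    # so the log volume stays bounded under a query flood.
    if { ![table lookup -subtable dns_denied $client] } {
        table set -subtable dns_denied $client 1 300
        log local0. "DNS query from non-customer address $client discarded"
    }
    drop
}
```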
  • The issue is solved by using the above iRule. Thanks, Kevin Davies.

    Now a new issue: we are getting NXDOMAIN flood attacks. Do we have any iRule to block those attacks?