Problem using DNS::return in a GTM iRule
Hello,
I'm trying to have a wide IP on my GTM return a NXDOMAIN response if the IP receiving the query is in a specified list. Since I want this to only apply to queries for a given wide IP, I'd like this to be a GTM iRule instead of an LTM iRule. Here's what I came up with:
when DNS_REQUEST {
    set external_ip_addrs { 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 }
    if { [lsearch -exact $external_ip_addrs [IP::local_addr]] >= 0 } {
        # send back a NXDOMAIN
        DNS::answer clear
        DNS::header rcode NXDOMAIN
        DNS::return
    }
}
This gives me the following errors:
line 11: [undefined procedure: DNS::answer] [DNS::answer clear]
line 13: [undefined procedure: DNS::return] [DNS::return]
This is on 11.1, although I get a similar error if I try on an 11.4.1 system. Any ideas as to how to use these functions in a GTM iRule, or why they aren't defined for GTM?
1 Reply
- Mike_61663
You'll have to do this as an LTM iRule as those DNS functions don't work as GTM iRules.
GTM iRules can return CNAME and A records utilising the "cname" and "host" commands respectively, but they can't return NXDOMAIN afaik.
If you want to only do this behavior for particular FQDNs (WideIPs) then simply add an additional condition to your iRule logic e.g.
if { ([DNS::rrtype] eq "A") and ([DNS::rrname] eq "wideip.domain.com") } {
(just remember - to use this as an LTM iRule, make sure you enable a DNS profile on your GTM listener(s))
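Added example, not part of the original thread or written by either poster: the question's NXDOMAIN logic combined with the reply's wide IP condition as a single LTM iRule for a listener that has a DNS profile enabled. It uses only the commands quoted in the thread; the wide IP name and the address list are the placeholder values from the posts above, and the lowercase normalisation is an addition.

```tcl
# Added example: LTM iRule, attach to the GTM listener virtual server
# (the listener must have a DNS profile, as the reply notes).
when DNS_REQUEST {
    # Listener addresses that should answer NXDOMAIN (placeholder values
    # taken from the question)
    set external_ip_addrs { 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 }

    # DNS names are case-insensitive and resolvers may send mixed-case
    # queries, so normalise the name before comparing (added step)
    set qname [string tolower [DNS::rrname]]

    # Scope the rule to A queries for the one wide IP, as the reply suggests
    # ("wideip.domain.com" is the placeholder name from the reply)
    if { ([DNS::rrtype] eq "A") and ($qname eq "wideip.domain.com") } {
        # Act only when the query arrived on one of the listed addresses
        if { [lsearch -exact $external_ip_addrs [IP::local_addr]] >= 0 } {
            DNS::answer clear
            DNS::header rcode NXDOMAIN
            DNS::return
        }
    }
}
```

NXDOMAIN states that the name does not exist for any record type, so with the `DNS::rrtype` test in place AAAA and other query types for the same name still reach GTM and can receive a different answer. Remove that test if every query type for the wide IP should get NXDOMAIN on the listed addresses.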