Forum Discussion
Restrict GTM to only allow replies for external users to certain zones
I have a GTM which has many zones configured; some of the resource records are in ZoneRunner and some are in Wide IPs pointing to LTMs.
I want to restrict external (internet) users to only be able to look up records in one zone.
Can this be done using an iRule on the GTM DNS listener?
I was thinking of using 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 for the range of internal users and the zone name in the iRule.
Any help appreciated
Thanks
Richard
10 Replies
- Ian_Johnson_162
Historic F5 Account
Richard,
You can just enable the listener on the external VLAN. The default tends to be enabled on all VLANs.
Regards Ian
- Richard_22613
Nimbostratus
Thanks, however I should have said that I require the internal users to be able to lookup all zones too.
- Ian_Johnson_162
Historic F5 Account
Richard,
The question I should have asked first was if both internal and external users are using the same listener for different WideIP/DNS look ups.
Ian
- Richard_22613
Nimbostratus
Sorry, yes they are on the same listener.
- Ian_Johnson_162
Historic F5 Account
Richard,
You can do this with an iRule assigned to the WideIP in question. There is an old thread on devcentral which goes over this topic
https://devcentral.f5.com/questions/gtm-irule-to-block-certain-ips-dns-query-of-a-wideip
Regards Ian
- Richard_22613
Nimbostratus
Thanks Ian, however I also have A records in ZoneRunner which I need to prevent being accessed, so the WideIP iRule won't help with that.
- Ian_Johnson_162
Historic F5 Account
Inside of Zonerunner you can setup views which are basically ACL's. The view can then be assigned to zone and define who has access to that zone.
Ian
- Richard_22613
Nimbostratus
Perfect, that looks just what I need. I've configured a new view list but don't seem to be able to move a zone from one view list to another in the GUI. Can I do this from the CLI by editing one of the conf files? Thanks for your help so far! Richard
- Richard_22613
Nimbostratus
I think I found it: the named.conf file in /var/named/config
- Mohamed_Lrhazi
Altocumulus
Most likely not what you need to be doing... editing files under /var/... In the GUI try: DNS ›› Zones : Zones ›› zone-name-here. Then: Options. The online help says: Specifies one or more statements that comprise the zone in the named.conf configuration file. Depending on the zone type that you configure, the default statement (or statements) may change. For additional details on the default zone type statements, refer to the Configuration Guide for Global Traffic Management.
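For readers landing on this thread with the same problem: the view-based ACL that Ian suggests, and that the zone Options field Mohamed points to feeds into, is ordinary BIND named.conf syntax. The fragment below is an added illustration written for this page; it is not from the thread, from F5 documentation, or from any ZoneRunner export. The zone names (public.example.com, corp.example.com), the zone file names and the view names are assumptions. On a GTM the zone statements are entered through the ZoneRunner GUI as Mohamed describes, rather than by hand-editing /var/named/config/named.conf.

```conf
// Added example of BIND view-based access control, not from the thread
// or from F5. Zone names, file names and view names are assumptions.

// The RFC 1918 ranges from Richard's question define the internal clients.
acl "internal-clients" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    localhost;
};

// Views are evaluated top to bottom and the first view whose match-clients
// list matches the query source answers it, so the permissive internal view
// must be listed before the catch-all external one.
view "internal" {
    match-clients { internal-clients; };
    recursion no;

    // Internal users can resolve every zone hosted in ZoneRunner.
    zone "public.example.com" {
        type master;
        file "db.public.example.com";
    };
    zone "corp.example.com" {
        type master;
        file "db.corp.example.com";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Only the one zone that should be visible from the internet.
    zone "public.example.com" {
        type master;
        file "db.public.example.com";
    };
    // corp.example.com is deliberately absent here. With recursion off,
    // a query for it from a non-RFC1918 source gets REFUSED instead of an
    // answer, which is the restriction the original question asks for.
};
```

Two caveats worth knowing before adopting this. First, once any view statement exists, BIND requires every zone to sit inside a view; a zone left at the top level next to views is a configuration error, and on a stock BIND install `named-checkconf` will report it. Second, views only govern the records ZoneRunner hands to BIND: the GTM listener answers WideIP queries itself before anything reaches named, so for the WideIPs the per-WideIP iRule approach from the thread Ian linked is still required alongside the views.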