Forum Discussion
Craig_13881
Nimbostratus
NimbostratusReturn DNS replies to specific clients
I'm trying to return DNS replies to only a couple of different subnets. If the request comes in from anything else, I'd like to ignore it, or return a bogus response. Trying to get this to work, but I'm sure I'm doing something wrong.
when DNS_REQUEST {
if { [IP::addr [IP::client_addr]/24 equals 10.0.0.0/24] or \
[IP::addr [IP::client_addr]/24 equals 192.168.76.0/24]
} {
pool Good_Pool
} else {
pool Dead_Pool }
}
- The_BhattmanHi Craig,
Are you running this on a LTM with a GTM module?
Bhattman 
Craig_13881Hello. I'm running this on a GTM.
Thanks,
Craig
Ryan_Paras_7933I don't have a GTM to test with :(
But have a look at http://devcentral.f5.com/wiki/iRules.DNS_REQUEST.ashx
I think you want to change IP::client_addr to IP::remote_addr
If that doesn't fix it..... what does your GTM log say?- Ryan_Paras_7933After getting some inspiration from this thread ... http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1177010/showtab/groupforums/Default.aspx
Why not make a region with your IPs you want to allow resolution from, call it GOODIPS, and then try this:
when DNS_REQUEST {
if { [matchregion ldns GOODIPS]}{
pool Good_Pool
}
else{
pool Bad_Pool
}
} - Craig_13881I was originally sent to this thread by F5 support, but that didn't really meet my needs. http://devcentral.f5.com/wiki/iRules.DNS_REQUEST.ashx
I played around with changing remote_addr to client_addr but that didn't help either. I'm going to give the topology records a try.
Is there a way to just drop the traffic or not respond if the "else" condition occurs? - Ryan_Paras_7933if you are looking to just drop traffic, I think you can just not define a default pool and only define a pool within the irule for the good conditional. Does that make sense?
- The_BhattmanHi Craig,
If you look to provide a bogus response from the GTM based on it hitting a specific wide IP then you can do the followingwhen DNS_REQUEST { if { !([IP::addr [IP::client_addr]/24 equals 10.0.0.0/24]) or !([IP::addr [IP::client_addr]/24 equals 192.168.76.0/24]) } { cname www.blahblahblah.com } }
I hope this helps
Bhattman - Craig_13881That looks perfect, but when I test it out, I get www.blahblahblah.com even though the source IP in the packet capture is in the 192.168.76.0/24 range. I should mention that I'm testing this from my workstation, which is asking a Microsoft DNS server, and that DNS server is handing the request off to the GTM. I can see blahblahblah showing up in a Wireshark trace on my PC and I've verify the source IP that hitting the GTM with a TCPdump. I may try just putting the IP address of the DNS server in the iRule as a host entry instead of a subnet and see if I can get it to work. It's like the "if" condition is coming up "true" when it should evaluate to "false".
Here's what I have I added a subnet and a closing brace at the end. (The GTM was barking at me about the closing brace.)when DNS_REQUEST { if { !([IP::addr [IP::client_addr]/24 equals 10.0.0.0/24]) or !([IP::addr [IP::client_addr]/24 equals 192.168.76.0/24]) or !([IP::addr [IP::client_addr]/24 equals 172.16.1.0/24]) } { cname www.blahblahblah.com } } - Craig_13881The iRule below works, I just need to get the syntax correct for the subnets and I'll be good. Going to play around with that some more. 10.0.0.53 is the IP of the internal DNS server making the request to the GTM.
when DNS_REQUEST { if { ![IP::addr [IP::client_addr] equals 10.0.0.53] } { cname www.blahblahblah.com } } - Craig_13881Got it! Had to change the "or" to an "and". I was never all that great with double negatives. 🙂
when DNS_REQUEST { if { !([IP::addr [IP::client_addr]/24 equals 10.0.0.0]) and !([IP::addr [IP::client_addr]/24 equals 172.16.1.0]) } { cname www.blahblahblah.com } } Thanks for you help. This seems to be working perfectly!
