BIG-IP DNS Express - Private Zone Blocker

Problem this snippet solves:

With BIG-IP DNS; you cannot enable/disable configured DNS Express Zones on a per-listener basis. This makes scenarios where a single BIG-IP DNS system has listeners exposed to internal networks with RFC1918 addresses and public Internet networks. DNS Express doesn't support DNS Views, in short.

This iRule allows you to configure a datagroup containing "disabled_zones" and the iRule will validate if the query matches a zone listed in disabled_zones. If it gets a match, it simply returns nothing.

Additionally, the iRule examines all responses and checks that resource records in the response do not contain RFC1918 addresses and if it finds them, it removes those Resource Records. All code in the "DNS_RESPONSE" event can be commented or deleted if this behavior isn't desired.

How to use this snippet:

enable iRule on DNS listener (most likely a listener available only to private network clients) and configure "disabled_zones" data group as shown in example.

Log lines can be deleted or commented out once proper operation of the rule is confirmed and understood or retained for purposes of auditing queries that are dropped/blocked.

Code :

    log "Got request from: [IP::remote_addr] for [DNS::question name]"
    if {[class match [DNS::question name] ends_with disabled_zones]}{
        log "Query for [DNS::question name] is for a disabled zone - Dropping"

    log "Got Response = [DNS::answer]"
    set rrs [DNS::answer]
    set privateresponse 0
    foreach rr $rrs {
        log "DNS Response rr: $rr"
        if {[DNS::type $rr] == "A"}{
            if {[class match [DNS::rdata $rr] equals private_net]}{
                set privateresponse 1
                DNS::answer remove $rr
            log "DNS RR data: [DNS::rdata $rr]"
    if {$privateresponse}{
        log "DNS response contains private addresses"

Tested this on version:

Published Jul 24, 2020
Version 1.0

Was this article helpful?