For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Block requests by reverse DNS record

Problem this snippet solves: This iRule performs a reverse DNS lookup on the client IP address and blocks any which don't match a specific top level domain. This specific example sends an HTTP respo...
Published Mar 16, 2015
Version 1.0
application delivery
devops
iRules
security
John_Beckmann's avatar
John_Beckmann
Icon for Employee rankEmployee
Mar 08, 2016
The bug ( BZ 340659 ) https://support.f5.com/kb/en-us/solutions/public/12000/300/sol12378.html was resolved in 10.2.2, so I am sharing an updated iRule to do this in 11.x ========================================================================== when RULE_INIT { Set debug to 0 for no logging Set debug to 1 to just log blocks Set debug to 2 to log blocks and valid requests set static::debug 1 Ensure this points to your Data Group set static::domain_blacklist_dg "domain_block_blacklist" Set IP for your DNS Server set static::my_dns 192.168.10.1 Set name of VS if using a local Virtual Server set static::my_dns my_dns_vs } when CLIENT_ACCEPTED { set do_lookup 1 set is_blocked 0 set full_domain "" set base_domain "" if { $static::debug > 1 } { log local0. "Connection Accepted from IP_Addr:[IP::remote_addr]" } } when HTTP_REQUEST { if { $static::debug > 1 } { log local0. "Processing Request from IP_Addr:[IP::remote_addr]" log local0. "Do Lookup: $do_lookup Is Blocked: $is_blocked" log local0. "My_DNS: $static::my_dns" } if { $do_lookup } { grab the client base domain reverse lookup of IP Address set full_domain [RESOLV::lookup @$static::my_dns inet -ptr [IP::remote_addr]] grab the base domain (top level plus subdomain) from full_domain set base_domain [join [lrange [split $full_domain .] end-1 end] .] set do_lookup 0 } if { $is_blocked } { if { $static::debug > 0 } { log local0. "IP_Addr:[IP::remote_addr] Reverse_Lookup:$base_domain blacklisted (Already Blocked)" log local0. "Full Domain: $full_domain" } send a TCP reset reject } else { if { [class match $base_domain contains $static::domain_blacklist_dg] } { if { $static::debug > 0 } { log local0. "IP_Addr:[IP::remote_addr] Reverse_Lookup:$base_domain blacklisted (Blocked)" log local0. "Full Domian: $full_domain" } set is_blocked 1 send a TCP reset reject } else { if { $static::debug > 1 } { log local0. "IP_Addr:[IP::remote_addr] Reverse_Lookup:$base_domain $full_domain Accepted" } } } } ==========================================================================