For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

DNS Non-English Domain Name Detection

Problem this snippet solves: This iRule scans domain name in the query section of the DNS message. If it founds character that has value higher than 127 (according to ASCII, printable english charac...
Published Mar 17, 2015
Version 1.0
application delivery
devops
dns
iRules
ep's avatar
ep
Icon for Nimbostratus rankNimbostratus
May 12, 2015
Forgive me if I'm confused, but . . . Wouldn't it be better if this code binary scan [UDP::payload] @3c sflags set rcode [expr $sflags & 0xf] if { $rcode == 0} { said this instead? binary scan [UDP::payload] @2c sflags set qr [expr $sflags & 0x80] if { $qr == 0} { My thought is that @3c selects the 4th byte of the UDP::payload, which is actually the RA, Z, and RCODE. When you & 0xf, you do get 0 if it is a query, but only because a query should always have a 0000 RCODE. Instead, if you select the 3rd byte with @2c, you should get the QR, OPCODE, AA, TC, and RD. A QR of 0 indicates that this is a query, and something we want to inspect. By doing a & 0x80, you should only get a nonzero when it is not a query (128 = 0b10000000). Is there a reason why you prefer looking at the RCODE and not the QR? I've learned a lot by reading this code, thanks! ep