Simple GTM Domain Generation Algorithm dynamic blacklist
Problem this snippet solves:
Simple GTM DGA dynamic blacklist used to reduce load on backend DNS servers. This iRule should be applied to the GTM listener.
Here is a list of all the configurable options:
- static::debug - enable/disable verbose logging to /var/log/ltm
- static::timeout - blacklist timeout
- static::threshold - threshold to enable dns blacklisting of a domain
You need to set timeout and threshold according to your needs before enabling this iRule.
Code :
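when RULE_INIT {
    # 1 enables verbose logging to /var/log/ltm
    set static::debug 0
    # Blacklist entry timeout in seconds
    set static::timeout 60
    # NXDOMAIN count at which a domain is blacklisted
    set static::threshold 10
}
when DNS_REQUEST {
    # Clear any value left over from an earlier query on this connection
    unset -nocomplain domain
    # Key on the last two labels of the query name; skip names that do not match
    if { ![regexp {([-A-Za-z0-9]+\.[-A-Za-z0-9]+)$} [DNS::question name] domain] } {
        return
    }
    set count [table lookup ddbl_$domain]
    # table lookup returns an empty string when no entry exists
    if { $count ne "" && $count >= $static::threshold } {
        if { $static::debug } { log local0. "\[DDBL\] Dropping question [DNS::question name], $domain is on dynamic dns blacklist" }
        # Keep the entry alive while the domain is still being queried
        table timeout ddbl_$domain $static::timeout
        DNS::drop
    }
}
when DNS_RESPONSE {
    # Count NXDOMAIN responses for the domain extracted in DNS_REQUEST
    if { [info exists domain] && [DNS::ptype] == "NXDOMAIN" } {
        set count [ table incr ddbl_$domain ]
        table timeout ddbl_$domain $static::timeout
        if { $static::debug } { log local0. "\[DDBL\] NXDOMAIN HIT [DNS::question name], hitcount is $count, threshold is $static::threshold" }
    }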
}
Tested this on version:
11.6
Published Jul 21, 2015
Version 1.0
rdvn_148212
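To choose threshold and timeout before enabling the iRule, its counting logic can be replayed offline against a query log. The Python model below is an added example, not part of the original snippet or F5 code; the class and function names, the sample events, and the assumption that every table lookup restarts the entry's idle timer are made for the illustration.

```python
import re
# Same key as the iRule: the last two labels of the query name.
KEY_RE = re.compile(r"([-A-Za-z0-9]+\.[-A-Za-z0-9]+)$")

class BlacklistModel:
    """Offline model of the iRule's table logic (not F5 code)."""
    def __init__(self, threshold=10, timeout=60):
        self.threshold, self.timeout = threshold, timeout
        self.table = {}  # domain -> [nxdomain_count, expiry_time]

    def _lookup(self, domain, now):
        entry = self.table.get(domain)
        if entry is None or entry[1] <= now:
            self.table.pop(domain, None)  # expired or never seen
            return 0
        entry[1] = now + self.timeout  # assumption: a lookup restarts the idle timer
        return entry[0]

    def query(self, now, qname, rcode):
        """Return the blacklisted domain if the query is dropped, else None."""
        m = KEY_RE.search(qname)
        if m is None:
            return None
        domain = m.group(1)
        count = self._lookup(domain, now)
        if count >= self.threshold:
            return domain
        if rcode == "NXDOMAIN":
            self.table[domain] = [count + 1, now + self.timeout]
        return None

def replay(events, threshold=10, timeout=60):
    """events: (time_s, qname, rcode) tuples. Returns {domain: dropped_queries}."""
    model, dropped = BlacklistModel(threshold, timeout), {}
    for now, qname, rcode in events:
        domain = model.query(now, qname, rcode)
        if domain:
            dropped[domain] = dropped.get(domain, 0) + 1
    return dropped

SAMPLE = [  # constructed traffic: random-looking names under example.net
    (0, "xkqpd.example.net", "NXDOMAIN"),
    (1, "www.example.org", "NOERROR"),
    (2, "qzvha.example.net", "NXDOMAIN"),
    (3, "mmtry.example.net", "NXDOMAIN"),
    (4, "plwqe.example.net", "NXDOMAIN"),  # dropped at threshold 3
    (5, "www.example.net", "NOERROR"),     # valid name, dropped as well
    (70, "www.example.net", "NOERROR"),    # entry idle for more than 60 s
]
```

With threshold 3 and timeout 60 the sample drops two example.net queries, including the valid www.example.net, because blacklisting applies to the whole two-label domain. Raising timeout to 120 keeps the entry alive long enough to drop the query at t=70 as well.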