F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

DNS Non-English Domain Name Detection

Problem this snippet solves: This iRule scans domain name in the query section of the DNS message. If it founds character that has value higher than 127 (according to ASCII, printable english charac...
Published Mar 17, 2015
Version 1.0
application delivery
devops
dns
iRules
ep's avatar
ep
Icon for Nimbostratus rankNimbostratus
May 12, 2015
Forgive me if I'm confused, but . . . Wouldn't it be better if this code binary scan [UDP::payload] @3c sflags set rcode [expr $sflags & 0xf] if { $rcode == 0} { said this instead? binary scan [UDP::payload] @2c sflags set qr [expr $sflags & 0x80] if { $qr == 0} { My thought is that @3c selects the 4th byte of the UDP::payload, which is actually the RA, Z, and RCODE. When you & 0xf, you do get 0 if it is a query, but only because a query should always have a 0000 RCODE. Instead, if you select the 3rd byte with @2c, you should get the QR, OPCODE, AA, TC, and RD. A QR of 0 indicates that this is a query, and something we want to inspect. By doing a & 0x80, you should only get a nonzero when it is not a query (128 = 0b10000000). Is there a reason why you prefer looking at the RCODE and not the QR? I've learned a lot by reading this code, thanks! ep