Here is an iApp that was created to demonstrate f5 as a DNS Security services platform. it has some dependencies (listed below) and some of the exception handling has been removed to simplify the iApp for clarity.
It requires a pre-defined rate shaper called “dns_rate_shape”
It requires a pre-defined security logging profile called “test_security_log”
It requires a pre-defined DNS entry for the device under system>config>device>dns (I used 18.104.22.168 – this is for the IPI database update)
For some reason you can’t define the DNS DoS parameters in the iApp on the initial build. As a work around you, if you run the iApp without it and then reconfigure the iApp to include it, then it works fine
Here are a few things that were just built for the demo.:
The Manual shun of the IP address is pretty basic, I just add the IP entry to a static blacklist table on RULE_INIT…. this is because we plan to rewrite it when we have the IP::intelligence add < IP_addr > < shun_period > that would remove the whole requirement for this static blacklist table. In its current form it just demos that it is possible. If someone needs this now, then it can easily be tidied up in the embedded iRule.
In looking at the section “DNS test query traffic/Generate DNS queries with known bad source IP Addresses” at the bottom of the template, the IPI database changes pretty often so some of the bad IPI addresses hard coded in the iApp might not be bad any more. To get new bad ones before a demo, just throw a 1000 random ones with “Drop Bad Reputation Source IP Addresses” enabled and you will get a few bad ones that you can edit into the template
The Splunk GUI is hard coded to 10.128.10.159:80 as mentioned in the template but it also hard codes the Splunk GUI pool as 10.128.20.252:8000. I can make this definable in the iApp but have been a bit lazy, easy to spot in the template.