Nat_Thirasutta3
F5 Employee

Problem this snippet solves:

This iRule replies to queries for "www.f5.com" itself (offloading that query from the server) and leaves all other queries as they are. It can be applied to DNS security (to provide an immediate response), for example to filter out invalid or bad domains.

Code:

#
# LTM DNS offload sample
# This iRule replies to queries for "www.f5.com" (offloading this query from the server) and leaves other queries as is.
# It can be applied to DNS security, such as filtering out invalid/bad domains, etc.
#
when RULE_INIT  {
    # Header generation (in hexadecimal)
    # qr(1) opcode(0000) AA(1) TC(0) RD(1) RA(1) Z(000) RCODE(0000) = 0x8580
    set ::header "8580"
    # 1 question, 1 answer, 0 NS, 0 Additional
    set ::header "${::header}0001000100000000"
    # Name = www f5 com (length-prefixed labels: 03 'www' 02 'f5' 03 'com' 00)
    set ::answer "0377777702663503636f6d00"
    # Type = A
    set ::answer "${::answer}0001"
    # Class = IN
    set ::answer "${::answer}0001"
    # TTL = 1 day (0x15180 = 86400 seconds)
    set ::answer "${::answer}00015180"
    # Data length = 4
    set ::answer "${::answer}0004"
    # Address = 65.197.145.23
    set ::answer "${::answer}41c59117"
}
when CLIENT_DATA {
    # id: transaction ID (2 bytes, hex); dname: everything after the 12-byte header as text;
    # question: everything after the header as hex (QNAME + QTYPE + QCLASS, plus any additional records)
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    # QNAME ends at the first null byte; the labels keep their length-prefix bytes
    set dname [string tolower [getfield $dname \x00 1 ] ]
    switch -glob $dname {
        "\x03www\x02f5\x03com" {
            #log local0. "match www.f5.com"
            # Response = client's ID + canned header + echoed question section + canned answer.
            # Note: the header hardcodes ARCOUNT=0, so an EDNS0 OPT record sent by the
            # client is echoed inside $question but not counted in the header.
            set payload [binary format H* ${id}${::header}${question}${::answer} ]
            drop
            UDP::respond $payload
        }
        default {
            #log local0. "does not match"
        }
    }
}
Version history
Last update: 17-Mar-2015 13:54