Forum Discussion

Vadym_Chepkov
Jul 13, 2016

How to filter private IP space from DNS_RESPONSE

We would like to return a 'not found' answer if an "outsider" requested an A record with an IP from the private RFC 1918 networks. How would one accomplish that with an iRule? I saw some filtering examples available, but nothing that evaluates the content of the DNS::answer; most examples use DNS::drop, and I didn't find an equivalent of DNS::not_found either.

Thank you,

Vadym

3 Replies

  • I started with this:

      when DNS_RESPONSE {
        # Only filter responses going to clients outside the local_net data group
        if { not [class match [IP::client_addr] equals "local_net"] } {
          foreach entry [DNS::answer] {
            if { [DNS::type $entry] eq "A" } {
              # A record whose address falls in the private_net data group
              if { [class match [DNS::rdata $entry] equals "private_net"] } {
                # need to return not found here
              }
            }
          }
        }
      }

  • Hi, you can try to clear and respond a NXDOMAIN code, e.g.:

    when DNS_RESPONSE {
        if { not [class match [IP::client_addr] equals private_net] } {
            # drop every answer record and mark the response as NXDOMAIN
            DNS::answer clear
            DNS::header rcode NXDOMAIN
        }
    }
  • OK, sorry.

    That was just a quick example. The goal was the NXDOMAIN in the answer.

    If you need to clear only internal address to an external response, maybe you can try like this:

    when DNS_RESPONSE {
        if { not [class match [IP::client_addr] equals "local_net"] } {
            # remove internal IP from external answer
            foreach rr [DNS::answer] {
                if { [DNS::type $rr] eq "A" } {
                    if { [class match [DNS::rdata $rr] equals private_net] } {
                        DNS::answer remove $rr
                    }
                }
            }
            # if query type ANY:
            # remove internal IP from additional section of external answer
            foreach rr [DNS::additional] {
                if { [DNS::type $rr] eq "A" } {
                    if { [class match [DNS::rdata $rr] equals private_net] } {
                        DNS::additional remove $rr
                    }
                }
            }
            # if the answer section is now empty, report NXDOMAIN
            if { [DNS::answer] eq "" } {
                DNS::header rcode NXDOMAIN
            }
        }
    }


    Respectfully.
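The filtering policy of the final iRule, modelled in Python as an added example (not code from the thread or from F5) so it can be run and tested offline. The `local_net` and `private_net` data groups are assumed to be the constructed network lists below, and DNS records are a constructed `RR` triple; it goes one step beyond the iRule by rewriting the rcode to NXDOMAIN only when filtering actually emptied the answer, so a legitimate empty (NODATA) response keeps its original rcode.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the "private_net" data group: the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for the "local_net" data group (clients that may see
# internal addresses); any site-specific list would go here.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class RR:
    """Minimal resource record: owner name, type, rdata (address or target)."""
    name: str
    rtype: str
    rdata: str


def in_any(addr, nets):
    """True if addr falls inside one of nets (the class match equals check)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def filter_response(client_addr, answer, additional, rcode="NOERROR"):
    """Mirror the DNS_RESPONSE iRule: for clients outside local_net, drop A
    records with RFC 1918 rdata from the answer and additional sections and
    report NXDOMAIN when that emptied the answer. Returns (answer, additional,
    rcode); other record types (CNAME, AAAA, ...) pass through untouched."""
    if in_any(client_addr, LOCAL_NETS):
        return list(answer), list(additional), rcode

    def keep(rr):
        return not (rr.rtype == "A" and in_any(rr.rdata, PRIVATE_NETS))

    kept_answer = [rr for rr in answer if keep(rr)]
    kept_additional = [rr for rr in additional if keep(rr)]
    # Deviation from the iRule: only rewrite the rcode when we removed
    # something, so an already-empty NODATA answer is not turned into NXDOMAIN.
    if not kept_answer and len(kept_answer) < len(answer):
        rcode = "NXDOMAIN"
    return kept_answer, kept_additional, rcode
```

A remaining CNAME whose private A target was stripped still leaves a non-empty answer, so the client receives NOERROR with no address, exactly as the iRule behaves.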