iRule to discard specific DNS REQUEST

kridsana
Cirrostratus

Hi

We use F5 DNS and we see many DNS requests coming to us.

For example, we have many spam DNS requests for www.seo.com, which does not exist in our domain name (it's non-existing domain spam).

Can we have an iRule to discard only the requests for www.seo.com on our listener?

Does this iRule work?

 

when DNS_REQUEST {
    # Lower-case the queried name so the comparison is case-insensitive
    if { [string tolower [DNS::question name]] equals "www.seo.com" } {
        # DNS::drop discards the query without sending any response
        DNS::drop
    }
}

AlexBCT
MVP

Yes, that should do the trick - with the DNS::drop option. The "else" statement is not necessary.

If you want something a bit more flexible, here is an iRule that I'm using to block out a variety of domains (unless from one specific endpoint):

 

when DNS_REQUEST {
    # Drop the query if the name matches any record in the "blocked-domains"
    # datagroup, unless it comes from the one exempt endpoint
    if { [class match [DNS::question name] contains blocked-domains] && [IP::client_addr] ne "10.10.0.30" } {
        DNS::drop
    }
}

If you create the datagroup called "blocked-domains", you can add any phrase that should NOT be included in the DNS request, such as "www.seo.com" but also "seo" - which will block anything that contains the text "seo".

 

For this particular domain, if it is indeed a large amount of queries, I would recommend investigating where the DNS queries are coming from, though. If it is coming from inside your environment, you may have endpoints that are infected with unwanted software, or if it is coming from external sources, someone may have incorrectly tagged your DNS server as the authoritative party for that domain, or may be routing DNS requests via your systems. Either way, I would probably recommend figuring out where it's coming from.

 

Hope this helps.
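As an added example (not code from the thread above), the following iRule combines the datagroup block with a log line recording the client address of each dropped query, which is the evidence needed for the "find out where it is coming from" step. The datagroup name `blocked-domains`, its records, the exempt address `10.10.0.30` and the log message format are assumptions.

```tcl
# Added example, not from the original thread. Assumes an internal string
# datagroup named "blocked-domains" exists on the BIG-IP, e.g. created with:
#
#   tmsh create ltm data-group internal blocked-domains type string \
#       records add { www.seo.com { } seo { } }
#
# and that 10.10.0.30 is the single endpoint allowed to resolve those names.

when DNS_REQUEST {
    # Normalise the queried name so mixed-case queries still hit the datagroup.
    set qname [string tolower [DNS::question name]]

    # "contains" matches when any datagroup record is a substring of the queried
    # name, so the record "seo" also catches names such as mail.seo.example.
    if { [class match $qname contains blocked-domains] } {

        # The exempt endpoint is allowed through untouched.
        if { [IP::client_addr] eq "10.10.0.30" } {
            return
        }

        # Record the source before discarding: the address tells you whether the
        # spam originates inside the environment or from external resolvers.
        log local0. "Dropped DNS query for $qname from [IP::client_addr]"
        DNS::drop
    }
}
```

With a high query rate this will write one log line per dropped query, so check the log volume on the device before leaving it enabled.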