cancel
Showing results for 
Search instead for 
Did you mean: 

Is there F5 ip intelligence based on domain/FQDN (domain intelligence)?

I ask this question because for example for email security an email can be blocked if the source IP and/or source domain (DNS FQDN) are in a blacklist. From what I read the F5 Ip intelligence provides only a feed for bad IP addresses but there are attackers that use DYNAMIC DNS: DATA EXFILTRATION can change the domain related ip addresses very often and this could a usefull feature if not present at the moment.

1 ACCEPTED SOLUTION

Bernabe_Crena
F5 Employee
F5 Employee

Yea! I'm using this codeshare with great sucess!

https://devcentral.f5.com/s/articles/dns-interception-protecting-the-client

this code validates the query FQDN with URL Feed and also can validate the response with IPI.

View solution in original post

4 REPLIES 4

No, only bad IP addresses.

Thanks for the answer.

Bernabe_Crena
F5 Employee
F5 Employee

Yea! I'm using this codeshare with great sucess!

https://devcentral.f5.com/s/articles/dns-interception-protecting-the-client

this code validates the query FQDN with URL Feed and also can validate the response with IPI.

Aha , so with the SWG URL database I can create data groups and then use them in an iRule including and irule HTTP requests(when HTTP_REQUEST) or for the DNS requests (when DNS_REQUEST ) 🙂

 

create ltm data-group internal dns_request_url_categories_dg type string

modify ltm data-group internal dns_request_url_categories_dg records add {"Adult_Content"}

 

 

F5 needs to better document this solution as it seems to not be well known.

 

 

 

 

Also maybe with the SIDEBAND function I can reference also a free URL/FQDN database, using HTTP(S) as the communication protocol, in the iRule and use it in checking the DNS FQDN domains or URLs. Again thanks for the idea.

 

 

https://clouddocs.f5.com/api/irules/SIDEBAND.html

 

https://clouddocs.f5.com/api/irules/HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-C...