Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
code share

DNS Blackhole

Problem this snippet solves:

The blackhole requirement is to intercept DNS requests for prohibited FQDNs, not sent those to BIND for recursive look-up, return a DNS response with an A record to an LTM virtual server, and have a LTM virtual server with a second iRule that will log the request and serve a static page. The solution uses an iRule to the listener virtual server. This virtual server processes all GTM/BIND traffic. Incoming requests are matched against an external data group that contains a list of prohibited FQDNs. This data group file can be edited directly in the GUI at System - File Management - Data Group File List (line terminator should be LF only, not CR-LF). Alternately, the file can be edited manually and re-loaded by doing a "tmsh load sys config verify" then "tmsh load sys config". The blackhole iRule will log all requests for prohibited FQDNs and return a DNS response that matches an LTM virtual server. The blackhole iRule only provides valid responses for A records, however all blackhole DNS requests are logged.

How to use this snippet:
  • Create the list of FQDNs for the BIG-IP external data group. Example format is below. File can be stored in /config/Blackhole_Class, although v11.1 provides a method to upload via GUI which is recommended. The second field is the reason why the site was added to the Blackhole class.

    • ".3322.org" := "virus",
      ".3322.com" := "malware",
      ".3322.net" := "phishing",
  • Make the external file accessible

    • On Internal-GTM's GUI, go to System - File Management - Data Group File List - Import.
    • File Name: upload Blackhole_Class file
    • Name: Blackhole_Class
    • File Contents: String
    • Key / Value Pair Separator: :=
  • Create data group as external file:

    • On Internal-GTM's GUI, go to Local Traffic - iRules - Data Group List - Create
    • Name: Blackhole_Class
    • Type: (External File)
    • Path/Filename: Blackhole_Class
    • File Contents: string
    • Access Mode: Read Only
  • Create the Blackhole iRule

    • On Internal-GTM's GUI, go to Local Traffic - iRules - Create.
    • Name: DNS_blackhole (can be renamed)
    • iRule Source is attached below.
  • Apply the Blackhole iRule to the GTM listener virtual server.

    • Go to Local Traffic - Virtual Servers.
    • Click on the Virtual Server created automatically for the GTM listener. Name will be of form: vs_10_1_1_152_53_gtm, where the first 4 numbers are the IP address of the Listener.
    • Go to the resources tab and assign the DNS_Blackhole iRule created above.
  • Create iFile for the Organization's Logo that will be used with the block page.

    • Download a copy of the image to be used
    • Rename file to corp-logo.gif (optional)
    • Go to System - File Management - iFile List - Import
    • Name: corp-logo.gif
    • Go to Local Traffic - iRules - iFile List - Create
    • Name: corp-logo.gif
    • File name:
  • Create iRule to log client requests and send an HTML page to notify customers they have violated the Blackhole. This iRule should be copied from the attached file.

    • Go to Local Traffic - iRules - Create
    • Name: DNS_blackhole_block_page
    • iRule Source attached below.
  • Create virtual server for client requests. The IP address should match the DNS response defined in ::blackhole_reply in the DNS_Blackhole iRule.

    • Go to Local Traffic - Virtual Servers - Create
    • Name: DNS_blackhole_block_page
    • Destination: (update per local requirements)
    • Port: 80
    • HTTP profile: http
    • iRules: DNS_blackhole_block_page