DNS Recursion Desire restriction and Blacklist

Hi, I am writing an iRule to insert an answer for blacklisted domains, restrict queries based on source (defined in a datagroup), and answer all queries from everyone that come for an authoritative answer. I need help getting this verified for performance on the BIG-IP appliance. The iRule is as below; can anyone make suggestions on it?

when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            DNS::drop
        } elseif { [string tolower [class match $domain_name eq Blacklist_Class]] } {
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}
when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}

Comments on this Question
Comment made 29-Feb-2016 by Kai Wilke 6871
Hi Dearsanky, can you please repost your iRule with proper formatting (mark the code blocks and then push TAB)? I tried to format the iRule by myself, but somehow a curly brace is missing, making the iRule invalid. Cheers, Kai
Comment made 01-Mar-2016 by dearsanky 129
Hi Kai, please let me know if you have any suggestions on this... thanks
Comment made 01-Mar-2016 by Kai Wilke 6871
Will respond tomorrow. But right now it seems you can get rid of the DNS_RESPONSE event and some variables. In addition I've spotted a coding issue in your string tolower syntax. Question: I'm not familiar with the DNS::last_act command. What is the purpose of using this command for those blacklisted requests?
Comment made 02-Mar-2016 by dearsanky 129
DNS::last_act means "Sets the action to perform if no DNS service handles this packet "
Comment made 02-Mar-2016 by Kai Wilke 6871
This is what the documentation tells. Are you using such DNS services, or do you just need to DNS::drop those requests?
Comment made 02-Mar-2016 by Kai Wilke 6871
Just checked the outcome of "DNS::last_act reject" in my demo environment and can confirm the functionality of the optimized iRule syntax. At first sight "DNS::last_act reject" has basically the same outcome as a "DNS::drop". And both commands will work without any issues using just the DNS_REQUEST event, to make it more performant. In the meantime I've also found the origin of your iRule (https://devcentral.f5.com/articles/v111-dns-blackhole-with-irules). Well, I still don't know why the provided sample code uses the DNS_RESPONSE event, if the DNS request already holds every piece of information needed to simply intercept and respond to the DNS request on behalf of the DNS servers. Cheers, Kai
Comment made 03-Mar-2016 by dearsanky 129
Hi Kai, thanks for your input.. I need DNS_RESPONSE to customize the DNS answer and redirect the request to some other server. But anyway, my iRule for DNS services is required as follows: "DNS will work ANS & recursive for the ISP's own subscribers; for external users only respond authoritatively, and redirect/drop the blacklisted domains." I've written one rule, but CPU goes high. Can you share some ideas on it? Thanks.
Comment made 03-Mar-2016 by Kai Wilke 6871
You'll find an optimized version of your iRule at the bottom of this post... ;-)

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi

the last posted iRule is somewhat invalid (a closing curly brace } is missing and the LF formatting is screwed).

I've reconstructed and optimized the logic as best as possible. But because of the missing curly brace, I'm not sure if the iRule still does what you need...

The iRule would block DNS requests from client IPs which are not defined in the admin_datagroup datagroup. If the client IP is in the admin_datagroup, the [string tolower [DNS::question name]] gets matched with the Blacklist_Class datagroup. If the [DNS::question name] is in the blacklist and [DNS::question type] = A, then respond with $static::blacklist_reply_IPV4. If not [DNS::question type] = A, then use DNS::last_act reject to determine the result of the DNS request...

when RULE_INIT {
    #Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    #Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100" 
} 
when DNS_REQUEST { 
    if { [DNS::header "rd"] == 1 } then { 
        if { not [class match [IP::client_addr] eq "admin_datagroup" ] } then { 
            DNS::drop 
        } elseif { [class match [string tolower [DNS::question name]] eq Blacklist_Class] } then {
            if { [DNS::question type] eq "A" } then {
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl IN A $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            } else {
                DNS::last_act reject
            }
            DNS::return 
        } 
    } 
}

Note: I've integrated the DNS_RESPONSE event functionality into the DNS_REQUEST event, since it doesn't make much sense to resolve the query if the request parameters already indicate an intercepted response.

Note: I didn't test the iRule at all. The optimizations are purely based on experience...

Cheers, Kai

Comments on this Answer
Comment made 02-Mar-2016 by Kai Wilke 6871
Additional note on the functionality of this iRule: the [class match [string tolower [DNS::question name]] eq Blacklist_Class] could be changed to an "ends_with" syntax to make the filtering more accurate and to allow wildcard filtering of entire DNS domain names.
Comment made 03-Mar-2016 by dearsanky 129
Thanks a lot Kai, but whenever I tried to make it ends_with, it blocked genuine requests as well. But one more quick reply is needed if possible: with RD==1, I used to block recursion for all users, but authoritative answers should be returned to root and other DNS servers when they come for the ISP's website or domain. Hope the RD==0 while any DNS comes for an authoritative zone query..... Thanks
Comment made 06-Mar-2016 by Kai Wilke 6871
The success of "ends_with" is somewhat dependent on the layout of your datagroup. If your datagroup is built for exact matches, then stick to them... ;-) I didn't get the point of RD==1/0; can you please elaborate the use case in more detail? Cheers, Kai
Comment made 11-Mar-2016 by dearsanky 129
RD (Recursion Desired) has the value false (0) or true (1), and I want some customized rule that will help the same DNS answer the queries of all users of the subnets mentioned in the datagroup and reject others who come with a recursive query. But at the same time the DNS will serve the authoritative answers for the zones hosted there (RD=0). Can it be possible? Thanks
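As an added illustration (not code from this thread, from F5, or from the BIG-IP itself), the following Python model reproduces the decision logic of Kai's reconstructed iRule, shows that RD=0 queries for hosted zones already pass through unfiltered because everything is gated on rd == 1, and demonstrates why a plain ends_with match blocks genuine names unless it is anchored at a label boundary. The datagroup contents, IP ranges and blacklist entries are constructed sample data.

```python
import ipaddress

# Constructed sample data standing in for the two BIG-IP datagroups named in the thread.
ADMIN_DATAGROUP = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]      # ISP subscriber ranges
BLACKLIST_CLASS = ["malware.example", "phish.example"]           # blocked zones
BLACKLIST_REPLY_IPV4 = "10.10.10.10"                             # static::blacklist_reply_IPV4
BLACKLIST_TTL = 100                                              # static::blacklist_ttl


def in_admin_datagroup(client_ip):
    """Equivalent of [class match [IP::client_addr] eq "admin_datagroup"]."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_DATAGROUP)


def blacklist_match(qname, mode="equals"):
    """Match the lower-cased question name against the blacklist.

    equals          - exact match, as in the reconstructed iRule
    ends_with_naive - plain suffix test: 'notmalware.example' wrongly matches 'malware.example'
    ends_with       - suffix test anchored at a label boundary, so only the zone and its
                      subdomains match (same effect as datagroup entries with a leading dot)
    """
    name = qname.lower().rstrip(".")
    for entry in BLACKLIST_CLASS:
        if mode == "equals" and name == entry:
            return True
        if mode == "ends_with_naive" and name.endswith(entry):
            return True
        if mode == "ends_with" and (name == entry or name.endswith("." + entry)):
            return True
    return False


def decide(client_ip, qname, qtype, rd, mode="equals"):
    """Return (action, synthetic_answer) for one query, following the thread's logic."""
    if rd == 0:
        # RD=0: authoritative lookup for a hosted zone; nothing is filtered and the
        # DNS listener answers as usual.
        return ("pass", None)
    if not in_admin_datagroup(client_ip):
        return ("drop", None)          # recursion requested from outside the ISP
    if blacklist_match(qname, mode):
        if qtype == "A":
            answer = f"{qname}. {BLACKLIST_TTL} IN A {BLACKLIST_REPLY_IPV4}"
            return ("answer", answer)  # DNS::answer insert ... ; DNS::return
        return ("reject", None)        # DNS::last_act reject for non-A types
    return ("pass", None)              # subscriber, not blacklisted: resolve normally
```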
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Kai, PFB

when RULE_INIT {
    # Set IPV4 address that is returned for Blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"
    # Set TTL used for all Blacklist replies
    set static::blacklist_ttl "100"
}
when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            DNS::drop
        } elseif { [string tolower [class match $domain_name eq Blacklist_Class]] } {
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}
when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}
Comments on this Answer
Comment made 15-Sep-2016 by Rommel L 1

Hi, as I review the script, where will we define the variable "admin_datagroup"?

Thanks
