irule to block a domain using UCP payload

Question

Hi, we are trying to filter some DNS quueries in our bigIP, but face some problems - running version is 10.1 - only LTM license&nbsp;
that means we can not use DNS irules statements, so we though about using UDP payload features&nbsp;
for that reason we tried the following&nbsp;
when CLIENT_ACCEPTED { set payload [UDP::payload] if {[matchclass $payload contains "google"]} { reject }&nbsp;
}&nbsp;
this is working and it is able to reject DNS queries to google, www.google.com, etc&nbsp;
but if we write down $payload contains "www.google.com"]}&nbsp;
it is not working, neither for google, nor for google.com&nbsp;
we tried to check the payload itself (logging it) and it shows something like blablablawwwgooglecomblablabla, without the dot between google and com&nbsp;
any idea?&nbsp;
we are interested in filtering www.google.com and not google or google.com (this is just an example, URL is different in life system)&nbsp;
thanks a lot in advance&nbsp;

the_bhattman · Answer

I ran into the same issue.  Here is something that might work.
It was taken from 
https://devcentral.f5.com/wiki/iRules.fast_DNS.ashx
when CLIENT_ACCEPTED {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
     set dname [string tolower [getfield $dname \x00 1 ] ]
    switch -glob $dname {
       "\x03www\x06google\x03com" {
          log local0. "This matches www.google.com"
          drop
       }
   }   
}

I hope this helps
-=Bhattman=-

Forum Discussion

irule to block a domain using UCP payload

1 Reply

Recent Discussions

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

Related Content

Help with tcp/http payload irule

irule reject request when payload field is null

Enriching AFM with public domain Threat Intelligence

Large payload post requests aren't responding

domain blocking