Forum Discussion

JWhitesPro_1928
Jun 21, 2016
Solved

DNS Whitelist Responses

Does anyone know if an iRule already exists that accomplishes the following:

1. DNS request comes in from the client.
2. If the request matches an entry in a datagroup table, the request is allowed to process and is NOT modified.
3. If the requested name does not exist in the datagroup table, the request is dropped.

The objective here is to not have to stand up a new DNS server and be able to give certain clients access to only the dynamic DNS entries they require to function (like, say, looking up the IP for that SCOM or SCCM server).

I've found one that I may be able to modify but just wasn't sure if anyone knew if something like that already existed.

(I was thinking this one may be able to be modified to achieve this: https://devcentral.f5.com/wiki/iRules.Pinhole-Pinpoint-DNS.ashx)

    when DNS_REQUEST {
        if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
            reject
        }
    }

12 Replies

  • Vernon_97235
    Historic F5 Account

    when CLIENT_ACCEPTED {
        # Connections from addresses listed in dg-allowed-clients are rejected here
        if { [class match [IP::client_addr] equals "dg-allowed-clients"] } {
            reject
        }
    }

    applied to any DNS listeners. It must be a rule created in the ltm space. This can be done even if LTM is not provisioned.

    • JWhitesPro_1928
      Thank you. I think I made my question unclear. What I am really trying to do is look up the actual requested DNS record in the table: if it exists as a record I want to allow a response for, then we allow the request to process; otherwise we just drop the request.
  • Vernon_97235
    Historic F5 Account

    when DNS_REQUEST {
        # Queries whose lower-cased name is listed in dg-allowed-dns-queries are rejected here
        if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-queries"] } {
            reject
        }
    }
    • JWhitesPro_1928
      I came up with something similar while testing. The above that you posted would reject anything in the list, correct?

      when DNS_REQUEST {
          if { [class match [string tolower [DNS::question name]] equals "dg-allowed-dns-requests"] } {
              pool dns_servers
              log local0. "DNS Request is: [DNS::question name]"
          } else {
              discard
              log local0. "No request match: [DNS::question name]"
          }
      }

      Set your DNS profile to not use anything (GSLB etc.) and create the datagroup with only the string (no value required).
    • Vijay_E
      The iRule provided by Vernon rejects DNS queries matching any entry in the data-group "dg-allowed-dns-queries". Your iRule seems to send traffic to a pool if the query matches the data-group "dg-allowed-dns-queries" and rejects the non-matching queries.
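Putting the two halves of the thread together (client check in CLIENT_ACCEPTED, query-name check in DNS_REQUEST) with the allow-list direction Vijay_E points out, here is an added example iRule that is not from any poster in this thread. It assumes an address data group named dg-allowed-clients, a string data group named dg-allowed-dns-queries, and a pool named dns_servers on an LTM DNS listener; anything not on both lists is dropped and logged.

```tcl
# Added example allow-list iRule (not from the thread). Assumed objects:
#   dg-allowed-clients      address data group of permitted client IPs
#   dg-allowed-dns-queries  string data group of permitted query names
#   dns_servers             pool the allowed queries are forwarded to
when CLIENT_ACCEPTED {
    # Decide once per connection (UDP or TCP); DNS_REQUEST reuses the result.
    # Addresses IN the data group are the ones allowed through.
    if { [class match [IP::client_addr] equals dg-allowed-clients] } {
        set client_allowed 1
    } else {
        set client_allowed 0
        log local0. "DNS client not on allow list: [IP::client_addr]"
    }
}

when DNS_REQUEST {
    # Drop every query from a client that failed the address check.
    if { !$client_allowed } {
        DNS::drop
        return
    }
    # Normalise the QNAME before the lookup: lower-case and, in case the
    # name arrives with a trailing dot, strip it so it matches the stored string.
    set qname [string trimright [string tolower [DNS::question name]] "."]
    if { [class match $qname equals dg-allowed-dns-queries] } {
        log local0. "Allowed DNS query: $qname from [IP::client_addr]"
        pool dns_servers
    } else {
        # Name not on the allow list: drop it silently (no NXDOMAIN leaks back)
        log local0. "Dropped DNS query not on allow list: $qname from [IP::client_addr]"
        DNS::drop
    }
}
```

Because the query-name data group holds exact names, a record such as scom.corp.example must be listed as written (no value is needed); a wildcard or suffix match would need `ends_with` instead of `equals`.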