Forum Discussion

dearsanky
Feb 28, 2016

DNS Recursion Desire restriction and Blacklist

Hi, I am writing an iRule to insert an answer for blacklisted domains, restrict queries based on source (defined in a datagroup), and answer all queries from everyone coming for an authoritative answer. I need help verifying this with regard to performance on the BIG-IP appliance. The iRule is as below. Can anyone suggest improvements to the iRule below?

when RULE_INIT {
    # Set IPv4 address that is returned for blacklist matches for A records
    set static::blacklist_reply_IPV4 "10.10.10.10"

    # Set TTL used for all blacklist replies
    set static::blacklist_ttl "100"
}

when DNS_REQUEST {
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]

    # Only recursive queries (RD bit set) are subject to the source and blacklist
    # checks; queries for authoritative answers pass through untouched.
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            # Recursion is only allowed for sources listed in admin_datagroup
            DNS::drop
        } elseif { [class match [string tolower $domain_name] eq Blacklist_Class] } {
            # Lower-case the queried name before the datagroup lookup
            set Blacklist_Match 1
            log local0. "request allowed from $domain_name"
            DNS::return
        }
    }
}

when DNS_RESPONSE {
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                # Replace any returned records with the blacklist reply address
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                DNS::header ra "1"
            }
            default {
                DNS::last_act reject
            }
        }
    }
}


12 Replies