hi, , we are trying to filter some DNS quueries in our bigIP, but face some problems - running version is 10.1 - only LTM license that means we can not use DNS irules statements, so we though about using UDP payload features for that reason we tried the following when CLIENT_ACCEPTED { set payload [UDP::payload] if {[matchclass $payload contains "google"]} { reject } } this is working and it is able to reject DNS queries to google, www.google.com, etc but if we write down $payload contains "www.google.com"]} it is not working, neither for google, nor for google.com we tried to check the payload itself (logging it) and it shows something like blablablawwwgooglecomblablabla, without the dot between google and com any idea? we are interested in filtering www.google.com and not google or google.com (this is just an example, URL is different in life system) thanks a lot in advance

I dont know, but maybe some clues in this example: https://clouddocs.f5.com/api/irules/fast_DNS_2.html

Hi Mohamed, Generally, "matchclass" is deprecated I believe for 10 and 11.x. It would be class match, but that is specific to datagroups. You are not using datagroups correct? So your statement "matchclass $payload contains "google" wouldnt really make sense, that just looks like a standard string "if" statement with no datagroup. Secondly, the CLIENT_ACCEPTED event is only the beginning of the layer 4 session. If you want to process the actual data of the layer 4 session and since this is UDP versus TCP/HTTP you would probably want to use the CLIENT_DATA event to try to process and string match the UDP payload data. There may be some portion of the data available to parse in CLIENT_ACCEPTED but you should really process the data portion of the payload in the CLIENT_DATA event unless someone knows better or there is an exception with UDP versus TCP/HTTP

just for reference. if we write down $payload contains "www.google.com"]} it is not working, neither for google, nor for google.com we tried to check the payload itself (logging it) and it shows something like blablablawwwgooglecomblablabla, without the dot between google and com any idea? QNAME is the name the query is about. The format is one octet indicating the length of a label, followed by the label, terminated by a label with 0 length. how can i decipher dns messages? http://stackoverflow.com/questions/13372860/how-can-i-decipher-dns-messages

Good reference. It's a shame that this was necessary when DNS license could make this easier. -=Bhattman=-

DNS domain blocking using UDP payload

nitass

Employee

Jul 08, 2014

are you using double back slashes in data group?

this is mine.

 config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:53
    ip-protocol udp
    mask 255.255.255.255
    pool foo
    profiles {
        udp_gtm_dns { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 58
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED  {
  binary scan [UDP::payload] H4@12A*@12H* id dname question
  set dname [string tolower [getfield $dname \x00 1]]
  if {[class match -- $dname contains blackhole_domain]} {
    log local0. "drop"
    drop
    return
  }
  log local0. "not drop"
}
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal blackhole_domain
ltm data-group internal blackhole_domain {
    records {
        \\x08doohotok\\x03com { }
    }
    type string
}

 trace

[root@ve11a:Active:In Sync] tmp  tcpdump -nni 0.0 -s0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:38:00.143874 IP 172.28.24.1.44967 > 172.28.24.10.53:  62524+ A? cmz.www.doohotok.com. (38) in slot1/tmm0 lis=

 /var/log/ltm

[root@ve11a:Active:In Sync] tmp  cat /var/log/ltm
Jul  8 07:38:00 ve11a info tmm[29362]: Rule /Common/qux : drop

Mike_72892
Nimbostratus
Jul 08, 2014
Yes, it looks the same in mine as well: `\\x08doohotok\\x03com { }` `ltm virtual bar { destination x.x.x.x:53 ip-protocol udp mask 255.255.255.255 pool DNS_pool profiles { /Common/udp_gtm_dns { } } rules { /Common/bad_dns_users } ... }`
nitass
Employee
Jul 08, 2014
can you add logging for client ip ([IP::client_addr]), client port ([UDP::client_port]) and dname ($dname) in the irule? so, we can map packet in tcpdump and log.

nitass_89166

Noctilucent

Jul 08, 2014

are you using double back slashes in data group?

this is mine.

 config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:53
    ip-protocol udp
    mask 255.255.255.255
    pool foo
    profiles {
        udp_gtm_dns { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 58
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED  {
  binary scan [UDP::payload] H4@12A*@12H* id dname question
  set dname [string tolower [getfield $dname \x00 1]]
  if {[class match -- $dname contains blackhole_domain]} {
    log local0. "drop"
    drop
    return
  }
  log local0. "not drop"
}
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal blackhole_domain
ltm data-group internal blackhole_domain {
    records {
        \\x08doohotok\\x03com { }
    }
    type string
}

 trace

[root@ve11a:Active:In Sync] tmp  tcpdump -nni 0.0 -s0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:38:00.143874 IP 172.28.24.1.44967 > 172.28.24.10.53:  62524+ A? cmz.www.doohotok.com. (38) in slot1/tmm0 lis=

 /var/log/ltm

[root@ve11a:Active:In Sync] tmp  cat /var/log/ltm
Jul  8 07:38:00 ve11a info tmm[29362]: Rule /Common/qux : drop

Mike_72892
Nimbostratus
Jul 08, 2014
Yes, it looks the same in mine as well: `\\x08doohotok\\x03com { }` `ltm virtual bar { destination x.x.x.x:53 ip-protocol udp mask 255.255.255.255 pool DNS_pool profiles { /Common/udp_gtm_dns { } } rules { /Common/bad_dns_users } ... }`
nitass_89166
Noctilucent
Jul 08, 2014
can you add logging for client ip ([IP::client_addr]), client port ([UDP::client_port]) and dname ($dname) in the irule? so, we can map packet in tcpdump and log.

Mike_72892
Nimbostratus
Jul 21, 2014
I just wanted to post an update. There was a configuration issue relating to having an SNAT with the same IP as the VS. If the query response took longer than the timeout, a SNAT session would be created in the PVA and further packets from the client never fired the iRule. Thanks for all of your help!
The_Bhattman
Nimbostratus
Jul 21, 2014
Thanks for the follow up.

-=Bhattman=-

Forum Discussion

DNS domain blocking using UDP payload

Recent Discussions

HIGHLY RECOMMENDED LOST CRYPTOCURRENCY RECOVERY SERVICE/ DIGITAL TECH GUARD RECOEVRY

Help with an I-rule rewrite

When adding new GTM(DNS) to the existing group, if software version is not same, what will happen?

Keep encoding when request is handled by irule

Application drop down menus does not work behind F5 APM Portal Access

Related Content

domain blocking

Enriching AFM with public domain Threat Intelligence

Blocking domains

Block IP after a number of ASM Blocks

Block traffic