Need to avoid DNS recursion for External user

I have a Thunder 3030S and have configured DNS load balancing, but I'm facing an issue: the VIP is NATed to a public IP for external users. For internal users it's working fine, but we need to avoid recursion for external users. External users should only be allowed their own domain (example: snskies.com).
Need a quick response.

Comments

    jserrano, Member ✭✭
    edited August 2017
    Hi,
    There are several ways to achieve this:

    1) You can split the DNS service into external and internal VIPs. On the external VIP you can create an aFleX to discard any recursive DNS request:

    when DNS_REQUEST {
      # drop any query that has the RD (recursion desired) bit set
      if { [DNS::header rd] } {
        drop
      }
    }

    2) Another alternative is to only allow certain domains contained in a class-list:

    when DNS_REQUEST {
      # drop the query unless the question name ends with a whitelisted domain
      if { !([CLASS::match [DNS::question name] ends_with DNS-whitelist]) } {
        drop
      }
    }

    *The class-list needs to be defined beforehand as follows:

    class-list DNS-whitelist dns
    dns ends-with snskies.com
    dns ends-with blahblah.com
    !

    3) If, for some reason, you prefer to keep the internal and external service on a single VIP, then you can use an IP class-list containing the internal networks and an aFleX like this... this will cost more CPU resources though:

    when DNS_REQUEST {
      # drop recursive queries unless the client address is in the internal class-list
      if { ![CLASS::match [IP::client_addr] equals internal_networks] && [DNS::header rd] } {
        drop
      }
    }

    *The class-list needs to be defined beforehand as follows:
    class-list internal_networks ipv4
    172.16.0.0/16
    192.168.1.0/24
    10.0.0.0/8
    !
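To check what each of the three aFleX variants above would do to a given query before putting one on the external VIP, here is an added Python model (not the poster's code and not A10's): it parses a raw DNS query for the RD bit and the question name and applies the same three decisions. The whitelist and internal networks are the constructed values from the answer; client addresses used in testing are placeholders.

```python
import ipaddress
import struct

# Constructed sample policy data, mirroring the class-lists in the answer.
WHITELIST = ("snskies.com", "blahblah.com")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("172.16.0.0/16", "192.168.1.0/24", "10.0.0.0/8")]

def build_query(qname, rd=True, qid=0x1234):
    """Build a minimal DNS A/IN query in RFC 1035 wire format (test input only)."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_query(pkt):
    """Return (rd_flag, question_name) from the header and the first question."""
    _qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        n = pkt[pos]
        if n == 0:
            break
        if n & 0xC0:  # a plain query name never uses compression pointers
            raise ValueError("unexpected compression pointer in question name")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return bool(flags & 0x0100), ".".join(labels).lower()

def decide(pkt, client_ip, policy):
    """Mirror the three aFleX variants: return 'drop' or 'allow'."""
    rd, qname = parse_query(pkt)
    if policy == 1:  # external VIP: refuse anything that asks for recursion
        return "drop" if rd else "allow"
    if policy == 2:  # external VIP: only names under the whitelisted domains
        ok = any(qname == d or qname.endswith("." + d) for d in WHITELIST)
        return "allow" if ok else "drop"
    if policy == 3:  # shared VIP: recursion only from internal networks
        internal = any(ipaddress.ip_address(client_ip) in n for n in INTERNAL_NETS)
        return "drop" if (rd and not internal) else "allow"
    raise ValueError("unknown policy")
```

Note that the whitelist check here anchors on a label boundary, so a name like notsnskies.com is dropped, whereas a plain string ends-with match would accept it; confirm how the platform's ends-with class-list behaves before relying on it for the external VIP.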