dnsbl rule

Does anyone know if it is possible to apply an aflex rule to MX VIP and query a dns server and look for a specific response prior to allowing the traffic?

F5 has a function that does this in irules.

Bill

Comments

  • edited February 2014
    Hi Lewiswil,
    Looking at the documentation for aFlex in 2.7.0, I can see both DNS Response and DNS Request events. You can use DNS::type to check for MX and, I think, DNS::answer to look for the data you want.

    See below

    DNS_REQUEST
    Triggered when the DNS request packet arrives.

    Example:
    when DNS_REQUEST {
        set len [DNS::len]
        log "dns query pkt len = $len"
    }

    Related Information

    Available Commands:
    DNS::len, DNS::header, DNS::question, DNS::rr,
    DNS::answer, DNS::authority, DNS::additional,
    DNS::name, DNS::type, DNS::class, DNS::ttl,
    DNS::rdata, DNS::return, DNS::query

    DNS_RESPONSE

    Triggered when the DNS reply packet arrives.

    Example:
    when DNS_RESPONSE {
        set len [DNS::len]
        log "dns query pkt len = $len"
    }

    Related Information
    Available Commands:
    DNS::len, DNS::header, DNS::question, DNS::rr,
    DNS::answer, DNS::authority, DNS::additional,
    DNS::name, DNS::type, DNS::class, DNS::ttl,
    DNS::rdata, DNS::return, DNS::query


    Thanks
    Michael.
  • edited February 2014
    I guess my question is: can something be applied that says, when an MX (port 25) packet comes in, initiate a call to a DNS server and query for the source address? If the response is in the range of 127.0.0.[1-6], block the MX connection. I think I can handle the response, but I am having trouble figuring out how to initiate the DNS_REQUEST when the MX session begins.

    Thanks,
    Bill
  • edited February 2014
    Hi Bill,
    Since your goal is to block the connection, all I think you will need is something like the below.

    when DNS_RESPONSE {
        # Drop when the DNS answer carries a 127.0.0.1-6 return code
        if { [DNS::answer end_with "MX 127.0.0.\[1-6\]"] } {
            drop
        }
    }

    Thanks
    Michael.
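
Added example, not part of the original thread and not aFleX code: the decision Bill describes above (look up the connecting source address in a DNSBL and drop the port 25 connection when the answer is in 127.0.0.1 to 127.0.0.6), written in Python so the logic can be run offline. It assumes the usual DNSBL query format of reversed IPv4 octets prepended to the list's zone (RFC 5782); the zone `dnsbl.example`, the `resolve` callback and the sample records are constructed for illustration.

```python
import ipaddress

ZONE = "dnsbl.example"  # assumption: placeholder zone, not from the thread
LISTED_LOW = ipaddress.IPv4Address("127.0.0.1")
LISTED_HIGH = ipaddress.IPv4Address("127.0.0.6")


def dnsbl_query_name(client_ip, zone=ZONE):
    """Build the DNSBL lookup name: reversed IPv4 octets + zone (RFC 5782)."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(a_records):
    """True if any returned A record falls in 127.0.0.1 - 127.0.0.6."""
    for value in a_records:
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            continue  # ignore malformed answers instead of blocking on them
        if LISTED_LOW <= addr <= LISTED_HIGH:
            return True
    return False


def smtp_verdict(client_ip, resolve, fail_open=True):
    """Return 'drop' or 'allow' for a new port-25 connection.

    resolve(name) is a caller-supplied (hypothetical) function returning a list
    of A-record strings, [] for NXDOMAIN, or raising OSError on lookup failure.
    """
    try:
        answers = resolve(dnsbl_query_name(client_ip))
    except OSError:
        return "allow" if fail_open else "drop"
    return "drop" if is_listed(answers) else "allow"


# Constructed sample data standing in for a DNS server (documentation IPs).
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],   # listed
    "20.2.0.192.dnsbl.example": ["127.0.0.10"],  # answer outside the block range
}


def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])  # missing name == NXDOMAIN
```

The `fail_open` switch makes the resolver-failure case explicit: with the default, a DNS timeout lets mail through, and with `fail_open=False` an unreachable DNS server blocks all inbound SMTP.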