dnsbl rule

Does anyone know if it is possible to apply an aFlex rule to an MX VIP and query a DNS server, looking for a specific response, prior to allowing the traffic?

F5 has a function that does this in iRules.

Bill

Hi Lewiswil,
Looking at the doco for aFlex in 2.7.0 I can see both DNS Response and DNS Request events. You can use DNS::type to check for MX and I think DNS::answer to look for the data you want.

See below:

DNS_REQUEST
Triggered when the DNS request packet arrives.

Example:

when DNS_REQUEST {
    # DNS::len returns the length of the request packet
    set len [DNS::len]
    log "dns query pkt len = $len"
}
Related Information

Available Commands:
DNS::len, DNS::header, DNS::question, DNS::rr,
DNS::answer, DNS::authority, DNS::additional,
DNS::name, DNS::type, DNS::class, DNS::ttl,
DNS::rdata, DNS::return, DNS::query

DNS_RESPONSE

Triggered when the DNS reply packet arrives.

Example:

when DNS_RESPONSE {
    # DNS::len returns the length of the reply packet
    set len [DNS::len]
    log "dns reply pkt len = $len"
}
Related Information
Available Commands:
DNS::len, DNS::header, DNS::question, DNS::rr,
DNS::answer, DNS::authority, DNS::additional,
DNS::name, DNS::type, DNS::class, DNS::ttl,
DNS::rdata, DNS::return, DNS::query

Thanks
Michael.

I guess my question is: can something be applied that says, when an MX (port 25) packet comes in, initiate a call to a DNS server and query for the source address? If the response is in the range 127.0.0.[1-6], block the MX connection. I think I can handle the response, but I am having trouble figuring out how to initiate the DNS_REQUEST when the MX session begins.

Thanks,
Bill

Hi Bill,
Since your goal is to block the connection, all I think you will need is something like the below.

when DNS_RESPONSE {
    # Glob match on the answer section: a listing code of 127.0.0.1 .. 127.0.0.6
    # anywhere in the reply means the source is on the blocklist, so drop it.
    if { [string match {*127.0.0.[1-6]*} [DNS::answer]] } {
        drop
    }
}
Thanks
Michael.
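The logic Bill describes (reverse the client's octets, look them up under a DNSBL zone, block on a 127.0.0.[1-6] answer) and the drop decision in Michael's reply, written out as an added example in Python rather than aFlex, so the pieces can be tested on their own. This is not code from the thread or from A10. The zone name dnsbl.example.invalid is a placeholder, the resolver is a constructed in-memory table so the script runs offline, and the fail-open choice on a resolver failure is an assumption, not something the thread prescribes.

```python
"""DNSBL check for an inbound SMTP (MX) connection.

Added illustration of the thread's logic. The resolver is a constructed
table so the example runs offline; in production the lookup would be a
real DNS A query against the provider's DNSBL zone.
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Placeholder DNSBL zone (assumption; substitute the provider's real zone).
DNSBL_ZONE = "dnsbl.example.invalid"

# Listing codes that block the MX connection: 127.0.0.1 .. 127.0.0.6, the
# range named in the thread. Most DNSBLs answer with an A record inside
# 127.0.0.0/8 when an address is listed and NXDOMAIN when it is not.
BLOCK_CODES = {ipaddress.IPv4Address(f"127.0.0.{n}") for n in range(1, 7)}

# Sources that can never be listed and should never be sent to a DNSBL:
# querying them leaks internal topology to the provider for no benefit.
NO_LOOKUP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# name -> list of A records ([] for NXDOMAIN), or None on timeout/SERVFAIL
Resolver = Callable[[str], Optional[list]]


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone.
    192.0.2.10 -> 10.2.0.192.dnsbl.example.invalid"""
    ip = ipaddress.IPv4Address(client_ip)        # raises ValueError on junk
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def listing_codes(answers: Iterable[str]) -> set:
    """Return the answers that fall inside the blocking range.
    Anything that is not a 127.0.0.[1-6] address is ignored: it is either
    a non-blocking listing code or a provider error sentinel."""
    hits = set()
    for a in answers:
        try:
            addr = ipaddress.IPv4Address(a)
        except ValueError:
            continue
        if addr in BLOCK_CODES:
            hits.add(addr)
    return hits


def smtp_policy(client_ip: str, resolve: Resolver, zone: str = DNSBL_ZONE) -> str:
    """Decide 'allow' or 'drop' for a new SMTP connection from client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in NO_LOOKUP):
        return "allow"
    answers = resolve(dnsbl_query_name(client_ip, zone))
    if answers is None:
        # Resolver timeout or SERVFAIL: fail open (assumption). A dead DNSBL
        # should not become a mail outage; log it and let the session through.
        return "allow"
    return "drop" if listing_codes(answers) else "allow"


# Constructed DNSBL zone contents for the offline demo.
FAKE_ZONE = {
    "10.2.0.192." + DNSBL_ZONE: ["127.0.0.2"],    # listed with a blocking code
    "20.2.0.192." + DNSBL_ZONE: ["127.0.0.10"],   # listed, but outside 1..6
    "9.113.0.203." + DNSBL_ZONE: None,            # simulated lookup failure
}


def fake_resolve(name: str) -> Optional[list]:
    """Stand-in for a DNS A lookup; unknown names behave like NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.9", "10.0.0.5"):
        print(f"{src:>14} -> {smtp_policy(src, fake_resolve)}")
```

Only 192.0.2.10 is dropped: 192.0.2.20 carries a listing code outside the 1..6 range, 198.51.100.7 is not listed at all, the 203.0.113.9 lookup fails and falls open, and 10.0.0.5 is never queried. Whatever range of codes you decide to block on, keep it explicit as BLOCK_CODES is here; matching on the bare 127.0.0.0/8 prefix would also catch the provider's own test and error codes.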