
ak13_248542
Nov 22, 2017

Block all dns record and allow only A record irule

Hi,


I'm trying to configure an iRule to accept only A record queries and reject all other DNS queries in GTM, but the iRule below gives me an error.


Please suggest anything if I'm missing something here.


    when DNS_REQUEST {
        foreach rr $rrs {
            if { [DNS::type $rr] not equals "A" } {
                DNS::drop
            }
        }
    }


6 Replies

  • JG
    when DNS_REQUEST {
        switch [string toupper [DNS::question type]] {    
            "A" {
                    return
            }
            default {
                reject
            }
        }
    }
    

    Not much different from yours, but I'd use "switch" to make it easier for future modification, and "reject" to stop the client from resending packets.

    And does your DNS server actually support multiple queries in one packet?

    [Edit] Added missing closing brace.
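To make the decision in the reply above concrete outside of a BIG-IP, here is an added example (not code from the thread or from F5) that parses the question section of a DNS query off the wire and applies the same policy: allow only when the QTYPE is A (1), otherwise drop. It also covers the multi-question case JG raises: a packet whose QDCOUNT is greater than one is only allowed if every question is an A query. All packets are constructed inline with the `build_query` helper; no real traffic is used.

```python
import struct

# DNS QTYPE values from RFC 1035 / RFC 3596 used in this example
QTYPE_A = 1
QTYPE_MX = 15
QTYPE_AAAA = 28


def build_query(questions, txid=0x1234):
    """Build a DNS query packet (constructed test input, not a capture).

    questions: list of (name, qtype) tuples. Flags 0x0100 = standard query, RD set.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, len(questions), 0, 0, 0)
    body = b""
    for name, qtype in questions:
        for label in name.rstrip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", qtype, 1)  # terminator, QTYPE, QCLASS IN
    return header + body


def parse_question_types(packet):
    """Return a list of (name, qtype) for every entry in the question section.

    Raises ValueError on truncated or malformed input so the caller can fail closed.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    offset = 12
    questions = []
    for _ in range(qdcount):
        labels = []
        while True:
            if offset >= len(packet):
                raise ValueError("truncated question name")
            length = packet[offset]
            offset += 1
            if length == 0:
                break
            if length & 0xC0:
                # Compression pointers are not expected in a query's question section
                raise ValueError("compression pointer in question name")
            labels.append(packet[offset:offset + length].decode("ascii"))
            offset += length
        if offset + 4 > len(packet):
            raise ValueError("truncated QTYPE/QCLASS")
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((".".join(labels), qtype))
    return questions


def policy_decision(packet, allowed=frozenset({QTYPE_A})):
    """Mirror of the 'A only' iRule policy: returns 'allow' or 'drop'.

    Fails closed: malformed packets, empty question sections, and any
    question of a non-allowed type all result in 'drop'.
    """
    try:
        questions = parse_question_types(packet)
    except ValueError:
        return "drop"
    if not questions:
        return "drop"
    for _name, qtype in questions:
        if qtype not in allowed:
            return "drop"
    return "allow"


if __name__ == "__main__":
    for label, pkt in [
        ("A query", build_query([("www.example.com", QTYPE_A)])),
        ("MX query", build_query([("example.com", QTYPE_MX)])),
        ("A + AAAA in one packet", build_query([("www.example.com", QTYPE_A),
                                                ("www.example.com", QTYPE_AAAA)])),
    ]:
        print(f"{label}: {policy_decision(pkt)}")
```

The fail-closed handling is the point worth carrying back to the iRule: anything the parser cannot classify as an A query is dropped rather than passed through, and a multi-question packet is treated as a whole rather than by its first question only.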

  • Laudec

    On a side note, the ASM module provides protocol security. If you are able to have the ASM module on the same device, you can create a profile that can allow/disallow certain record types from being queried. It is a good idea to have ASM+GTM to allow for the additional security that is provided through protocol security.


    • ak13_248542

      We have the ASM module. Will check the profile configuration for the same.


  • When deploying GTM, the config guide recommendation is to use a self or floating IP for the listener.

    The goal of this recommendation is to forward non-wide IP requests to the local BIND hosted on the F5 appliance.

    If you don't want these requests to be forwarded to the local BIND, you can create a listener on a different IP. It will create a virtual server. If you don't assign a pool to this listener, all requests not matching a wide IP will be dropped silently.