Forum Discussion

Thomas_Leroy
Mar 16, 2018

Block URL iRule

Hi,

I am trying to block URLs based on the DNS request:

when DNS_REQUEST {
    if { [class match [DNS::question name] contains "URL_blocking"] } {
        log local0. "website blocked [DNS::question name]"
        DNS::header rcode NXDOMAIN
        DNS::return
    }
}

If I define le.com and *.le.com:

Query le.com -> returns back NXDOMAIN

Query -> returns back NXDOMAIN

Query google.com -> returns back NXDOMAIN

My question is: can I use wildcards in the data group? Is there a better way to achieve this?

Thanks for your help

4 Replies

  • oguzy

    Hi Thomas,

    According to the answers to a similar question at the following link, iRule Data Group with string and regex, it is not possible to use regex or wildcards in a data group object. However, I cannot find any formal explanation of it.

  • As it is DNS we are talking about, how about you only store the domain in the datagroup and replace the "contains" operator with "ends_with" in your iRule? I think this will achieve what you want, right? So in the datagroup you only store the core domain you are after, e.g. ".google.com"; this will match "; "play.google.com", "docs.google.com", etc., because they all end with ".google.com"!

    Your current solution with "contains" will also kind of work... however "contains" means found anywhere within the string, so it will match "; while "ends_with" is what you probably want with DNS.

  • For those interested, this is the best solution I found:

    when DNS_REQUEST {
        # DNS names are case-insensitive, so normalise before comparing
        set lower [string tolower [DNS::question name]]
        # Split the name into labels and keep the one before the TLD
        # (e.g. "le" from "www.le.com")
        set q_name_label_split [split $lower "."]
        set q_name_label [lindex $q_name_label_split end-1]

        if { [class match $q_name_label equals "URL_blocking"] } {
            log local0. "website blocked [DNS::question name] <$q_name_label> $q_name_label $lower"
            DNS::header rcode NXDOMAIN
            DNS::return
        }
    }

    I split the request and get the domain to compare against my list.
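The three matching strategies discussed in this thread (the original "contains" rule, the "ends_with" suggestion, and the label-split solution above) behave differently on the same blocklist, and the differences explain the results in the original post. The following is an added Python model of those semantics; it is not F5 iRule code and does not come from any poster. The data-group contents and query names are constructed. The `class match ... contains` operator is true when the queried name contains a data-group key, so "google.com" matches the key "le.com" (it ends in the substring "le.com"), which is why the original rule returned NXDOMAIN for it. An "ends_with" key with a leading dot avoids that, but then the apex name "le.com" no longer matches unless it is listed separately; the label-split approach handles both, but compares only the label before the last one, so names under multi-part suffixes such as "le.co.uk" yield "co" and are not matched.

```python
# Added example: a Python model of the data-group matching semantics discussed
# in the thread (not F5 iRule code). Data groups and queries are constructed.

def normalise(qname: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and lower-case."""
    return qname.lower().rstrip(".")


def match_contains(qname: str, keys) -> bool:
    """Original rule: blocked if any data-group key is a substring of the name.
    A "*" in a key is a literal character here, just as in a data group."""
    q = normalise(qname)
    return any(k in q for k in keys)


def match_ends_with(qname: str, keys) -> bool:
    """Suggested rule: blocked if the name ends with any data-group key."""
    q = normalise(qname)
    return any(q.endswith(k) for k in keys)


def match_second_label(qname: str, keys) -> bool:
    """Final solution: compare only the label before the last one
    (Tcl: [lindex [split $lower "."] end-1]). Out-of-range yields ""."""
    labels = normalise(qname).split(".")
    second = labels[-2] if len(labels) >= 2 else ""
    return second in set(keys)


def evaluate(qname: str, contains_keys, ends_keys, label_keys) -> dict:
    """Run one query through all three strategies and return the verdicts."""
    return {
        "contains": match_contains(qname, contains_keys),
        "ends_with": match_ends_with(qname, ends_keys),
        "label": match_second_label(qname, label_keys),
    }


# Constructed stand-ins for the "URL_blocking" data group in each style.
CONTAINS_KEYS = ["le.com", "*.le.com"]   # as posted; "*" is not a wildcard
ENDS_WITH_KEYS = [".le.com"]             # leading dot, as oguzy suggested
LABEL_KEYS = ["le"]                      # second-level label only

# Constructed queries, including the ones from the original post.
QUERIES = ["le.com", "www.le.com", "google.com", "LE.COM.", "le.co.uk"]


def run_all() -> dict:
    """Evaluate every constructed query; keyed by the query name as given."""
    return {q: evaluate(q, CONTAINS_KEYS, ENDS_WITH_KEYS, LABEL_KEYS)
            for q in QUERIES}


if __name__ == "__main__":
    for q, r in run_all().items():
        print(f"{q:12} contains={r['contains']!s:5} "
              f"ends_with={r['ends_with']!s:5} label={r['label']}")
```

Running it shows "google.com" blocked only by the "contains" strategy, the apex "le.com" missed only by "ends_with", and "le.co.uk" missed by all three, which is the case to keep in mind if the blocklist must cover names under multi-part public suffixes.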