Need to avoid DNS recursion for External user


This topic contains 1 reply, has 2 voices, and was last updated by jserrano 3 months ago.

#12282

    I have a Thunder 3030S and configured DNS load balancing, but I am facing an issue: the VIP is NATed with a public IP for external users. For internal users it is working fine, but we need to avoid recursion for external users. External users should only be allowed their own domain (example: snskies.com).
    Need a quick response.

    #12472
    jserrano
    Member

    Hi,
    There are several ways to achieve this:

    1) You can split the DNS service into external and internal users; on the external VIP you can create an aFleX to discard any recursive DNS request:

    when DNS_REQUEST {
      # drop any query that has the Recursion Desired (RD) bit set
      if { [DNS::header rd] } {
        drop
      }
    }

    2) Another alternative is to allow only certain domains contained within a class-list:

    when DNS_REQUEST {
      # drop queries whose question name does not end with a whitelisted domain
      if { !([CLASS::match [DNS::question name] ends_with DNS-whitelist]) } {
        drop
      }
    }

    *Class-list needs to be defined beforehand as follows:

    class-list DNS-whitelist dns
    dns ends-with snskies.com
    dns ends-with blahblah.com
    !

    3) If, for some reason, you prefer to keep the internal and external service on a single VIP, then you can use an IP class-list containing the internal networks and an aFleX like the following; this will cost more CPU resources, though:

    when DNS_REQUEST {
      # drop recursive queries only when the client is not in an internal network
      if { !([CLASS::match [IP::client_addr] internal_networks]) && [DNS::header rd] } {
        drop
      }
    }

    *Class-list needs to be defined beforehand as follows:

    class-list internal_networks ipv4
    172.16.0.0/16
    192.168.1.0/24
    10.0.0.0/8
    !
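The three aFleX policies above can be checked offline without a Thunder box. The following Python script is an added example, not code from the thread or from A10; it parses the DNS header and question section of a constructed query, reads the RD bit, and applies each of jserrano's three decisions (drop recursive queries, allow only whitelisted domains, allow recursion only from internal networks). The domain names and networks are copied from the answer's class-lists; the packets, client addresses and the label-aware suffix matcher are assumptions made for the example, and the matcher may be stricter than the device's own ends-with semantics.

```python
import ipaddress
import struct

# Mirrors the thread's DNS-whitelist class-list (names taken from the answer).
DNS_WHITELIST = ("snskies.com", "blahblah.com")
# Mirrors the thread's internal_networks class-list.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("172.16.0.0/16", "192.168.1.0/24", "10.0.0.0/8")]

# Recursion Desired bit in the DNS header flags word (RFC 1035, section 4.1.1).
RD_FLAG = 0x0100


def build_query(qname, rd=True, txid=0x1234):
    """Construct a minimal DNS query for an A record (sample input only)."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_query(packet):
    """Return the transaction id, RD flag and lowercased question name."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated question name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return {"id": txid, "rd": bool(flags & RD_FLAG), "qname": ".".join(labels).lower()}


def name_matches(qname, suffix):
    """Label-aware suffix match: 'www.snskies.com' matches 'snskies.com', 'evilsnskies.com' does not."""
    qname, suffix = qname.lower().rstrip("."), suffix.lower().rstrip(".")
    return qname == suffix or qname.endswith("." + suffix)


def policy_drop_recursive(packet):
    """Option 1: the external VIP refuses every query with RD set."""
    return "drop" if parse_query(packet)["rd"] else "allow"


def policy_whitelist_only(packet, whitelist=DNS_WHITELIST):
    """Option 2: answer only for names under the whitelisted domains."""
    qname = parse_query(packet)["qname"]
    return "allow" if any(name_matches(qname, s) for s in whitelist) else "drop"


def policy_shared_vip(packet, client_ip, networks=INTERNAL_NETWORKS):
    """Option 3: one VIP; internal clients may recurse, external clients may not."""
    addr = ipaddress.ip_address(client_ip)
    internal = any(addr in n for n in networks)
    if not internal and parse_query(packet)["rd"]:
        return "drop"
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic: external client 203.0.113.5, internal client 192.168.1.10.
    for qname, rd, client in (("www.snskies.com", True, "203.0.113.5"),
                              ("www.example.com", True, "203.0.113.5"),
                              ("www.example.com", True, "192.168.1.10"),
                              ("evilsnskies.com", False, "203.0.113.5")):
        pkt = build_query(qname, rd=rd)
        print(f"{qname:18} rd={rd!s:5} client={client:13} "
              f"opt1={policy_drop_recursive(pkt)} "
              f"opt2={policy_whitelist_only(pkt)} "
              f"opt3={policy_shared_vip(pkt, client)}")
```

Note that option 1 and option 3 only act on the RD bit; a query for a whitelisted zone that happens to have RD set (most stub resolvers set it) is dropped on the external VIP too, so option 2 is the one that actually answers for snskies.com from outside while refusing everything else. The matcher here checks on a label boundary so that a lookalike such as evilsnskies.com does not slip through; verify on the device whether its ends-with class-list match behaves the same way.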
