| By Lori MacVittie | Article Rating: |
|
| January 9, 2012 09:15 AM EST | Reads: |
607 |
Generally speaking, blackhole routing is a problem, not a solution. A route to nowhere is not exactly a good thing, after all. But in some cases it’s an approved and even recommended solution, usually implemented as a means to filter out bad packets at the routing level that might be malformed or are otherwise dangerous to pass around inside the data center.
This technique is also used at the DNS layer as a means to prevent responding to queries with known infected or otherwise malicious sites. Generally speaking, DNS does nothing more than act like a phone book; you ask for an address, it gives it to you. That may have been acceptable through the last decade, but it is increasingly undesirable as it often unwittingly serves as part of the distribution network for malware and other malicious intent.
In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient.
When examining the topology of the network, the black holes themselves are invisible, and can only be detected by monitoring the lost traffic; hence the name.
What we’d like to do is prevent DNS servers from returning addresses for sites which we know – or are at least pretty darn sure – are infected. While we can’t provide such safeguards for everyone (unless you’re the authoritative server for such sites) we can at least better protect the corporate network and users from such sites by ensuring such queries are not answered with the infected addresses.
Such a solution requires the implementation of a DNS blackhole – a filtering of queries at the DNS level. This can be done using F5 iRules to inspect queries against a list of known bad sites and returning an internal address for those that match. What’s cool about using iRules to perform this function is the ability to leverage external lookups to perform the inspection. Sideband connections were introduced in BIG-IP v11 and these connections allow external, i.e. off device, lookups for solutions like this. Such a solution is similar to the way in which you’d want to look up the IP address and/or domain of the sender during an e-mail exchange, to validate the sender is not on the “bad spammer” lists maintained by a variety of organizations and offered as a service.
Jason Rahm recently detailed this solution as architected by Hugh O’Donnel, complete with iRules, in a DevCentral Tech Tip. You can find a more comprehensive description of the solution as well as the iRules to implement in the tech tip.
v11.1: DNS Blackhole with iRules
Happy (DNS) Routing!
Read the original blog entry...
Published January 9, 2012 Reads 607
Copyright © 2012 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Lori MacVittie
Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.
- The Future of Cloud Computing: Industry Predictions for 2012
- HP Puts Activist Shareholder on Board
- Gartner Hype Cycle for Emerging Technologies 2011
- Microsoft’s Second UI Innovation
- Apprenda Upgrades Its .NET Private PaaS
- Big Data Bug Bites GE
- Cloud Computing: A Comparison of Computing Models
- What Motivates Open Standards in the Cloud?
- What to Expect in 2012: Cloud Computing and Open Source Software
- StorSimple Supports OpenStack
- Cloud Expo Takeaways: Cloud Confusion Still Exists
- Ten Hot Trends in Cloud Data for 2012
- The Future of Cloud Computing: Industry Predictions for 2012
- SYS-CON Events Announces Cloud Expo 2012 New York Venue
- HP Puts Activist Shareholder on Board
- 9th Cloud Expo | Speaker Faculty A–Z
- Gartner Hype Cycle for Emerging Technologies 2011
- Cloud Expo Speaker Profile: Greg O'Connor - AppZero
- Ericsson: Leaders to discuss how ICT can shape future education at NEST
- Microsoft’s Second UI Innovation
- Cloud Expo Day 3 Keynote Speaker Profile: Willie Tejada - Akamai
- CloudNOW Interviews: Lauren States, IBM VP of Cloud Computing
- Cloud Expo Day 2 Keynote Speaker Profile: Pete Malcolm - Abiquo
- Cloud Expo Speaker Profile: Jason Lieblich - Exoprise Systems
- The Top 150 Players in Cloud Computing
- Where Are RIA Technologies Headed in 2008?
- FullArmor GPAnywhere Secures Microsoft Application Virtualization Applications Through Group Policy
- SYS-CON's Virtualization Conference & Expo: Themes & Topics
- SYS-CON's Virtualization Journal Opens Its "Readers' Choice Awards" Nominations
- Application Virtualization: Instant Migration to Vista, Fast Delivery, Secure Access, Side-by-Side Deployments
- "Virtualization Is Now a Key Strategic Theme," Says Citrix CTO
- Application Virtualization
- Integration with Windows Vista, Microsoft Excel, and Microsoft Application Virtualization
- Will Microsoft Buy Citrix?
- mValent Extends Automated Application Configuration Management to Virtualization Environments
- Has the Technology Bounceback Begun?






























