Over the next few weeks, we are going to create a series of videos and blogs that explain common tasks in Constellix. This week, we are going to show you how to block an IP address or location using IP Filters.
IP Filters are rules you can apply to DNS records that determine who can access that record. In Constellix, IP Filters funnel segments of traffic based on the location, ASN, subnet, IP protocol, or IP address of your end-users.
There are two ways you can use IP Filters: to send a segment of traffic to a different endpoint or block access.
You can use IP Filters to point a segment of your traffic to a different endpoint, like an IP address or hostname. For example, we have a different website for users in Latin America. We already have a record that points all queries for www.example.com to our web server at 127.1.1.1. We can create an IP Filter for countries in that region, create another www. Record, apply the filter and point that traffic to the web server with the alternate website.
You can also use IP Filters to block a specific location, ASN, or subnet from accessing a system. For example, let’s say we want to block traffic from Singapore. We would follow the same steps in the first example but instead of pointing our second record to a new endpoint we would drop the query traffic.
For this example, we want to funnel traffic from Singapore querying www.example.com to a different web server.
We won’t go into the individual steps, but if you want to learn how to add a record try this.
This is your default record where you want all of your traffic to go (besides what will be indicated in your filter). In this case, that would be our primary web server at 127.1.1.1.
Please note, that we are using example IP addresses and domains. You don’t want to use these when you create your own records.
Save your record, apply the changes, and make a note of the action you just did. For this, we would say “added www. record”.
Open a terminal and run a test directly against your name servers.
dig www.example.com @ns11.constellix.com
You should see it resolve to the IP address or hostname you entered in the previous step. In our case, that would be 127.1.1.1.
In the Advanced menu, click IP Filter. Notice that there is already a filter created called “World (Default)”. This filter is used when end-users don’t match the rules created in a custom IP Filter.
Click the Add New IP Filter button. Create a name for the filter and add the desired rules. In this case, we want to funnel traffic from Singapore so we will click on World/Asia/Singapore and add that to our rule list. Click save.
Creating an IP Filter in Constellix
Go back to Managed DNS / Domains / Your Domain and click the Advanced Settings button. Choose Enable GeoIP Services from the dropdown menu.
How to enable GeoIP services
Open the record we created earlier (www.example.com) by double-clicking the record name. You’ll see a new dropdown field called IP Filter. Choose the World (Default) filter and click Save.
Apply a filter to a record
Now is the fun part. Create a new record of the same type and name. In the IP/Hostname field, you can specify a different endpoint. For this example, we want to point our filtered traffic to our secondary web server at 127.2.2.2. Apply the desired filter.
Filtered record pointing to a different IP address
Save your record, commit your changes, and write a note about what you just did. These notes are really helpful when you are looking at past changes and can also be searched when you are making bulk changes.
Open your terminal and test the record against your name servers. In this example, we will enter:
dig www.example.com @ns11.constellix.com
We should see our primary IP address as the result. If you have a VPS setup, you can run a test virtually from your filtered location.
Let’s say instead of pointing a segment of traffic to a different endpoint, we want to block it all together. Follow steps #1 – #4 and then create a record for the filtered traffic with the same record type and name as our default record.
Choose the desired filter from the IP Filter dropdown menu. Below that, you’ll see a checkbox labeled Drop Query for selected IP Filter. Check the box to “drop” or block all traffic that meets the rules of your chosen filter.
Drop query traffic for filtered list
You will no longer see a field for IP address or hostname below. That’s because this traffic won’t receive a response when they query this record.
Save your record, commit your changes, leave a note, and test.
You can combine IP Filters with the Global Traffic Director (GTD for short). The GTD improves the accuracy of query resolution by answering queries based on the region they originate from. You can apply an IP Filter to traffic exclusively from a specific region.
When you combine IP Filters with the GTD, you can correct errors caused by improper IP allocation.
In this example, we want to create a rule only for users in Asia-Pac and drop traffic coming from Singapore.
In the Advanced Settings menu click Enable Global Traffic Director.
How to enable GTD
You will need to commit your changes to continue.
Once you commit your changes, you’ll notice six new tabs under the Records section. The Default tab will be active and you should see any existing records you have. If you haven’t already, create a default record. For this example, we will create an A record that points www. to 127.1.1.1. Click save and commit your changes.
Go to the desired region tab. You will see the record you created already there with the Source GTD as Default. That means, that there are no region-specific rules created and all queries to www. will resolve to 127.1.1.1.
Override the record to make a region-specific copy by clicking the button. This will create a Default record for this region. Unless you want this region to point to a different endpoint, click save. If not, then change the value in the IP Address / Hostname field.
In the Source GTD column, you should see the region you chose.
Create another record in that region with the same name. Apply the desired IP Filter. In this example, we want to choose the IP Filter that segments traffic from Singapore. We can choose to send this traffic to a different IP address or drop responses altogether. In this case, we want to drop the queries.
Applying a filter to a record
Run a dig against your nameservers for that record. Again, you will need a VPS to test from a specific location.
For our example, we want to see nameservers in Asia-Pac dropping queries from Singapore.