Blog January 17, 2018

IP Blocking in Constellix

Over the next few weeks, we are going to create a series of videos and blogs that explain common tasks in Constellix. This week, we are going to show you how to block an IP address or location using IP Filters.

What are IP Filters

IP Filters are rules you can apply to DNS records that determine who can access that record. In Constellix, IP Filters funnel segments of traffic based on the location, ASN, subnet, IP protocol, or IP address of your end-users.

Use Cases

There are two ways you can use IP Filters: to send a segment of traffic to a different endpoint, or to block access.

Segment

You can use IP Filters to point a segment of your traffic to a different endpoint, like an IP address or hostname. For example, we have a different website for users in Latin America. We already have a record that points all queries for www.example.com to our web server at 127.1.1.1. We can create an IP Filter for countries in that region, create another www. record, apply the filter, and point that traffic to the web server with the alternate website.

Block

You can also use IP Filters to block a specific location, ASN, or subnet from accessing a system. For example, let’s say we want to block traffic from Singapore. We would follow the same steps in the first example but instead of pointing our second record to a new endpoint we would drop the query traffic.

How To Use IP Filters

Apply an IP Filter to a Record

For this example, we want to funnel traffic from Singapore querying www.example.com to a different web server.

#1 Create a record that points to the desired location

We won’t go into the individual steps, but if you want to learn how to add a record try this.

This is your default record where you want all of your traffic to go (besides what will be indicated in your filter). In this case, that would be our primary web server at 127.1.1.1.

Please note that we are using example IP addresses and domains. You don’t want to use these when you create your own records.

Save your record, apply the changes, and make a note of the action you just did. For this, we would say “added www. record”.

#2 Test that your record works

Open a terminal and run a test directly against your name servers.

 dig www.example.com @ns11.constellix.com 

You should see it resolve to the IP address or hostname you entered in the previous step. In our case, that would be 127.1.1.1.

#3 Create an IP Filter

In the Advanced menu, click IP Filter. Notice that there is already a filter created called “World (Default)”. This filter is used when end-users don’t match the rules created in a custom IP Filter.

Click the Add New IP Filter button. Create a name for the filter and add the desired rules. In this case, we want to funnel traffic from Singapore so we will click on World/Asia/Singapore and add that to our rule list. Click save.

Creating an IP Filter in Constellix

#3 Enable GeoIP Services

Go back to Managed DNS / Domains / Your Domain and click the Advanced Settings button. Choose Enable GeoIP Services from the dropdown menu.

How to enable GeoIP services

#4 Apply the Filter to the Record

Open the record we created earlier (www.example.com) by double-clicking the record name. You’ll see a new dropdown field called IP Filter. Choose the World (Default) filter and click Save.

Apply a filter to a record

#5 Create a New Record for Filtered Traffic

Now is the fun part. Create a new record of the same type and name. In the IP/Hostname field, you can specify a different endpoint. For this example, we want to point our filtered traffic to our secondary web server at 127.2.2.2. Apply the desired filter.

Filtered record pointing to a different IP address

Save your record, commit your changes, and write a note about what you just did. These notes are really helpful when you are looking at past changes and can also be searched when you are making bulk changes.

#6 Test

Open your terminal and test the record against your name servers. In this example, we will enter:

 dig www.example.com @ns11.constellix.com 

We should see our primary IP address as the result. If you have a VPS setup, you can run a test virtually from your filtered location.

Block Traffic from an IP Address or a Location

Let’s say instead of pointing a segment of traffic to a different endpoint, we want to block it altogether. Follow steps #1 – #4 and then create a record for the filtered traffic with the same record type and name as our default record.

Choose the desired filter from the IP Filter dropdown menu. Below that, you’ll see a checkbox labeled Drop Query for selected IP Filter. Check the box to “drop” or block all traffic that meets the rules of your chosen filter.

Drop query traffic for filtered list

You will no longer see a field for IP address or hostname below. That’s because queries that match the filter won’t receive a response for this record.

Save your record, commit your changes, leave a note, and test.  

Region-Specific IP Filters

You can combine IP Filters with the Global Traffic Director (GTD for short). The GTD improves the accuracy of query resolution by answering queries based on the region they originate from. You can apply an IP Filter to traffic exclusively from a specific region.

When you combine IP Filters with the GTD, you can correct errors caused by improper IP allocation.

In this example, we want to create a rule only for users in Asia-Pac and drop traffic coming from Singapore.

#1 Enable GTD

In the Advanced Settings menu click Enable Global Traffic Director.

How to enable GTD

You will need to commit your changes to continue.

#2 Add Default Record to Region

Once you commit your changes, you’ll notice six new tabs under the Records section. The Default tab will be active and you should see any existing records you have. If you haven’t already, create a default record. For this example, we will create an A record that points www. to 127.1.1.1. Click save and commit your changes.  

Go to the desired region tab. You will see the record you created already there with the Source GTD as Default. That means there are no region-specific rules yet, and all queries to www. will resolve to 127.1.1.1.

Override the record to make a region-specific copy by clicking the  button. This will create a Default record for this region. If you don’t want this region to point to a different endpoint, click save. Otherwise, change the value in the IP Address / Hostname field.

GTD with IP Filters in Constellix

In the Source GTD column, you should see the region you chose.

#3 Add a Record with Desired Filter

Create another record in that region with the same name. Apply the desired IP Filter. In this example, we want to choose the IP Filter that segments traffic from Singapore. We can choose to send this traffic to a different IP address or drop responses altogether. In this case, we want to drop the queries.

Applying a filter to a record

#4 Test

Run a dig against your nameservers for that record. Again, you will need a VPS to test from a specific location.

For our example, we want to see nameservers in Asia-Pac dropping queries from Singapore.
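
The test steps above compare dig results by eye. As an added example (not part of the original post and not Constellix tooling), the script below classifies the result of each test and uses a control query to tell a dropped query from a name server that simply could not be reached. The function names, the SOA control query, and the assumption that the zone's SOA record has no drop filter applied are this example's own.

```shell
#!/bin/sh
# Added example, not Constellix tooling. Hostnames and IPs are the article's
# example values; the SOA control query is an assumption of this sketch.
DIG="${DIG:-dig}"   # overridable, so the logic can be exercised with a stub

# ask TYPE NAME NS: one attempt, 3 s timeout. Sets ASK_RC to dig's exit status
# (9 = no reply from server) and ASK_OUT to the answer lines.
ask() {
    ASK_RC=0
    ASK_OUT=$("$DIG" +short +tries=1 +time=3 "@$3" "$2" "$1" 2>/dev/null) || ASK_RC=$?
    ASK_OUT=$(printf '%s\n' "$ASK_OUT" | sed -e '/^;/d' -e '/^$/d')
}

# probe NAME ZONE NS: prints ANSWER <ips>, NOANSWER, DROPPED, UNREACHABLE or ERROR <rc>.
probe() {
    ask A "$1" "$3"
    case $ASK_RC in
    0)  if [ -n "$ASK_OUT" ]; then
            echo "ANSWER $(printf '%s' "$ASK_OUT" | tr '\n' ' ')"
        else
            echo "NOANSWER"   # the server replied, but with no A data
        fi ;;
    9)  # No reply for the record. Ask the same server for the zone's SOA: if
        # that is answered, the server is reachable and only this query was
        # dropped; if not, the timeout says nothing about the filter.
        ask SOA "$2" "$3"
        if [ "$ASK_RC" -eq 0 ] && [ -n "$ASK_OUT" ]; then
            echo "DROPPED"
        else
            echo "UNREACHABLE"
        fi ;;
    *)  echo "ERROR $ASK_RC" ;;
    esac
}

# verify WANT NAME ZONE NS: WANT is an IP address or the word DROPPED.
verify() {
    got=$(probe "$2" "$3" "$4")
    case $got in
    DROPPED)   [ "$1" = DROPPED ] ;;
    ANSWER\ *) [ "${got#ANSWER }" = "$1" ] ;;
    *)         false ;;
    esac
}
```

After sourcing the file, run `verify 127.1.1.1 www.example.com example.com ns11.constellix.com` from an unfiltered host and `verify DROPPED www.example.com example.com ns11.constellix.com` from a VPS in the filtered location. An `UNREACHABLE` result means the test was inconclusive, not that the filter worked.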