Update ACL plugin's README to capture the edge case (#5311)

* Update ACL plugin's README to capture the edge case

This PR adds a note in ACL plugin's README to capture the edge case
where source IP of the client may be different from the source IP
observed by CoreDNS server (in situations such as Source NAT).

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Update plugin/acl/README.md

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Update plugin/acl/README.md

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Yong Tang 2022-04-07 12:09:44 -07:00 committed by GitHub
parent 275c014c5c
commit 882b2d913d


@ -6,7 +6,13 @@
## Description
With `acl` enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
With `acl` enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries or blocking unauthorized queries.
When evaluating the rule sets, _acl_ uses the source IP of the TCP/UDP headers of the DNS query received by CoreDNS.
This source IP will be different than the IP of the client originating the request in cases where the source IP of the request is changed in transit. For example:
* if the request passes though an intermediate forwarding DNS server or recursive DNS server before reaching CoreDNS
* if the request traverses a Source NAT before reaching CoreDNS
This plugin can be used multiple times per Server Block.
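Review bot: the two new `* if the request ...` bullets need a blank line after them before `This plugin can be used multiple times per Server Block.`; as written, Markdown treats that sentence as a lazy continuation of the second bullet, so it renders as part of the Source NAT item instead of as its own paragraph. Also, `passes though an intermediate forwarding DNS server` should read `passes through`. It would help rule authors to close the new paragraph with the practical consequence of what it describes: rules must match the source address CoreDNS actually observes (the forwarder's or the NAT device's address), not the address of the original client.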