From 882b2d913d28b2f80c4597a16b5043a1a92fb1b8 Mon Sep 17 00:00:00 2001 From: Yong Tang Date: Thu, 7 Apr 2022 12:09:44 -0700 Subject: [PATCH] Update ACL plugin's README to capture the edge case (#5311) * Update ACL plugin's README to capture the edge case This PR adds a note in ACL plugin's README to capture the edge case where source ip of the client may be different from the source ip observed by coredns server (in situations such as Source NAT). Signed-off-by: Yong Tang * Update plugin/acl/README.md Co-authored-by: Chris O'Haver Signed-off-by: Yong Tang * Update plugin/acl/README.md Co-authored-by: Chris O'Haver Signed-off-by: Yong Tang Co-authored-by: Chris O'Haver --- plugin/acl/README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/plugin/acl/README.md b/plugin/acl/README.md index 5103018ef..4b34500e4 100644 --- a/plugin/acl/README.md +++ b/plugin/acl/README.md @@ -6,7 +6,13 @@ ## Description -With `acl` enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries. +With `acl` enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries or blocking unauthorized queries. + + +When evaluating the rule sets, _acl_ uses the source IP of the TCP/UDP headers of the DNS query received by CoreDNS. +This source IP will be different than the IP of the client originating the request in cases where the source IP of the request is changed in transit. For example: +* if the request passes though an intermediate forwarding DNS server or recursive DNS server before reaching CoreDNS +* if the request traverses a Source NAT before reaching CoreDNS This plugin can be used multiple times per Server Block.
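Review bot: typo in the first new bullet of the README hunk: "if the request passes though an intermediate forwarding DNS server" should read "passes through". Two smaller points in the same hunk: the two consecutive `+` blank lines after the rewritten first paragraph leave a double blank line in the rendered README (one is enough), and adding a blank line between "For example:" and the `*` list makes the list render consistently across Markdown engines. Since the note's practical consequence is that rules must be written against the address CoreDNS actually observes (the forwarder's or the NAT gateway's IP, not the original client's), consider ending the paragraph with one sentence saying that explicitly, for example "In these cases, rules must match the source IP as seen by CoreDNS, not the original client IP."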