Commit graph

12 commits

Author SHA1 Message Date
rsclarke
ead84e1fa8
plugin/acl: adding ability to drop queries (#5722)
Both block and filter actions write responses to the client based upon
the source IP address of the UDP packet containing the query.  An
attacker spoofing the source IP address to that of their target can
elicit a response to be sent to the victim host, known as DNS
Reflection.  If an attacker is able to elicit a large response from a
relatively small query, with a spoofed source IP address, they are able
to increase the amount of data sent to the victim, known as DNS
Amplification.  Scaling this from one to many queries allows an attacker
to perform an effective Denial of Service (DoS) attack against their
target.

Adding the drop action enables CoreDNS to ignore queries of a given
type or network range from being processed and a response written,
where an operator knows ahead of time, should not originate or be
destined to.

Signed-off-by: rsclarke <hey@rsclarke.dev>

Signed-off-by: rsclarke <hey@rsclarke.dev>
2022-11-01 10:16:55 +01:00
Ondřej Benkovský
dc84196690
plugin/acl : add view label into metrics (#5615)
Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>

Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>
2022-09-12 16:35:59 -04:00
Yong Tang
882b2d913d
Update ACL plugin's README to capture the edge case (#5311)
* Update ACL plugin's README to capture the edge case

This PR adds a note in ACL plugin's README to capture the edge case
where source ip of the client may be different from the source ip
observed by coredns server (in situations such as Source NAT).

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Update plugin/acl/README.md

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Update plugin/acl/README.md

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
2022-04-07 12:09:44 -07:00
George Shammas
117a389e40
plugin/acl: add the ability to filter records (#4389)
Currently ACLs only allow for allow and block, however it isn't
always desirable to set the status code to REFUSED. Often times
you want to completely hide the fact that those records even exist.

Adding the ability to acl to filter results makes it significantly
harder for a third party to know that the records are being masked.

Signed-off-by: George Shammas <george@shamm.as>
2021-02-01 06:52:23 -08:00
Krzysztof Dąbrowski
5347bc38e7
Fix CIDR in example (#3864)
Signed-off-by: Krzysztof Dąbrowski <krzysdabro@live.com>
2020-04-28 10:46:20 -04:00
Ben Kochie
a29a594e5c
Update more metrics names (#3799)
The subsystem of a metric must be its plugin name. "dns" is reserved
for the core. Use a const convention to avoid copy-paste mistakes in
naming.

Fix dns64 and acl plugin.

Signed-off-by: Ben Kochie <superq@gmail.com>
2020-03-31 20:03:18 +02:00
Miek Gieben
19cfa2960c
Cleanup metrics (#3776)
Cleanup a variety of metric issues.
* Eliminate department of redundancy "count_total" naming.
* Use the plural of the unit when appropriate. (ex, "requests")
* Remove label names from metric names where appropriate. (ex, "rcode")
* Simplify request metrics by consolidating type label into the base
request counter.
* Re-generate man pages.

Signed-off-by: Ben Kochie <superq@gmail.com>

Co-authored-by: Ben Kochie <superq@gmail.com>
2020-03-26 09:17:33 +01:00
Miek Gieben
672ce6d04e
Fix acl page (#3626)
* Fix acl page

It must have a Name section.

Fixes: https://github.com/coredns/coredns.io/issues/177

Signed-off-by: Miek Gieben <miek@miek.nl>

* generate

Signed-off-by: Miek Gieben <miek@miek.nl>
2020-01-27 16:47:42 +01:00
Erfan Besharat
baaa834dc1
plugin/acl: document metrics in README (#3605)
Signed-off-by: Erfan Besharat <erbesharat@gmail.com>
2020-01-18 16:46:57 +01:00
yuxiaobo96
bf356e79fc
fix spelling mistakes (#3364)
Automatically submitted.
2019-10-09 07:24:18 +00:00
Miek Gieben
d79562842a
plugin/acl: whitespace cleanup (#3239)
OWNERS file was padded, remove empty lines. Fix code block in README,
and set codeblock type to 'corefile' without the upper case C.

Signed-off-by: Miek Gieben <miek@miek.nl>
2019-09-04 19:06:10 -07:00
An Xiao
79f37a1460
Add plugin ACL for source ip filtering (#3103)
* Add plugin ACL for source ip filtering

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Allow all arguments to be optional and support multiple qtypes in a single policy

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Add newline before third party imports

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Use camel instead of underscore in method name

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Start with an upper case letter in t.Errorf()

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Use the qtype parse logic in miekg/dns

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Use third party trie implementation as the ip filter

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Update based on rdrozhdzh's comment

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Change the type of action to int

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Add IPv6 support

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Update plugin.cfg

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Remove file functionality

Signed-off-by: An Xiao <hac@zju.edu.cn>

* Update

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Update README

Signed-off-by: Xiao An <hac@zju.edu.cn>

* remove comments

Signed-off-by: Xiao An <hac@zju.edu.cn>

* update

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Update dependency

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Update

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Update test

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Add OWNERS

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Refactor shouldBlock and skip useless check

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Introduce ActionNone

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Update label name

Signed-off-by: Xiao An <hac@zju.edu.cn>

* Avoid capitalizing private types

Signed-off-by: Xiao An <hac@zju.edu.cn>
2019-09-04 08:43:45 -07:00