Both block and filter actions write responses to the client based upon
the source IP address of the UDP packet containing the query. An
attacker spoofing the source IP address to that of their target, can
elicit a response to be sent to the victim host, known as DNS
Reflection. If an attacker is able to elicit a large response from a
relatively small query, with a spoofed source IP address, they are able
to increase the amount of data sent to the victim, known as DNS
Amplification. Scaling this from one to many queries allows an attacker
to perform an effective Denial of Service (DoS) attack against their
target.
Adding the drop action enables CoreDNS to ignore queries of a given
type or network range from being processed and a response written,
where an operator knows ahead of time, should not originate or be
destined to.
Signed-off-by: rsclarke <hey@rsclarke.dev>
Signed-off-by: rsclarke <hey@rsclarke.dev>
* plugin/acl : add support for Extended DNS Errors
Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>
* fixup! plugin/acl : add support for Extended DNS Errors
Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>
* Fixing #5376 by adding a check to parse out Zone information
Signed-off-by: Tintin <samrath.sodi@gmail.com>
* using IndexByte instead of strings.Split()
Signed-off-by: Tintin <samrath.sodi@gmail.com>
* using plugin logger for logging parsing failure
Signed-off-by: Tintin <samrath.sodi@gmail.com>
* using var keywork instead of short declaration operator
Signed-off-by: Tintin <samrath.sodi@gmail.com>
* reordering imports
Signed-off-by: Tintin <samrath.sodi@gmail.com>
Currently ACLs only allow for allow and block, however it isn't
always desirable to set the status code to REFUSED. Often times
you want to completely hide the fact that those records even exist.
Adding the ability to acl to filter results makes it significantly
harder for a third party to know that the records are being masked.
Signed-off-by: George Shammas <george@shamm.as>
* Run gostaticheck
Run gostaticcheck on the codebase and fix almost all flagged items.
Only keep
* coremain/run.go:192:2: var appVersion is unused (U1000)
* plugin/chaos/setup.go:54:3: the surrounding loop is unconditionally terminated (SA4004)
* plugin/etcd/setup.go:103:3: the surrounding loop is unconditionally terminated (SA4004)
* plugin/pkg/replacer/replacer.go:274:13: argument should be pointer-like to avoid allocations (SA6002)
* plugin/route53/setup.go:124:28: session.New is deprecated: Use NewSession functions to create sessions instead. NewSession has the same functionality as New except an error can be returned when the func is called instead of waiting to receive an error until a request is made. (SA1019)
* test/grpc_test.go:25:69: grpc.WithTimeout is deprecated: use DialContext and context.WithTimeout instead. Will be supported throughout 1.x. (SA1019)
The first one isn't true, as this is set via ldflags. The rest is
minor. The deprecation should be fixed at some point; I'll file some
issues.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Make sure to plug in the plugins
import the plugins, that file that did this was removed, put it in the
reload test as this requires an almost complete coredns server.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Add plugin ACL for source ip filtering
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Allow all arguments to be optional and support multiple qtypes in a single policy
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Add newline before third party imports
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Use camel instead of underscore in method name
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Start with an upper case letter in t.Errorf()
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Use the qtype parse logic in miekg/dns
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Use third party trie implementation as the ip filter
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Update based on rdrozhdzh's comment
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Change the type of action to int
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Add IPv6 support
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Update plugin.cfg
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Remove file functionality
Signed-off-by: An Xiao <hac@zju.edu.cn>
* Update
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update README
Signed-off-by: Xiao An <hac@zju.edu.cn>
* remove comments
Signed-off-by: Xiao An <hac@zju.edu.cn>
* update
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update dependency
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update test
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Add OWNERS
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Refactor shouldBlock and skip useless check
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Introduce ActionNone
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update label name
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Avoid capitalizing private types
Signed-off-by: Xiao An <hac@zju.edu.cn>
