TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 2 Projects Releases Packages Wiki Activity Actions
coredns/plugin/acl
History
Exact
rsclarke ead84e1fa8
plugin/acl: adding ability to drop queries (#5722) 
Both block and filter actions write responses to the client based upon
the source IP address of the UDP packet containing the query.  An
attacker spoofing the source IP address to that of their target, can
elicit a response to be sent to the victim host, known as DNS
Reflection.  If an attacker is able to elicit a large response from a
relatively small query, with a spoofed source IP address, they are able
to increase the amount of data sent to the victim, known as DNS
Amplification.  Scaling this from one to many queries allows an attacker
to perform an effective Denial of Service (DoS) attack against their
target.

Adding the drop action enables CoreDNS to ignore queries of a given
type or network range from being processed and a response written,
where an operator knows ahead of time, should not originate or be
destined to.

Signed-off-by: rsclarke <hey@rsclarke.dev>

Signed-off-by: rsclarke <hey@rsclarke.dev>
2022-11-01 10:16:55 +01:00
..
acl.go plugin/acl: adding ability to drop queries (#5722) 2022-11-01 10:16:55 +01:00
acl_test.go plugin/acl: adding ability to drop queries (#5722) 2022-11-01 10:16:55 +01:00
metrics.go plugin/acl: adding ability to drop queries (#5722) 2022-11-01 10:16:55 +01:00
README.md plugin/acl: adding ability to drop queries (#5722) 2022-11-01 10:16:55 +01:00
setup.go plugin/acl: adding ability to drop queries (#5722) 2022-11-01 10:16:55 +01:00
setup_test.go plugin/acl: adding ability to drop queries (#5722) 2022-11-01 10:16:55 +01:00

README.md

acl

Name

acl - enforces access control policies on source ip and prevents unauthorized access to DNS servers.

Description

With acl enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries or blocking unauthorized queries.

When evaluating the rule sets, acl uses the source IP of the TCP/UDP headers of the DNS query received by CoreDNS. This source IP will be different than the IP of the client originating the request in cases where the source IP of the request is changed in transit. For example:

  • if the request passes though an intermediate forwarding DNS server or recursive DNS server before reaching CoreDNS
  • if the request traverses a Source NAT before reaching CoreDNS

This plugin can be used multiple times per Server Block.

Syntax

acl [ZONES...] {
    ACTION [type QTYPE...] [net SOURCE...]
}
  • ZONES zones it should be authoritative for. If empty, the zones from the configuration block are used.
  • ACTION (allow, block, filter, or drop) defines the way to deal with DNS queries matched by this rule. The default action is allow, which means a DNS query not matched by any rules will be allowed to recurse. The difference between block and filter is that block returns status code of REFUSED while filter returns an empty set NOERROR. drop however returns no response to the client.
  • QTYPE is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. * stands for all record types. The default behavior for an omitted type QTYPE... is to match all kinds of DNS queries (same as type *).
  • SOURCE is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. * stands for all possible source IP addresses.

Examples

To demonstrate the usage of plugin acl, here we provide some typical examples.

Block all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        block type A net 192.168.0.0/16
    }
}

Filter all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        filter type A net 192.168.0.0/16
    }
}

Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:

. {
    acl {
        allow net 192.168.1.0/24
        block net 192.168.0.0/16
    }
}

Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:

. {
    acl {
        allow net 192.168.0.0/24 192.168.1.0/24
        block
    }
}

Block all DNS queries from 192.168.1.0/24 towards a.example.org:

example.org {
    acl a.example.org {
        block net 192.168.1.0/24
    }
}

Drop all DNS queries from 192.0.2.0/24:

. {
    acl {
        drop net 192.0.2.0/24
    }
}

Metrics

If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:

  • coredns_acl_blocked_requests_total{server, zone, view} - counter of DNS requests being blocked.

  • coredns_acl_filtered_requests_total{server, zone, view} - counter of DNS requests being filtered.

  • coredns_acl_allowed_requests_total{server, view} - counter of DNS requests being allowed.

  • coredns_acl_dropped_requests_total{server, zone, view} - counter of DNS requests being dropped.

The server and zone labels are explained in the metrics plugin documentation.