Make normalize return multiple "hosts" (= reverse zones) when a non-octet boundary cidr is given. Added pkg/cidr package that holds the cidr calculation routines; felt they didn't really fit dnsutil. This change means the IPNet return parameter isn't needed, the hosts are all correct. The tests that tests this is also removed: TestSplitHostPortReverse The fallout was that zoneAddr _also_ doesn't need the IPNet member, that in turn make it visible that zoneAddr in address.go duplicated a bunch of stuff from register.go; removed/refactored that too. Created a plugin.OriginsFromArgsOrServerBlock to help plugins do the right things, by consuming ZONE arguments; this now expands reverse zones correctly. This is mostly mechanical. Remove the reverse test in plugin/kubernetes which is a copy-paste from a core test (which has since been fixed). Remove MustNormalize as it has no plugin users. This change is not backwards compatible to plugins that have a ZONE argument that they parse in the setup util. All in-tree plugins have been updated. Signed-off-by: Miek Gieben <miek@miek.nl> |
||
---|---|---|
.. | ||
acl.go | ||
acl_test.go | ||
metrics.go | ||
README.md | ||
setup.go | ||
setup_test.go |
acl
Name
acl - enforces access control policies on source ip and prevents unauthorized access to DNS servers.
Description
With acl
enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
This plugin can be used multiple times per Server Block.
Syntax
acl [ZONES...] {
ACTION [type QTYPE...] [net SOURCE...]
}
- ZONES zones it should be authoritative for. If empty, the zones from the configuration block are used.
- ACTION (allow, block, or filter) defines the way to deal with DNS queries matched by this rule. The default action is allow, which means a DNS query not matched by any rules will be allowed to recurse. The difference between block and filter is that block returns status code of REFUSED while filter returns an empty set NOERROR
- QTYPE is the query type to match for the requests to be allowed or blocked. Common resource record types are supported.
*
stands for all record types. The default behavior for an omittedtype QTYPE...
is to match all kinds of DNS queries (same astype *
). - SOURCE is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported.
*
stands for all possible source IP addresses.
Examples
To demonstrate the usage of plugin acl, here we provide some typical examples.
Block all DNS queries with record type A from 192.168.0.0/16:
. {
acl {
block type A net 192.168.0.0/16
}
}
Filter all DNS queries with record type A from 192.168.0.0/16:
. {
acl {
filter type A net 192.168.0.0/16
}
}
Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:
. {
acl {
allow net 192.168.1.0/24
block net 192.168.0.0/16
}
}
Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:
. {
acl {
allow net 192.168.0.0/24 192.168.1.0/24
block
}
}
Block all DNS queries from 192.168.1.0/24 towards a.example.org:
example.org {
acl a.example.org {
block net 192.168.1.0/24
}
}
Metrics
If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:
-
coredns_acl_blocked_requests_total{server, zone}
- counter of DNS requests being blocked. -
coredns_acl_allowed_requests_total{server}
- counter of DNS requests being allowed.
The server
and zone
labels are explained in the metrics plugin documentation.