TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
coredns/plugin/acl
History
Miek Gieben dbd1c047cb
Run gostaticheck (#3325) 
* Run gostaticheck

Run gostaticcheck on the codebase and fix almost all flagged items.

Only keep

* coremain/run.go:192:2: var appVersion is unused (U1000)
* plugin/chaos/setup.go:54:3: the surrounding loop is unconditionally terminated (SA4004)
* plugin/etcd/setup.go:103:3: the surrounding loop is unconditionally terminated (SA4004)
* plugin/pkg/replacer/replacer.go:274:13: argument should be pointer-like to avoid allocations (SA6002)
* plugin/route53/setup.go:124:28: session.New is deprecated: Use NewSession functions to create sessions instead. NewSession has the same functionality as New except an error can be returned when the func is called instead of waiting to receive an error until a request is made.  (SA1019)
* test/grpc_test.go:25:69: grpc.WithTimeout is deprecated: use DialContext and context.WithTimeout instead.  Will be supported throughout 1.x.  (SA1019)

The first one isn't true, as this is set via ldflags. The rest is
minor. The deprecation should be fixed at some point; I'll file some
issues.

Signed-off-by: Miek Gieben <miek@miek.nl>

* Make sure to plug in the plugins

import the plugins, that file that did this was removed, put it in the
reload test as this requires an almost complete coredns server.

Signed-off-by: Miek Gieben <miek@miek.nl>
2019-10-01 07:41:29 +01:00
..
acl.go Run gostaticheck (#3325) 2019-10-01 07:41:29 +01:00
acl_test.go plugin: cleanup code based on staticcheck warnings (#3302) 2019-09-25 13:23:43 +01:00
metrics.go Add plugin ACL for source ip filtering (#3103) 2019-09-04 08:43:45 -07:00
OWNERS plugin/acl: whitespace cleanup (#3239) 2019-09-04 19:06:10 -07:00
README.md plugin/acl: whitespace cleanup (#3239) 2019-09-04 19:06:10 -07:00
setup.go all: simply registering plugins (#3287) 2019-09-20 08:02:30 +01:00
setup_test.go Add plugin ACL for source ip filtering (#3103) 2019-09-04 08:43:45 -07:00

README.md

acl

acl - enforces access control policies on source ip and prevents unauthorized access to DNS servers.

Description

With acl enabled, users are able to block suspicous DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.

This plugin can be used multiple times per Server Block.

Syntax

acl [ZONES...] {
    ACTION [type QTYPE...] [net SOURCE...]
}
  • ZONES zones it should be authoritative for. If empty, the zones from the configuration block are used.
  • ACTION (allow or block) defines the way to deal with DNS queries matched by this rule. The default action is allow, which means a DNS query not matched by any rules will be allowed to recurse.
  • QTYPE is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. * stands for all record types. The default behavior for an omitted type QTYPE... is to match all kinds of DNS queries (same as type *).
  • SOURCE is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. * stands for all possible source IP addresses.

Examples

To demonstrate the usage of plugin acl, here we provide some typical examples.

Block all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        block type A net 192.168.0.0/16
    }
}

Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:

. {
    acl {
        allow net 192.168.1.0/24
        block net 192.168.0.0/16
    }
}

Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:

. {
    acl {
        allow net 192.168.0.0/16 192.168.1.0/24
        block
    }
}

Block all DNS queries from 192.168.1.0/24 towards a.example.org:

example.org {
    acl a.example.org {
        block net 192.168.1.0/24
    }
}