|  | .\" Generated by Mmark Markdown Processer - mmark.miek.nl | |||
|  | .TH "COREDNS-ACL" 7 "September 2019" "CoreDNS" "CoreDNS Plugins" | |||
|  | 
 | |||
|  | .PP | |||
|  | \fIacl\fP - enforces access control policies based on source IP address and prevents unauthorized access to DNS servers. | |||
|  | 
 | |||
|  | .SH "DESCRIPTION" | |||
|  | .PP | |||
|  | With \fB\fCacl\fR enabled, users are able to block suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries. | |||
|  | 
 | |||
|  | .PP | |||
|  | This plugin can be used multiple times per Server Block. | |||
|  | 
 | |||
|  | .SH "SYNTAX" | |||
|  | .PP | |||
|  | .RS | |||
|  | 
 | |||
|  | .nf | |||
|  | acl [ZONES...] { | |||
|  |     ACTION [type QTYPE...] [net SOURCE...] | |||
|  | } | |||
|  | 
 | |||
|  | .fi | |||
|  | .RE | |||
|  | 
 | |||
|  | .IP \(bu 4 | |||
|  | \fBZONES\fP is the list of zones the plugin should be authoritative for. If empty, the zones from the configuration block are used. | |||
|  | .IP \(bu 4 | |||
|  | \fBACTION\fP (\fIallow\fP or \fIblock\fP) defines how DNS queries matched by this rule are handled. The default action is \fIallow\fP, which means a DNS query not matched by any rule will be allowed to recurse. | |||
|  | .IP \(bu 4 | |||
|  | \fBQTYPE\fP is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. \fB\fC*\fR stands for all record types. The default behavior for an omitted \fB\fCtype QTYPE...\fR is to match all kinds of DNS queries (same as \fB\fCtype *\fR). | |||
|  | .IP \(bu 4 | |||
|  | \fBSOURCE\fP is the source IP address to match for the requests to be allowed or blocked. Both CIDR notation and single IP addresses are supported. \fB\fC*\fR stands for all possible source IP addresses. | |||
|  | 
 | |||
|  | 
 | |||
|  | .SH "EXAMPLES" | |||
|  | .PP | |||
|  | To demonstrate the usage of the acl plugin, here are some typical examples. | |||
|  | 
 | |||
|  | .PP | |||
|  | Block all DNS queries with record type A from 192.168.0.0/16: | |||
|  | 
 | |||
|  | .PP | |||
|  | .RS | |||
|  | 
 | |||
|  | .nf | |||
|  | \&. { | |||
|  |     acl { | |||
|  |         block type A net 192.168.0.0/16 | |||
|  |     } | |||
|  | } | |||
|  | 
 | |||
|  | .fi | |||
|  | .RE | |||
|  | 
 | |||
|  | .PP | |||
|  | Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24: | |||
|  | 
 | |||
|  | .PP | |||
|  | .RS | |||
|  | 
 | |||
|  | .nf | |||
|  | \&. { | |||
|  |     acl { | |||
|  |         allow net 192.168.1.0/24 | |||
|  |         block net 192.168.0.0/16 | |||
|  |     } | |||
|  | } | |||
|  | 
 | |||
|  | .fi | |||
|  | .RE | |||
|  | 
 | |||
|  | .PP | |||
|  | Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24: | |||
|  | 
 | |||
|  | .PP | |||
|  | .RS | |||
|  | 
 | |||
|  | .nf | |||
|  | \&. { | |||
|  |     acl { | |||
|  |         allow net 192.168.0.0/16 192.168.1.0/24 | |||
|  |         block | |||
|  |     } | |||
|  | } | |||
|  | 
 | |||
|  | .fi | |||
|  | .RE | |||
|  | 
 | |||
|  | .PP | |||
|  | Block all DNS queries from 192.168.1.0/24 towards a.example.org: | |||
|  | 
 | |||
|  | .PP | |||
|  | .RS | |||
|  | 
 | |||
|  | .nf | |||
|  | example.org { | |||
|  |     acl a.example.org { | |||
|  |         block net 192.168.1.0/24 | |||
|  |     } | |||
|  | } | |||
|  | 
 | |||
|  | .fi | |||
|  | .RE | |||
|  | 