mirror of
https://github.com/coredns/coredns.git
synced 2025-11-01 18:53:43 -04:00
doc: run make -f Makefile.doc (#3314)
add the acl manual page; mechanical change otherwise. Signed-off-by: Miek Gieben <miek@miek.nl>
105
man/coredns-acl.7
Normal file
@@ -0,0 +1,105 @@
|
||||
.\" Generated by Mmark Markdown Processer - mmark.miek.nl
|
||||
.TH "COREDNS-ACL" 7 "September 2019" "CoreDNS" "CoreDNS Plugins"
|
||||
|
||||
.PP
|
||||
\fIacl\fP - enforces access control policies on source ip and prevents unauthorized access to DNS servers.
|
||||
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
With \fB\fCacl\fR enabled, users are able to block suspicous DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
|
||||
|
||||
.PP
|
||||
This plugin can be used multiple times per Server Block.
|
||||
|
||||
.SH "SYNTAX"
|
||||
.PP
|
||||
.RS
|
||||
|
||||
.nf
|
||||
acl [ZONES...] {
|
||||
ACTION [type QTYPE...] [net SOURCE...]
|
||||
}
|
||||
|
||||
.fi
|
||||
.RE
|
||||
|
||||
.IP \(bu 4
|
||||
\fBZONES\fP zones it should be authoritative for. If empty, the zones from the configuration block are used.
|
||||
.IP \(bu 4
|
||||
\fBACTION\fP (\fIallow\fP or \fIblock\fP) defines the way to deal with DNS queries matched by this rule. The default action is \fIallow\fP, which means a DNS query not matched by any rules will be allowed to recurse.
|
||||
.IP \(bu 4
|
||||
\fBQTYPE\fP is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. \fB\fC*\fR stands for all record types. The default behavior for an omitted \fB\fCtype QTYPE...\fR is to match all kinds of DNS queries (same as \fB\fCtype *\fR).
|
||||
.IP \(bu 4
|
||||
\fBSOURCE\fP is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. \fB\fC*\fR stands for all possible source IP addresses.
|
||||
|
||||
|
||||
.SH "EXAMPLES"
|
||||
.PP
|
||||
To demonstrate the usage of plugin acl, here we provide some typical examples.
|
||||
|
||||
.PP
|
||||
Block all DNS queries with record type A from 192.168.0.0/16:
|
||||
|
||||
.PP
|
||||
.RS
|
||||
|
||||
.nf
|
||||
\&. {
|
||||
acl {
|
||||
block type A net 192.168.0.0/16
|
||||
}
|
||||
}
|
||||
|
||||
.fi
|
||||
.RE
|
||||
|
||||
.PP
|
||||
Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:
|
||||
|
||||
.PP
|
||||
.RS
|
||||
|
||||
.nf
|
||||
\&. {
|
||||
acl {
|
||||
allow net 192.168.1.0/24
|
||||
block net 192.168.0.0/16
|
||||
}
|
||||
}
|
||||
|
||||
.fi
|
||||
.RE
|
||||
|
||||
.PP
|
||||
Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:
|
||||
|
||||
.PP
|
||||
.RS
|
||||
|
||||
.nf
|
||||
\&. {
|
||||
acl {
|
||||
allow net 192.168.0.0/16 192.168.1.0/24
|
||||
block
|
||||
}
|
||||
}
|
||||
|
||||
.fi
|
||||
.RE
|
||||
|
||||
.PP
|
||||
Block all DNS queries from 192.168.1.0/24 towards a.example.org:
|
||||
|
||||
.PP
|
||||
.RS
|
||||
|
||||
.nf
|
||||
example.org {
|
||||
acl a.example.org {
|
||||
block net 192.168.1.0/24
|
||||
}
|
||||
}
|
||||
|
||||
.fi
|
||||
.RE
|
||||
|
||||
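Review bot: In the third EXAMPLES block the description and the rule disagree: the text says "Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24", but the rule is `allow net 192.168.0.0/16 192.168.1.0/24`. The /16 already contains 192.168.1.0/24 and admits the whole 192.168.0.0/16 range, so anyone copying this config gets a far more permissive policy than the sentence promises. Change the first network to 192.168.0.0/24, and make the fix in the Markdown source, since the header says this file is generated by Mmark. Related: the second example ("except for 192.168.1.0/24") only works if rules are evaluated top to bottom and the first match decides, yet the SYNTAX section never states the evaluation order; add a sentence on that to the ACTION bullet. Minor: "suspicous" in DESCRIPTION should be "suspicious".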