plugin/acl: adding ability to drop queries (#5722)

Both block and filter actions write responses to the client based upon the source IP address of the UDP packet containing the query. An attacker spoofing the source IP address to that of their target, can elicit a response to be sent to the victim host, known as DNS Reflection. If an attacker is able to elicit a large response from a relatively small query, with a spoofed source IP address, they are able to increase the amount of data sent to the victim, known as DNS Amplification. Scaling this from one to many queries allows an attacker to perform an effective Denial of Service (DoS) attack against their target. Adding the drop action enables CoreDNS to ignore queries of a given type or network range from being processed and a response written, where an operator knows ahead of time, should not originate or be destined to. Signed-off-by: rsclarke <hey@rsclarke.dev> Signed-off-by: rsclarke <hey@rsclarke.dev>
2025-10-28 08:44:17 -04:00 · 2022-11-01 17:16:55 +08:00
parent faaf2b446e
commit ead84e1fa8
6 changed files with 194 additions and 2 deletions
--- a/plugin/acl/setup_test.go
+++ b/plugin/acl/setup_test.go
@@ -57,6 +57,13 @@ func TestSetup(t *testing.T) {
 			}`,
 			false,
 		},
+		{
+			"Drop 1",
+			`acl {
+				drop type * net 192.168.0.0/16
+			}`,
+			false,
+		},
 		{
 			"fine-grained 1",
 			`acl a.example.org {
@@ -175,6 +182,13 @@ func TestSetup(t *testing.T) {
 			}`,
 			false,
 		},
+		{
+			"Drop 1 IPv6",
+			`acl {
+				drop net 2001:db8:abcd:0012::0/64
+			}`,
+			false,
+		},
 		{
 			"fine-grained 1 IPv6",
 			`acl a.example.org {