Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-30 09:43:17 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
28bddcc6eb2372d7fe92e39d59c3ad71b310d4b5
coredns/man/coredns-acl.7
coredns-auto-go-mod-tidy[bot] 79cd81473b auto make -f Makefile.doc
2021-01-10 10:06:46 +00:00

120 lines
2.7 KiB
Groff
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-ACL" 7 "January 2021" "CoreDNS" "CoreDNS Plugins"
.SH "NAME"
.PP
\fIacl\fP - enforces access control policies on source ip and prevents unauthorized access to DNS servers.
.SH "DESCRIPTION"
.PP
With \fB\fCacl\fR enabled, users are able to block suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
.PP
This plugin can be used multiple times per Server Block.
.SH "SYNTAX"
.PP
.RS
.nf
acl [ZONES...] {
ACTION [type QTYPE...] [net SOURCE...]
}
.fi
.RE
.IP \(bu 4
\fBZONES\fP zones it should be authoritative for. If empty, the zones from the configuration block are used.
.IP \(bu 4
\fBACTION\fP (\fIallow\fP or \fIblock\fP) defines the way to deal with DNS queries matched by this rule. The default action is \fIallow\fP, which means a DNS query not matched by any rules will be allowed to recurse.
.IP \(bu 4
\fBQTYPE\fP is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. \fB\fC*\fR stands for all record types. The default behavior for an omitted \fB\fCtype QTYPE...\fR is to match all kinds of DNS queries (same as \fB\fCtype *\fR).
.IP \(bu 4
\fBSOURCE\fP is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. \fB\fC*\fR stands for all possible source IP addresses.
.SH "EXAMPLES"
.PP
To demonstrate the usage of plugin acl, here we provide some typical examples.
.PP
Block all DNS queries with record type A from 192.168.0.0/16
.PP
.RS
.nf
\&. {
acl {
block type A net 192.168.0.0/16
}
}
.fi
.RE
.PP
Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:
.PP
.RS
.nf
\&. {
acl {
allow net 192.168.1.0/24
block net 192.168.0.0/16
}
}
.fi
.RE
.PP
Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:
.PP
.RS
.nf
\&. {
acl {
allow net 192.168.0.0/24 192.168.1.0/24
block
}
}
.fi
.RE
.PP
Block all DNS queries from 192.168.1.0/24 towards a.example.org:
.PP
.RS
.nf
example.org {
acl a.example.org {
block net 192.168.1.0/24
}
}
.fi
.RE
.SH "METRICS"
.PP
If monitoring is enabled (via the \fIprometheus\fP plugin) then the following metrics are exported:
.IP \(bu 4
\fB\fCcoredns_acl_blocked_requests_total{server, zone}\fR - counter of DNS requests being blocked.
.IP \(bu 4
\fB\fCcoredns_acl_allowed_requests_total{server}\fR - counter of DNS requests being allowed.
.PP
The \fB\fCserver\fR and \fB\fCzone\fR labels are explained in the \fImetrics\fP plugin documentation.
Reference in New Issue View Git Blame Copy Permalink