mirror of
https://github.com/coredns/coredns.git
synced 2025-11-15 00:12:16 -05:00
79f37a1460
* Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn>
acl
acl - enforces access control policies on source ip and prevents unauthorized access to DNS servers.
Description
With acl enabled, users are able to block suspicous DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
This plugin can be used multiple times per Server Block.
Syntax
acl [ZONES...] {
ACTION [type QTYPE...] [net SOURCE...]
}
- ZONES zones it should be authoritative for. If empty, the zones from the configuration block are used.
- ACTION (allow or block) defines the way to deal with DNS queries matched by this rule. The default action is allow, which means a DNS query not matched by any rules will be allowed to recurse.
- QTYPE is the query type to match for the requests to be allowed or blocked. Common resource record types are supported.
*stands for all record types. The default behavior for an omittedtype QTYPE...is to match all kinds of DNS queries (same astype *). - SOURCE is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported.
*stands for all possible source IP addresses.
Examples
To demonstrate the usage of plugin acl, here we provide some typical examples.
Block all DNS queries with record type A from 192.168.0.0/16:
. {
acl {
block type A net 192.168.0.0/16
}
}
Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:
. {
acl {
allow net 192.168.1.0/24
block net 192.168.0.0/16
}
}
```
Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:
~~~ Corefile
. {
acl {
allow net 192.168.0.0/16 192.168.1.0/24
block
}
}
Block all DNS queries from 192.168.1.0/24 towards a.example.org:
example.org {
acl a.example.org {
block net 192.168.1.0/24
}
}