mirror of
https://github.com/coredns/coredns.git
synced 2025-11-19 18:32:16 -05:00
* Add plugin ACL for source ip filtering
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Allow all arguments to be optional and support multiple qtypes in a single policy
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Add newline before third party imports
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Use camel instead of underscore in method name
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Start with an upper case letter in t.Errorf()
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Use the qtype parse logic in miekg/dns
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Use third party trie implementation as the ip filter
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Update based on rdrozhdzh's comment
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Change the type of action to int
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Add IPv6 support
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Update plugin.cfg
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Remove file functionality
  Signed-off-by: An Xiao <hac@zju.edu.cn>
* Update
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update README
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* remove comments
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* update
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update dependency
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update test
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Add OWNERS
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Refactor shouldBlock and skip useless check
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Introduce ActionNone
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update label name
  Signed-off-by: Xiao An <hac@zju.edu.cn>
* Avoid capitalizing private types
  Signed-off-by: Xiao An <hac@zju.edu.cn>
69 lines
1.9 KiB
Markdown
# acl
*acl* - enforces access control policies on source IP and prevents unauthorized access to DNS servers.
## Description
With `acl` enabled, users are able to block suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
This plugin can be used multiple times per Server Block.
## Syntax
```
acl [ZONES...] {
    ACTION [type QTYPE...] [net SOURCE...]
}
```
- **ZONES** zones it should be authoritative for. If empty, the zones from the configuration block are used.
- **ACTION** (*allow* or *block*) defines the way to deal with DNS queries matched by this rule. The default action is *allow*, which means a DNS query not matched by any rules will be allowed to recurse.
- **QTYPE** is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. `*` stands for all record types. The default behavior for an omitted `type QTYPE...` is to match all kinds of DNS queries (same as `type *`).
- **SOURCE** is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. `*` stands for all possible source IP addresses.
## Examples
To demonstrate the usage of the acl plugin, here are some typical examples.
Block all DNS queries with record type A from 192.168.0.0/16:
~~~ Corefile
. {
    acl {
        block type A net 192.168.0.0/16
    }
}
~~~
Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:
~~~ Corefile
. {
    acl {
        allow net 192.168.1.0/24
        block net 192.168.0.0/16
    }
}
~~~
Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:
~~~ Corefile
. {
    acl {
        allow net 192.168.0.0/24 192.168.1.0/24
        block
    }
}
~~~
Block all DNS queries from 192.168.1.0/24 towards a.example.org:
~~~ Corefile
example.org {
    acl a.example.org {
        block net 192.168.1.0/24
    }
}
~~~
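The Syntax section above defines a rule as `ACTION [type QTYPE...] [net SOURCE...]`, and the examples rely on rules being evaluated in order with the first match deciding and unmatched queries falling through to *allow*. The following Go program is an added illustration of exactly those semantics, written for this page; it is not the plugin's own code (the real plugin parses qtypes with miekg/dns and matches sources with a trie, while this example uses only the standard library and keeps query types as plain strings). The rule lines and the source addresses fed to it are constructed to mirror the Corefile examples above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// action is the decision a rule makes for a matched query.
// actionNone means no rule matched, which the README says defaults to allow.
type action int

const (
	actionNone action = iota
	actionAllow
	actionBlock
)

// rule mirrors one "ACTION [type QTYPE...] [net SOURCE...]" policy line.
type rule struct {
	act      action
	allTypes bool            // "type *" or no type clause at all
	qtypes   map[string]bool // record types this rule matches, upper-cased
	allNets  bool            // "net *" or no net clause at all
	nets     []*net.IPNet    // CIDR blocks (single IPs become /32 or /128)
}

// parseRule parses a single policy line (hypothetical helper, not the plugin's parser).
func parseRule(line string) (rule, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return rule{}, fmt.Errorf("empty rule")
	}
	r := rule{qtypes: map[string]bool{}}
	switch fields[0] {
	case "allow":
		r.act = actionAllow
	case "block":
		r.act = actionBlock
	default:
		return rule{}, fmt.Errorf("unknown action %q", fields[0])
	}
	mode := "" // which clause ("type" or "net") the following tokens belong to
	for _, f := range fields[1:] {
		if f == "type" || f == "net" {
			mode = f
			continue
		}
		switch mode {
		case "type":
			if f == "*" {
				r.allTypes = true
			} else {
				r.qtypes[strings.ToUpper(f)] = true
			}
		case "net":
			if f == "*" {
				r.allNets = true
				continue
			}
			if !strings.Contains(f, "/") { // bare address: widen to a host prefix
				if strings.Contains(f, ":") {
					f += "/128"
				} else {
					f += "/32"
				}
			}
			_, n, err := net.ParseCIDR(f)
			if err != nil {
				return rule{}, fmt.Errorf("bad source %q: %w", f, err)
			}
			r.nets = append(r.nets, n)
		default:
			return rule{}, fmt.Errorf("unexpected token %q before type/net", f)
		}
	}
	// An omitted clause matches everything, as the README documents.
	if len(r.qtypes) == 0 {
		r.allTypes = true
	}
	if len(r.nets) == 0 {
		r.allNets = true
	}
	return r, nil
}

// parsePolicy parses the lines of one acl block, preserving their order.
func parsePolicy(lines []string) ([]rule, error) {
	var rules []rule
	for _, l := range lines {
		r, err := parseRule(l)
		if err != nil {
			return nil, err
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// matches reports whether the rule applies to a query from src of type qtype.
func (r rule) matches(src net.IP, qtype string) bool {
	if !r.allTypes && !r.qtypes[strings.ToUpper(qtype)] {
		return false
	}
	if r.allNets {
		return true
	}
	for _, n := range r.nets {
		if n.Contains(src) {
			return true
		}
	}
	return false
}

// evaluate returns the action of the first matching rule, or actionNone.
func evaluate(rules []rule, src net.IP, qtype string) action {
	for _, r := range rules {
		if r.matches(src, qtype) {
			return r.act
		}
	}
	return actionNone
}

// shouldBlock applies the README default: only an explicit block rule blocks;
// an unmatched query (actionNone) is allowed to recurse.
func shouldBlock(rules []rule, src, qtype string) bool {
	return evaluate(rules, net.ParseIP(src), qtype) == actionBlock
}

func main() {
	// Constructed policy: the README's "block the /16 except the /24" example.
	rules, err := parsePolicy([]string{
		"allow net 192.168.1.0/24",
		"block net 192.168.0.0/16",
	})
	if err != nil {
		panic(err)
	}
	for _, src := range []string{"192.168.1.7", "192.168.2.7", "10.0.0.1"} {
		fmt.Printf("%-12s A -> block=%v\n", src, shouldBlock(rules, src, "A"))
	}
}
```

Rule order is the whole point: swapping the two lines of the second example would make the `block net 192.168.0.0/16` rule match first and the narrower allow would never be reached, so a policy audit should read an acl block top to bottom the same way this loop does.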