acl

package
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 2, 2021 License: Apache-2.0 Imports: 12 Imported by: 0

README

acl

Name

acl - enforces access control policies on source ip and prevents unauthorized access to DNS servers.

Description

With acl enabled, users are able to block suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.

This plugin can be used multiple times per Server Block.

Syntax

acl [ZONES...] {
    ACTION [type QTYPE...] [net SOURCE...]
}
  • ZONES zones it should be authoritative for. If empty, the zones from the configuration block are used.
  • ACTION (allow or block) defines the way to deal with DNS queries matched by this rule. The default action is allow, which means a DNS query not matched by any rules will be allowed to recurse.
  • QTYPE is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. * stands for all record types. The default behavior for an omitted type QTYPE... is to match all kinds of DNS queries (same as type *).
  • SOURCE is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. * stands for all possible source IP addresses.

Examples

To demonstrate the usage of plugin acl, here we provide some typical examples.

Block all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        block type A net 192.168.0.0/16
    }
}

Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:

. {
    acl {
        allow net 192.168.1.0/24
        block net 192.168.0.0/16
    }
}

Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:

. {
    acl {
        allow net 192.168.0.0/24 192.168.1.0/24
        block
    }
}

Block all DNS queries from 192.168.1.0/24 towards a.example.org:

example.org {
    acl a.example.org {
        block net 192.168.1.0/24
    }
}

Metrics

If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:

  • coredns_acl_blocked_requests_total{server, zone} - counter of DNS requests being blocked.

  • coredns_acl_allowed_requests_total{server} - counter of DNS requests being allowed.

The server and zone labels are explained in the metrics plugin documentation.

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// RequestBlockCount is the number of DNS requests being blocked.
	RequestBlockCount = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: plugin.Namespace,
		Subsystem: pluginName,
		Name:      "blocked_requests_total",
		Help:      "Counter of DNS requests being blocked.",
	}, []string{"server", "zone"})
	// RequestAllowCount is the number of DNS requests being Allowed.
	RequestAllowCount = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: plugin.Namespace,
		Subsystem: pluginName,
		Name:      "allowed_requests_total",
		Help:      "Counter of DNS requests being allowed.",
	}, []string{"server"})
)

Functions

This section is empty.

Types

type ACL

type ACL struct {
	Next plugin.Handler

	Rules []rule
}

ACL enforces access control policies on DNS queries.

func (ACL) Name

func (a ACL) Name() string

Name implements the plugin.Handler interface.

func (ACL) ServeDNS

func (a ACL) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

ServeDNS implements the plugin.Handler interface.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL