acl

package v0.5.2 (latest)
Published: Sep 25, 2025 License: BSD-3-Clause Imports: 15 Imported by: 0

README

acl

Name

acl - enforces access control policies

Description

acl lets users block or filter suspicious DNS queries by configuring IP filter rule sets: authorized queries are allowed and unauthorized queries are blocked.

When evaluating the rule sets, acl matches on the source IP of the query.

Syntax

acl {
    ACTION [QTYPE]... [NET]...
}
  • ACTION defines how DNS queries matched by this rule are handled. The default action is allow: a DNS query not matched by any rule is allowed to recurse. The difference between block and filter

    • allow forwards the query to the next handler.
    • block stops the query and returns a REFUSED response with the extended DNS error (EDE) 'blocked'.
    • filter stops the query and returns a NOERROR response with the extended DNS error (EDE) 'filtered'.
    • drop stops the query and sends no reply.
  • QTYPE is the query type that a request must have to be matched (and so allowed or blocked) by the rule. If QTYPE is omitted, the rule matches all types.

  • NET is the source IP address that a request must come from to be matched by the rule. CIDR notation and single IP addresses are supported.

Examples

The following examples demonstrate typical uses of acl.

Block all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        block A 192.168.0.0/16
    }
}

Filter all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        filter A 192.168.0.0/16
    }
}

Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:

. {
    acl {
        allow 192.168.1.0/24
        block 192.168.0.0/16
    }
}

Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:

. {
    acl {
        allow 192.168.0.0/24 192.168.1.0/24
        block
    }
}

Block all DNS queries from 192.168.1.0/24 towards a.example.org:

a.example.org {
    acl {
        block 192.168.1.0/24
    }
}

Drop all DNS queries from 192.0.2.0/24:

. {
    acl {
        drop 192.0.2.0/24
    }
}
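Added example (not the package's own code): a small Go model of the rule semantics described under Syntax, written to show how the rule sets in the examples above combine. It parses ACTION [QTYPE]... [NET]... lines with the standard library's net/netip, evaluates rules in configured order with the first match winning (an ordering inferred from the third example, where the /24 allow precedes the /16 block), treats a rule with no NET as matching every source (as in the fourth example's bare block), and falls back to allow when nothing matches. The Rule, Evaluate and Decide identifiers and the small set of recognised query types are this example's own assumptions, not the plugin's API; the comments on the action constants only summarise the responses listed under Syntax.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Action is what the acl plugin does with a matching query.
type Action int

const (
	Allow  Action = iota // forward to the next handler
	Block                // REFUSED with EDE "blocked"
	Filter               // NOERROR without records, EDE "filtered"
	Drop                 // no reply at all
)

var names = [...]string{"allow", "block", "filter", "drop"}

// Rule is one "ACTION [QTYPE]... [NET]..." line; empty QTypes or Nets match everything.
type Rule struct {
	Action Action
	QTypes map[string]bool
	Nets   []netip.Prefix
}

var actions = map[string]Action{"allow": Allow, "block": Block, "filter": Filter, "drop": Drop}
// qtypes: tokens treated as QTYPE here (an assumed subset of the DNS type registry).
var qtypes = map[string]bool{"A": true, "AAAA": true, "CNAME": true, "MX": true, "NS": true, "PTR": true, "SOA": true, "SRV": true, "TXT": true, "ANY": true}

// ParseRule parses one non-empty line: action, then query types, CIDRs, or bare addresses.
func ParseRule(line string) (Rule, error) {
	fields := strings.Fields(line)
	act, ok := actions[strings.ToLower(fields[0])]
	if !ok {
		return Rule{}, fmt.Errorf("unknown action %q", fields[0])
	}
	r := Rule{Action: act, QTypes: map[string]bool{}}
	for _, tok := range fields[1:] {
		if up := strings.ToUpper(tok); qtypes[up] {
			r.QTypes[up] = true
		} else if p, err := netip.ParsePrefix(tok); err == nil {
			r.Nets = append(r.Nets, p.Masked())
		} else if a, err := netip.ParseAddr(tok); err == nil {
			r.Nets = append(r.Nets, netip.PrefixFrom(a, a.BitLen())) // bare IP -> /32 or /128
		} else {
			return Rule{}, fmt.Errorf("token %q is neither a query type nor a network", tok)
		}
	}
	return r, nil
}

// Evaluate returns the action of the first matching rule in configured order;
// a query that matches no rule is allowed (the plugin's documented default).
func Evaluate(rules []Rule, qtype string, src netip.Addr) Action {
	for _, r := range rules {
		if len(r.QTypes) > 0 && !r.QTypes[strings.ToUpper(qtype)] {
			continue
		}
		if len(r.Nets) == 0 {
			return r.Action
		}
		for _, n := range r.Nets {
			if n.Contains(src) {
				return r.Action
			}
		}
	}
	return Allow
}

// Decide parses an acl block body (blank lines ignored), evaluates one query,
// and returns the resulting action name.
func Decide(body, qtype, src string) (string, error) {
	var rules []Rule
	for _, line := range strings.Split(body, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		r, err := ParseRule(line)
		if err != nil {
			return "", err
		}
		rules = append(rules, r)
	}
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return "", fmt.Errorf("bad source address %q: %w", src, err)
	}
	return names[Evaluate(rules, qtype, addr)], nil
}

func main() {
	body := "allow 192.168.1.0/24\nblock 192.168.0.0/16" // the page's third example
	for _, src := range []string{"192.168.1.7", "192.168.9.7", "10.0.0.1"} {
		act, err := Decide(body, "A", src)
		fmt.Println("A from", src, "->", act, err)
	}
}
```

Decide returns the action name for a single query, so the same function can be run over a sample of real query sources to check a rule set before it is deployed. Because the decision is keyed entirely on the source address, an ACL like this limits exposure to a network range but does not authenticate the client.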

Metrics

If monitoring is enabled (via the metrics handler), the following metrics are exported:

  • atomdns_acl_blocked_requests_total{zone, network, family} - counter of DNS requests being blocked.
  • atomdns_acl_filtered_requests_total{zone, network, family} - counter of DNS requests being filtered.
  • atomdns_acl_allowed_requests_total{zone, network, family} - counter of DNS requests being allowed.
  • atomdns_acl_dropped_requests_total{zone, network, family} - counter of DNS requests being dropped.

The zone, network and family labels are explained in the metrics handler documentation.

Bugs

acl should also check TSIG and other signed messages.

Documentation

Index

Constants

This section is empty.

Variables

var (
	RequestsBlock = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: metrics.Namespace, Subsystem: subsystem,
		Name: "blocked_requests_total",
		Help: "Counter of DNS requests being blocked.",
	}, []string{"zone", "network", "family"})

	RequestsFilter = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: metrics.Namespace, Subsystem: subsystem,
		Name: "filtered_requests_total",
		Help: "Counter of DNS requests being filtered.",
	}, []string{"zone", "network", "family"})

	RequestsAllow = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: metrics.Namespace, Subsystem: subsystem,
		Name: "allowed_requests_total",
		Help: "Counter of DNS requests being allowed.",
	}, []string{"zone", "network", "family"})

	RequestsDrop = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: metrics.Namespace, Subsystem: subsystem,
		Name: "dropped_requests_total",
		Help: "Counter of DNS requests being dropped.",
	}, []string{"zone", "network", "family"})
)

Functions

func Err added in v0.5.2

func Err(err error) slog.Attr

Types

type Acl

type Acl struct {
	Rules []rule
}

Acl enforces access control policies on DNS queries.

func (*Acl) Err

func (h *Acl) Err(err error) error

func (*Acl) HandlerFunc

func (a *Acl) HandlerFunc(next dns.HandlerFunc) dns.HandlerFunc

func (*Acl) Key

func (h *Acl) Key() string

func (*Acl) Setup

func (a *Acl) Setup(co *dnsserver.Controller) error
