[dnsdist] Exclude domains with dynBlockRulesGroup ?
Remi Gacogne
remi.gacogne at powerdns.com
Wed Jul 12 11:16:10 UTC 2023
Hi Denis,
On 12/07/2023 12:24, Denis MACHARD via dnsdist wrote:
> How to exclude some domains with the dynamic block feature
> (dynBlockRulesGroup)?
> Is it possible? The documentation is not clear on this, if anyone has
> an example.
We should document this more clearly. There are two types of rules in a
DBRG:
- setQueryRate, setRCodeRate, setRCodeRatio, setQTypeRate and
setResponseByteRate work by looking at the queries and responses present
in the ring buffers grouped by client IP, so they can decide to apply an
action on a given IP. Therefore the excludeRange and includeRange
directives apply to these rules to allowlist and denylist some IPs/ranges.
- setSuffixMatchRule and setSuffixMatchRuleFFI work by looking at the
responses present in the ring buffers grouped by subdomains, so they can
decide to apply an action on a given domain or subdomain. Therefore the
excludeDomains directive applies to these rules to prevent a domain and
its children from being blocked.
So you cannot exclude an IP or a range from
setSuffixMatchRule/setSuffixMatchRuleFFI, and neither can you exclude a
domain from the other rules.
I hope that helps!
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
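
The split described in the message above, as an added dnsdist configuration example that is not part of the original e-mail or of the PowerDNS documentation: the per-client rules pair with excludeRange, the suffix-match rule pairs with excludeDomains. The thresholds, address ranges, domain names and the visitor function name are constructed for illustration.

```lua
-- Added example; all numeric thresholds, ranges and domains are constructed.
local dbrg = dynBlockRulesGroup()

-- Rules of the first type: they look at ring-buffer entries grouped by
-- client IP and decide whether to apply an action on that IP.
dbrg:setQueryRate(30, 10, "Exceeded query rate", 60)
dbrg:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)

-- excludeRange only affects the per-client rules above: clients in these
-- ranges are never blocked by them. It has no effect on the suffix rule.
dbrg:excludeRange({"192.0.2.0/24", "2001:db8::/32"})

-- Rule of the second type: the visitor is called per (sub)domain seen in
-- the responses in the ring buffers. Returning true blocks that suffix.
-- 'childstat' holds the stats of the current node plus all its children.
local function servfailHeavy(node, self, childstat)
  return childstat.queries > 50
     and childstat.servfails / childstat.queries > 0.8
end
dbrg:setSuffixMatchRule(10, "ServFail ratio too high", 60, DNSAction.Drop, servfailHeavy)

-- excludeDomains only affects the suffix-match rule: these domains and
-- their children are never blocked by it. It has no effect on the
-- per-client rules, so a client querying these names can still be blocked
-- by setQueryRate or setRCodeRate.
dbrg:excludeDomains({"example.com.", "internal.example.net."})

-- Rules are evaluated each time apply() is called.
function maintenance()
  dbrg:apply()
end
```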