[dnsdist] Rules and Whitelisting

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Fri Jul 1 13:52:10 UTC 2016


Great! I've tested it and it works like I expected.

Thanks Remi.

-----Original Message-----
From: dnsdist [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Remi Gacogne
Sent: Thursday, June 30, 2016 12:07
To: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Rules and Whitelisting

Hi,

On 06/30/2016 10:57 AM, Alejandro Adroher Mellado wrote:

> As my whitelist is on dnsdist config file and if I am understanding 
> you well, maybe having the rule you wrote, forced to be on the top of 
> the rules list, is the solution I need. Using topRule() or
> mvRule(from,to)

Yes, that would be an option.

> Or even better, create this rule directly on the config file so we 
> will have always on top1.

Yes.

> So, the allow action you propose for the whitelist, can invalidate a 
> forward to abuse pool action (or another), meanwhile the allow action 
> over the whitelist continues to be in the top of the list.

I'm not sure I understand that sentence correctly. If you have something
like:

addAction(NetmaskGroupRule(whitelisted), AllowAction())
addPoolRule(IP1, "abuse")
addPoolRule(IP2, "abuse")

Addresses in the "whitelisted" ranges will never be routed to the abuse pool, because as soon as the NetmaskGroupRule(whitelisted) rule matches, the AllowAction() is executed, the rule processing stops and the query is forwarded to a server.

A less efficient option would be to change the rules your script adds from:

addPoolRule({"'$1'"}, "abuse")

to

addPoolRule(AndRule{{"'$1'"}, NotRule(NetmaskGroupRule(whitelisted))}, "abuse")

But of course the NotRule(NetmaskGroupRule(whitelisted)) part would then be evaluated multiple times, which is silly.
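
The ordering behaviour described in this thread, as an added example that is not part of the original messages and is not dnsdist code: a small Python model of first-match rule processing, plus a check that reports abuse-pool rules sitting above the whitelist allow rule. The function names, the "pool:abuse" labels and the addresses are constructed for illustration.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, source):
    """Return the action of the first rule whose netmasks contain `source`.

    Models the behaviour described in the thread: once a rule matches, its
    action runs and rule processing stops.
    """
    addr = ipaddress.ip_address(source)
    for nets, action in rules:
        if any(addr in n for n in nets):
            return action
    return "default"  # no rule matched: query goes to the default pool

def shadowing_rules(rules, whitelist):
    """List pool rules placed above the allow rule that overlap the whitelist."""
    hits = []
    for index, (nets, action) in enumerate(rules):
        if action == "allow":
            break  # assumption: the first allow rule is the whitelist rule
        for n in nets:
            for w in whitelist:
                if n.version == w.version and n.overlaps(w):
                    hits.append((index, str(n), str(w)))
    return hits

# Constructed sample data (documentation address ranges).
WHITELIST = [net("192.0.2.0/24")]
ALLOW_RULE = (WHITELIST, "allow")
ABUSE_RULES = [([net("192.0.2.10/32")], "pool:abuse"),
               ([net("198.51.100.7/32")], "pool:abuse")]

WHITELIST_ON_TOP = [ALLOW_RULE] + ABUSE_RULES   # allow rule kept at position 0
WHITELIST_LAST = ABUSE_RULES + [ALLOW_RULE]     # allow rule added after the pool rules

if __name__ == "__main__":
    for name, rules in (("on top", WHITELIST_ON_TOP), ("last", WHITELIST_LAST)):
        print(name, evaluate(rules, "192.0.2.10"), shadowing_rules(rules, WHITELIST))
```

With the allow rule first, the whitelisted source 192.0.2.10 is allowed even though an abuse rule names it; with the allow rule last, the same source is sent to the abuse pool and the check flags the rule responsible.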



