[dnsdist] Rules and Whitelisting

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Thu Jun 30 08:57:57 UTC 2016

Morning all, thanks Remi.

The rules I'm creating from the script are like:   dnsdist -e 'addPoolRule({"'$1'"}, "abuse")'
where {"'$1'"} is the SERVFAILED domain logged in the PowerDNS log.

As my whitelist is in the dnsdist config file, and if I am understanding you correctly, maybe having the rule you wrote forced to the top of the rules list is the solution I need, using topRule() or mvRule(from,to).

Or even better, create this rule directly in the config file so we will always have it on top.

So the allow action you propose for the whitelist can invalidate a forward-to-abuse-pool action (or another), while the allow action for the whitelist continues to be at the top of the list.

Am I right?

Thank you for your quick reply.


-----Original Message-----
From: dnsdist [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Remi Gacogne
Sent: Wednesday, 29 June 2016 9:43
To: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Rules and Whitelisting

Hi Alejandro,

On 06/29/2016 09:20 AM, Alejandro Adroher Mellado wrote:
> Now, I’m looking for how to prevent those rules from affecting the
> queries coming from these whitelisted IPs.

It depends on how exactly those rules are written, but you could add a new rule before those to explicitly allow queries coming from the whitelisted IPs:

addAction(NetmaskGroupRule(whitelisted), AllowAction())

Please be aware that this rule will stop the subsequent rules from being processed when it matches, so you might need to reorder your rules accordingly.

Best regards,

Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
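
The rule ordering discussed in this thread, written out as a dnsdist configuration. This is an added example, not taken from either poster's setup; the backend addresses, client networks and the domain are placeholder assumptions.

```lua
-- Added example: constructed dnsdist configuration, not from the thread.
-- All addresses and names are placeholders from documentation ranges.

-- Default backend, plus a separate backend serving the "abuse" pool.
newServer({address="192.0.2.10:53"})
newServer({address="192.0.2.20:53", pool="abuse"})

-- Client networks that must never be diverted to the abuse pool.
whitelisted = newNMG()
whitelisted:addMask("198.51.100.0/24")
whitelisted:addMask("203.0.113.7/32")

-- First rule: a query from a whitelisted source matches here, is allowed
-- through to the default pool, and no later rule is evaluated for it.
addAction(NetmaskGroupRule(whitelisted), AllowAction())

-- Rules added afterwards are appended to the end of the list, whether
-- they come from this file or from the console at runtime, e.g.
--   dnsdist -e 'addPoolRule({"servfail.example."}, "abuse")'
-- so they are only reached by non-whitelisted clients.
addPoolRule({"servfail.example."}, "abuse")

-- If the allow rule is ever added after other rules, check the order with
-- showRules() on the console and fix it there:
--   topRule()        moves the last rule to the first position
--   mvRule(from, to) moves one rule in front of another
```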
