[dnsdist] Rules and Whitelisting

Remi Gacogne remi.gacogne at powerdns.com
Thu Jun 30 10:06:47 UTC 2016


On 06/30/2016 10:57 AM, Alejandro Adroher Mellado wrote:

> As my whitelist is on dnsdist config file and if I am understanding
> you well, maybe having the rule you wrote, forced to be on the top of
> the rules list, is the solution I need. Using topRule() or
> mvRule(from,to)

Yes, that would be an option.

> Or even better, create this rule directly on the config file so we
> will have always on top1.


> So, the allow action you propose for the whitelist, can invalidate a
> forward to abuse pool action (or another), meanwhile the allow action
> over the whitelist continues to be in the top of the list.

I'm not sure I understand that sentence correctly. If you have something

addAction(NetmaskGroupRule(whitelisted), AllowAction())
addPoolRule(IP1, "abuse")
addPoolRule(IP2, "abuse")

Addresses in the "whitelisted" ranges will never be routed to the abuse
pool, because as soon as the NetmaskGroupRule(whitelisted) rule matches,
the AllowAction() is executed, the rule processing stops and the query
is forwarded to a server.

A less efficient option would be to change the rules your script adds from:

addPoolRule({"'$1'"}, "abuse")


addPoolRule(AndRule{{"'$1'"}, NotRule(NetmaskGroupRule(whitelisted))},

But of course the NotRule(NetmaskGroupRule(whitelisted)) part would then
be evaluated multiple times, which is silly.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20160630/b6945200/attachment.sig>

More information about the dnsdist mailing list