[dnsdist] ACL logging

Remi Gacogne remi.gacogne at powerdns.com
Thu May 4 07:38:17 UTC 2017


Hi,

On 05/03/2017 07:16 PM, Nico wrote:
> we have a large ACL list and have two questions.
> 
> 1- what is more efficient, iptables or dnsdist ACL?

iptables is probably more efficient since the filtering occurs in the
kernel, while dnsdist's ACLs are applied in userspace. The answer might
be different when using dnsdist's eBPF filtering, but it's a bit more
complicated to use at the moment.

> 2- in the case of the ACL we see a large number of acl drops, is there
> any way to log

You could start dnsdist in verbose mode with -v, but be aware that if
you get a lot of traffic that might not be usable.
In verbose mode, an ACL drop logs something like:

Query from 192.0.2.1 dropped because of ACL

Best regards,

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
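
Added example, not part of the original message and not PowerDNS code: one way to keep verbose-mode output usable under heavy traffic is to aggregate the ACL drop lines per source address and per network instead of reading them one by one. The line format is the one quoted above; the ip:port and [ip6]:port variants, the syslog prefix, the prefix lengths and all names in the code are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Line format as quoted in the message; the source token is parsed separately.
ACL_DROP = re.compile(r"Query from (\S+) dropped because of ACL")

# Constructed sample input. The ip:port and [ip6]:port forms and the syslog
# prefix are assumptions, since the message only says "something like".
SAMPLE = [
    "Query from 192.0.2.1 dropped because of ACL",
    "Query from 192.0.2.1:40211 dropped because of ACL",
    "May  4 07:38:17 host dnsdist[123]: Query from 192.0.2.77:5353 dropped because of ACL",
    "Query from [2001:db8::1]:53124 dropped because of ACL",
    "Query from 2001:db8::2 dropped because of ACL",
    "unrelated line that must be ignored",
    "Query from 198.51.100.9 dropped because of ACL",
]

def source_ip(token):
    """Return the address in token, accepting ip, ip:port and [ip6]:port."""
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    try:
        return ipaddress.ip_address(token)  # bare IPv4 or bare IPv6
    except ValueError:
        host, _, _port = token.rpartition(":")  # strip a trailing :port
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None  # not an address: skip the line rather than guess

def summarize(lines, v4_prefix=24, v6_prefix=64):
    """Count ACL drops per source host and per enclosing network."""
    hosts, nets = Counter(), Counter()
    for line in lines:
        match = ACL_DROP.search(line)
        ip = source_ip(match.group(1)) if match else None
        if ip is None:
            continue
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        hosts[str(ip)] += 1
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return hosts, nets

if __name__ == "__main__":
    hosts, nets = summarize(SAMPLE)
    for net, count in nets.most_common():
        print(f"{count:6d}  {net}")
```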
