[dnsdist] drop reverse lookups
Remi Gacogne
remi.gacogne at powerdns.com
Fri Aug 3 15:34:03 UTC 2018
On 08/03/2018 05:26 PM, Jonathan Reed wrote:
> Thanks, and what about for entire CIDR blocks? Is there a shorthand for
> entire *.10.in-addr space?
>
>> addAction("10.0.0.0/8", DropAction())
>> showRules()
> # Matches Rule Action
> 0 0 Src: 10.0.0.0/8 drop
>
> Here it wants to match the source of the query, but I'm interested in
> blocking the destination lookup.
>
> I tried this but it does not block the request.
>
>> addAction('*.10.in-addr.arpa', DropAction())
>> showRules()
> # Matches Rule Action
> 0 0 qname==*.10.in-addr.arpa. drop

By default the first parameter passed to addAction() will be converted
to a NetmaskGroupRule() or a SuffixMatchNodeRule(), so in your case a
SuffixMatchNodeRule() because it can't be converted to a valid Netmask.

So addAction('10.in-addr.arpa', DropAction()) will match everything
under 10.in-addr.arpa, which I believe is what you want.

If you had been looking to match only the exact 10.in-addr.arpa name, you
would have needed to use QNameRule("10.in-addr.arpa") instead.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
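
Added example, not part of the original message or of the dnsdist project: a dnsdist.conf fragment that turns IPv4 CIDR blocks into the in-addr.arpa suffixes covering them and drops queries under those names with an explicit SuffixMatchNodeRule(). It goes beyond the 10.0.0.0/8 case in the thread by handling prefix lengths that do not fall on an octet boundary; reverseZones() is a hypothetical helper and the extra blocks (172.16.0.0/12, 192.168.0.0/16) are assumptions.

```lua
-- Added example. reverseZones() is a hypothetical helper, not a dnsdist built-in.
-- Returns the in-addr.arpa names whose subtrees exactly cover an IPv4 CIDR block.
local function reverseZones(cidr)
  local a, b, c, d, len = cidr:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)/(%d+)$")
  assert(a, "expected an IPv4 CIDR such as 10.0.0.0/8")
  local octets = { tonumber(a), tonumber(b), tonumber(c), tonumber(d) }
  len = tonumber(len)
  assert(len <= 32, "prefix length out of range")
  for _, o in ipairs(octets) do assert(o <= 255, "octet out of range") end

  -- Whole octets become labels, written in reverse order in front of in-addr.arpa.
  local full, rem = math.floor(len / 8), len % 8
  local tail = "in-addr.arpa."
  for i = 1, full do tail = octets[i] .. "." .. tail end
  if rem == 0 then return { tail } end   -- e.g. 10.0.0.0/8 -> 10.in-addr.arpa.

  -- A partial octet has no single suffix: list every value it can take.
  local span = 2 ^ (8 - rem)
  local first = octets[full + 1] - octets[full + 1] % span
  local zones = {}
  for v = first, first + span - 1 do
    zones[#zones + 1] = string.format("%d.%s", v, tail)
  end
  return zones                           -- e.g. 172.16.0.0/12 -> 16 names
end

-- Assumed list of blocks whose reverse lookups should be dropped.
local blocks = { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }

local smn = newSuffixMatchNode()
for _, cidr in ipairs(blocks) do
  for _, zone in ipairs(reverseZones(cidr)) do
    smn:add(newDNSName(zone))
  end
end

-- Suffix match on the query name, not the client source address.
addAction(SuffixMatchNodeRule(smn), DropAction())
```

After loading, showRules() should list a single suffix rule, and its Matches counter increments for reverse queries under any of the listed names.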