[dnsdist] pool selection without implicit accept
Pieter Lexis pieter.lexis at powerdns.com
Fri Jul 12 10:58:03 UTC 2019

Hi Klaus,
On 7/12/19 10:34 AM, Klaus Darilion wrote:
> I have a ruleset with several whitelists (AllowAction) and ratelimit
> (MaxQPSRule+DropAction).
> 
> Now, independent of these rules I would like to use different backend
> pools. But now I have a problem as PoolAction() immediately forwards the
> request and my blacklist/whitelist rules are not handled anymore.
> 
> Moving the pool selection after the black/whitelist also does not work
> as the whitelist sends immediately to the default pool.
> 
> Hence, I suggest a PoolAction() without implicit AllowAction, for
> example PoolActionSetOnly() or PoolActionContinue() to set the pool for
> a request but continue in the rules processing.
Perhaps the AndRule[1] operator could help here?
```
rule1 = MaxQPSRule(...)
rule2 = SomeOtherRule()
addAction(AndRule{rule1, rule2}, PoolAction(...))
```
We use this in our own setups:
```
allowed_axfr_addresses_rule = makeRule({'192.0.2.1', '2001:DB8::1'})
-- Deny AXFR from anything but the allowed addresses
addAction(
  AndRule({
    OrRule({
      QTypeRule(DNSQType.AXFR),
      QTypeRule(DNSQType.IXFR),
    }),
    NotRule(allowed_axfr_addresses_rule)
  }),
  RCodeAction(DNSRCode.REFUSED)
)
```
This way, with the rules correctly ordered, you should be able to
achieve your goal. If you could provide the mailing list with your
current config and a description of what exactly you're trying to do, we
would be able to judge if what you're asking for is indeed a new feature
that could be implemented.
Cheers,
Pieter
1 - https://dnsdist.org/rules-actions.html#AndRule
-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
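
The rule ordering suggested in the reply above, written out as an added example that is not part of the original mail and not PowerDNS's own configuration. All addresses, the zone name, the pool name and the QPS limit are constructed placeholders, and MaxQPSIPRule (which matches sources exceeding the limit) is an assumption about which rate-limit rule fits here.

```lua
-- Added example: whitelist, blacklist and rate limit are all expressed as
-- "drop" rules, so no AllowAction is needed and the pool selection rules at
-- the end are only reached by queries that survived the filtering.
-- Every address, name and number below is a constructed placeholder.

-- Backends: one dedicated pool and the default pool.
newServer({address = '192.0.2.10:53', pool = 'zone-a'})
newServer({address = '192.0.2.20:53'})

-- Source address lists (documentation ranges, replace with real ones).
local whitelist = makeRule({'198.51.100.0/24', '2001:db8:1::/48'})
local blacklist = makeRule({'203.0.113.0/24'})

-- 1. Blacklisted sources are dropped first.
addAction(blacklist, DropAction())

-- 2. Rate limit every source that is NOT whitelisted. Whitelisted sources
--    never match this rule, so they fall through to the rules below
--    instead of being sent to the default pool by an AllowAction.
addAction(
  AndRule({
    NotRule(whitelist),
    MaxQPSIPRule(50)   -- placeholder limit, queries per second per source
  }),
  DropAction()
)

-- 3. Pool selection comes last: PoolAction ends rule processing, which is
--    fine here because all filtering has already happened.
addAction(makeRule('a.example.'), PoolAction('zone-a'))

-- 4. Anything not matched above goes to the default pool.
```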