[dnsdist] pool selection without implicit accept

Pieter Lexis pieter.lexis at powerdns.com
Fri Jul 12 10:58:03 UTC 2019


Hi Klaus,

On 7/12/19 10:34 AM, Klaus Darilion wrote:
> I have a ruleset with several whitelists (AllowAction) and ratelimit
> (MaxQPSRule+DropAction).
> 
> Now, independent of these rules I would like to use different backend
> pools. But now I have a problem as PoolAction() immediately forwards the
> request and my blacklist/whitelist rules are not handled anymore.
> 
> Moving the pool selection after the black/whitelist also does not work
> as the whitelist sends immediately to the default pool.
> 
> Hence, I suggest a PoolAction() without implicit AllowAction, for
> example PoolActionSetOnly() or PoolActionContinue() to set the pool for
> a request but continue in the rules processing.

Perhaps the AndRule[1] operator could help here?

```
rule1 = MaxQPSRule(...)
rule2 = SomeOtherRule()

addAction(AndRule{rule1, rule2}, PoolAction(...))
```

We use this in our own setups:

```
allowed_axfr_addresses_rule = makeRule({'192.0.2.1', '2001:DB8::1'})
-- Deny AXFR from anything but the allowed addresses
addAction(
  AndRule({
    OrRule({
      QTypeRule(DNSQType.AXFR),
      QTypeRule(DNSQType.IXFR),
    }),
    NotRule(allowed_axfr_addresses_rule)
  }),
  RCodeAction(DNSRCode.REFUSED)
)
```

This way, with the rules correctly ordered, you should be able to
achieve your goal. If you could provide the mailing list with your
current config and a description of what exactly you're trying to do, we
would be able to judge if what you're asking for is indeed a new feature
that could be implemented.

Cheers,

Pieter

1 - https://dnsdist.org/rules-actions.html#AndRule

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
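
The ordering suggested in this message, written out as a dnsdist configuration. This is an added example, not part of the original post and not PowerDNS's own configuration; the addresses, the zone name, the pool name and the 50 qps limit are constructed for illustration. It assumes the whitelist can be expressed as a `NotRule` exemption on each drop rule instead of a terminating `AllowAction`, so that whitelisted queries still reach the pool selection rule.

```lua
-- Added example: constructed backends, networks and names (assumptions).
newServer({address = "192.0.2.10:53", pool = "customers"})
newServer({address = "192.0.2.20:53"})            -- no pool given: default pool

-- Sources that must never be rate limited (the former AllowAction whitelist).
trusted_sources = makeRule({"198.51.100.0/24", "2001:db8:1::/48"})

-- Zone whose queries should go to the dedicated pool.
customer_zone = makeRule("customer.example.")

-- 1. Rate limit everyone except the trusted sources.
--    MaxQPSIPRule matches once a source exceeds the given qps; NotRule is
--    listed first so trusted sources are exempt from the drop.
--    DropAction ends processing only for the queries that match.
addAction(
  AndRule({
    NotRule(trusted_sources),
    MaxQPSIPRule(50)
  }),
  DropAction()
)

-- 2. Pool selection. Every query that was not dropped above, trusted or
--    not, is evaluated here, so filtering and routing stay independent.
addAction(customer_zone, PoolAction("customers"))

-- 3. Queries matching no rule are sent to the default pool.
```

Because no rule before step 2 uses `AllowAction`, nothing short-circuits to the default pool ahead of the `PoolAction` rule.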

