[dnsdist] dnsdist Action dependent on source IP and queried domain
Jacob Bunk Nielsen
jbn at one.com
Thu Feb 27 08:34:16 UTC 2020
On 27/02/2020 09.13, Jochen Demmer via dnsdist wrote:
> you're saying I can use one dnsdist instance bound to different IPs for
> all DNS traffic no matter if it's recursive or authoritative and even at
> the same time for my protected authoritative domains?
Yes, you can do stuff like:
-- One listener per role; the second argument is the (here empty) options table
addLocal('1.1.1.1',{})  -- public authoritative
addLocal('2.2.2.2',{})  -- public recursive
addLocal('3.3.3.3',{})  -- internal authoritative

-- Wrap each listener address in a netmask group so rules can match on the
-- destination address a query arrived on
external_auth_dns_ips = newNMG()
external_auth_dns_ips:addMask('1.1.1.1/32')
external_recursive_dns_ips = newNMG()
external_recursive_dns_ips:addMask('2.2.2.2/32')
internal_dns_ips = newNMG()
internal_dns_ips:addMask('3.3.3.3/32')

-- Source networks allowed to use the internal listener
internal_network = newNMG()
internal_network:addMask('10.0.0.0/8')
internal_network:addMask('192.168.0.0/16')

-- Second argument false: match on the destination (listener) address,
-- not on the client's source address
addAction(NetmaskGroupRule(external_auth_dns_ips, false),
          PoolAction('auth_pool'))
addAction(NetmaskGroupRule(external_recursive_dns_ips, false),
          PoolAction('recursive_pool'))
-- Internal listener AND client inside the internal network
-- (no second argument: the default is to match the source address)
addAction(AndRule({NetmaskGroupRule(internal_dns_ips, false),
                   NetmaskGroupRule(internal_network)}),
          PoolAction('internal_auth_pool'))
Then you of course want to create relevant backends using newServer()
and probably add a bit of caching as well.
But as always, there's more than one way to do it :-)
> Since there are several thousand domains we host for our customers and a
> few protected ones I would have to keep dnsdist informed about all of
> those, right? This is not something I would like to do manually of
> course. Without the dnsdist knowing how could it decide where to
> redirect the query or even to deny the request in the first place?
>
> Can someone please give a short example of how such an Action could look?
> I've tried something like this but this is obviously not enough.
>
> addAction(RegexRule(".internal\\.domain\\.net$"), PoolAction("privatezone"))
That's why I suggest setting it up on a separate IP. You can even put it
in a separate dnsdist instance if you prefer to keep things completely
separate, but the above (untested) config would also just solve this for
you.
> But this would need a second selector which would be this NMG thing. How
> can I combine that?
> I also made a small matrix on what shall be done with which requests.
> See attached image.
You can make explicit rules to return REFUSED replies in the cases where
you want that.
Best regards,
Jacob
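The following is an added example, not the configuration from the original post and not code from the dnsdist project. It combines the destination-address rules above with a zone suffix match and explicit REFUSED replies, and goes one step beyond the thread by also restricting the recursive listener to a customer range so it is not an open resolver. The listener IPs and the 10.0.0.0/8 and 192.168.0.0/16 ranges are the ones from the thread; the backend addresses, the customer_networks range and the zone name internal.domain.net are placeholders (assumed values), and the calls assume the dnsdist 1.4-era Lua API.

```lua
-- Added example (assumed values are marked); not the original poster's config.

-- dnsdist only accepts queries from RFC1918-style ranges by default. Open the
-- ACL here and let the ordered rules below decide who gets an answer.
setACL({'0.0.0.0/0', '::/0'})

addLocal('1.1.1.1', {})  -- public authoritative listener
addLocal('2.2.2.2', {})  -- public recursive listener
addLocal('3.3.3.3', {})  -- internal-only listener

-- Backends, one pool per role (placeholder addresses, assumed)
newServer({address = '10.10.0.1', pool = 'auth_pool'})
newServer({address = '10.10.0.2', pool = 'recursive_pool'})
newServer({address = '10.10.0.3', pool = 'internal_auth_pool'})

-- Listener addresses, matched on the destination side (src = false)
auth_listener = newNMG()
auth_listener:addMask('1.1.1.1/32')
recursive_listener = newNMG()
recursive_listener:addMask('2.2.2.2/32')
internal_listener = newNMG()
internal_listener:addMask('3.3.3.3/32')

-- Client networks, matched on the source side (the default)
internal_network = newNMG()
internal_network:addMask('10.0.0.0/8')
internal_network:addMask('192.168.0.0/16')
customer_networks = newNMG()
customer_networks:addMask('198.51.100.0/24')  -- placeholder range (assumed)

-- Protected zones that must never be answered to the outside. A suffix match
-- node is cheaper than a RegexRule and covers the zone and everything below it.
protected_zones = newSuffixMatchNode()
protected_zones:add(newDNSName('internal.domain.net'))  -- placeholder zone (assumed)

-- Reusable selectors; rules are evaluated in order and the first match decides.
on_internal_listener  = NetmaskGroupRule(internal_listener, false)
from_internal_network = NetmaskGroupRule(internal_network)
internal_ok = AndRule({on_internal_listener, from_internal_network})

-- 1. Protected zones: only via the internal listener from the internal network.
--    Every other combination is refused, whichever listener it arrived on.
addAction(AndRule({SuffixMatchNodeRule(protected_zones), NotRule(internal_ok)}),
          RCodeAction(DNSRCode.REFUSED))

-- 2. Internal listener reached from outside the internal network: refuse.
addAction(AndRule({on_internal_listener, NotRule(from_internal_network)}),
          RCodeAction(DNSRCode.REFUSED))

-- 3. Internal listener from the internal network: internal authoritative pool.
addAction(internal_ok, PoolAction('internal_auth_pool'))

-- 4. Public authoritative listener: anyone may ask for the public zones.
addAction(NetmaskGroupRule(auth_listener, false), PoolAction('auth_pool'))

-- 5. Recursive listener: customers only, everyone else gets REFUSED.
addAction(AndRule({NetmaskGroupRule(recursive_listener, false),
                   NetmaskGroupRule(customer_networks)}),
          PoolAction('recursive_pool'))
addAction(NetmaskGroupRule(recursive_listener, false),
          RCodeAction(DNSRCode.REFUSED))

-- A packet cache in front of the recursive pool; size is an assumed value.
getPool('recursive_pool'):setCache(newPacketCache(10000))
```

Rule order is what makes this work: the REFUSED rules for the protected zones and for the internal listener come before the pool selections, so a query for a protected name arriving on the public authoritative address is answered with REFUSED rather than forwarded. Checking a configuration like this with `dnsdist --check-config` and a few `dig @1.1.1.1` / `dig @3.3.3.3` queries from inside and outside the internal network is the quickest way to confirm the matrix behaves as intended.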