[dnsdist] Allow Notify Rule for multiple IPs

Rene Bakkum / True rene.bakkum at true.nl
Tue May 19 13:55:37 UTC 2020


Quite new in using dnsdist, but using powerdns authoritive server for a
while. But with a redesign we put dnsdist (1.5.0-rc2) in front of the
nameservers. Working fine, but we have some issues with the notify.
Which is working fine if I use 1 IP in the ruleset, but I can't figure
out how to get it working with 2 IPs. Most likely my inexperience with
the config, but can't find a good example. So I hope someone can help me

I've added the following:
  > addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
NotRule(makeRule(""))}), RCodeAction(DNSRCode.REFUSED))

  > showRules()
#     Matches Rule Action
0     0 (opcode==4) && (!(Src: set rcode 5

It's working fine. It blocks requests that not have source and allows notifies from that block.
However if I want to add a second IP / range, I can't seem to get it to
work. I've added the '' between the IPs otherwise it will just ignore
the rest behind the comma in the rule. But from this point it is 
blocking all the notify I've sent even from the IPs that are listed in 
the rules.

  > addAction(AndRule({OpcodeRule(DNSOpcode.Notify),

  > showRules()
#    Matches Rule Action
0    0 (opcode==4) && (!(qname in
'',''.)) set rcode 5

I noticed the difference in `qname` and `Src:`, but I have no idea how
to make this work with both set. I tried options like creating an ACL,
which I found in an example, but this gives me syntax errors:

notifyACLs={"", ""}
NotRule(makeRule(notifyACLs))}), RCodeAction(DNSRCode.REFUSED))

So most likely I am missing something obvious, but hope someone can help
me on the way.

Kind regards,
- Rene

More information about the dnsdist mailing list