[dnsdist] block reverse records ipv6 for internal domains
prochazka at cortex.cz
Tue Sep 29 12:52:33 UTC 2020
Hi,
I have the ACL set like this on dnsdist 1.3.3 (Debian 10) in front of the
public-facing PowerDNS auth:
-- acl
src_ip = newNMG()
src_ip:addMask('::1')
src_ip:addMask('127.0.0.1')
src_ip:addMask('192.168.0.0/16')
src_ip:addMask('PublicIP4/22')
src_ip:addMask('PublicIP6/29')
internal_domains = newSuffixMatchNode()
internal_domains:add(newDNSName('sub1.domain.tld'))
internal_domains:add(newDNSName('sub2.domain.tld'))
internal_domains:add(newDNSName('192.in-addr.arpa'))
-- from dnsdist 1.4 use RCode.NXDOMAIN
-- queries for internal_domains from outside the src_ip netmask group get NXDOMAIN
addAction(AndRule({NotRule(NetmaskGroupRule(src_ip)),SuffixMatchNodeRule(internal_domains)}),RCodeAction(dnsdist.NXDOMAIN))
Results from public IPs outside of src_ip:
dig sub1.domain.tld -> NXDOMAIN
dig -x 192.168.x.x -> NXDOMAIN
dig aaaa sub1.domain.tld -> NXDOMAIN
dig -x <ipv6> -> NOERROR, returns the PTR record for this IPv6 address
How can I block reverse queries for IPv6 in the case of internal subdomains? I
want to avoid having every IPv6 reverse zone in internal_domains. Using
"addResponseAction(AndRule({NotRule(NetmaskGroupRule(src_ip)),SuffixMatchNodeRule(internal_domains)}),DropResponseAction())"
doesn't work.
Thank you.
MP
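The message above asks for a way to cover the IPv6 reverse zones without listing each one by hand. As an added example that is not part of the original message and not dnsdist's own code, the Lua below, meant to sit in dnsdist.conf, derives the nibble-aligned ip6.arpa suffixes from a list of IPv6 prefixes and adds them to the same internal_domains SuffixMatchNode, so the existing NXDOMAIN rule also matches PTR lookups for those addresses when they arrive from outside src_ip. It assumes the dnsdist 1.3 Lua API names the post already uses (newNMG, newSuffixMatchNode, newDNSName, NetmaskGroupRule, SuffixMatchNodeRule, RCodeAction, dnsdist.NXDOMAIN); the prefixes 2001:db8::/29 and fd00::/8 are placeholders. A prefix that is not nibble-aligned (a /29, for instance) is split into the 2^(32-29) = 8 /32 reverse zones it spans, so a few prefixes expand into the full list automatically.

```lua
-- Added example, not from the original post or from dnsdist itself.
-- Same ACL as the post, plus a helper that derives ip6.arpa suffixes
-- from IPv6 prefixes so the reverse zones need not be listed by hand.
-- Assumes the dnsdist 1.3 Lua API used in the post; prefixes are placeholders.

src_ip = newNMG()
src_ip:addMask('::1')
src_ip:addMask('127.0.0.1')
src_ip:addMask('192.168.0.0/16')
src_ip:addMask('PublicIP4/22')
src_ip:addMask('PublicIP6/29')

-- Expand an IPv6 address (with or without "::") to its 32 hex nibbles.
local function ipv6_nibbles(addr)
  local groups = {}
  local head, tail = addr:match('^(.-)::(.-)$')
  if head then
    local h, t = {}, {}
    for g in head:gmatch('[^:]+') do h[#h + 1] = g end
    for g in tail:gmatch('[^:]+') do t[#t + 1] = g end
    for _, g in ipairs(h) do groups[#groups + 1] = g end
    for _ = 1, 8 - #h - #t do groups[#groups + 1] = '0' end
    for _, g in ipairs(t) do groups[#groups + 1] = g end
  else
    for g in addr:gmatch('[^:]+') do groups[#groups + 1] = g end
  end
  assert(#groups == 8, 'bad IPv6 address: ' .. addr)
  local out = {}
  for i, g in ipairs(groups) do out[i] = string.format('%04x', tonumber(g, 16)) end
  return table.concat(out)
end

-- Turn a string of hex nibbles into the reversed ip6.arpa name.
local function nibbles_to_arpa(hex)
  local parts = {}
  for i = #hex, 1, -1 do parts[#parts + 1] = hex:sub(i, i) end
  return table.concat(parts, '.') .. '.ip6.arpa'
end

-- Return every ip6.arpa name needed to cover "addr/len". When len is not a
-- multiple of 4 the prefix is split into the 2^(4 - len % 4) nibble-aligned
-- zones that together span it (a /29 becomes eight /32 zones).
function ip6_arpa_suffixes(prefix)
  local addr, len = prefix:match('^(.+)/(%d+)$')
  assert(addr and len, 'expected addr/len: ' .. prefix)
  len = tonumber(len)
  assert(len >= 1 and len <= 128, 'bad prefix length: ' .. prefix)
  local nibbles = ipv6_nibbles(addr)
  local fixed = math.floor(len / 4)           -- nibbles entirely inside the prefix
  local base = nibbles:sub(1, fixed)
  local names = {}
  local spare = len % 4
  if spare == 0 then
    names[1] = nibbles_to_arpa(base)
  else
    -- enumerate the partial nibble: keep its top `spare` bits, vary the rest
    local span = 2 ^ (4 - spare)
    local partial = tonumber(nibbles:sub(fixed + 1, fixed + 1), 16)
    local first = math.floor(partial / span) * span
    for v = first, first + span - 1 do
      names[#names + 1] = nibbles_to_arpa(base .. string.format('%x', v))
    end
  end
  return names
end

internal_domains = newSuffixMatchNode()
internal_domains:add(newDNSName('sub1.domain.tld'))
internal_domains:add(newDNSName('sub2.domain.tld'))
internal_domains:add(newDNSName('192.in-addr.arpa'))

-- Placeholder prefixes; replace with the real internal/public IPv6 ranges.
-- 2001:db8::/29 expands to 8.b.d.0.1.0.0.2.ip6.arpa .. f.b.d.0.1.0.0.2.ip6.arpa,
-- fd00::/8 to the single name d.f.ip6.arpa.
for _, prefix in ipairs({ '2001:db8::/29', 'fd00::/8' }) do
  for _, name in ipairs(ip6_arpa_suffixes(prefix)) do
    internal_domains:add(newDNSName(name))
  end
end

-- from dnsdist 1.4 use RCode.NXDOMAIN (as in the post)
addAction(AndRule({ NotRule(NetmaskGroupRule(src_ip)), SuffixMatchNodeRule(internal_domains) }),
          RCodeAction(dnsdist.NXDOMAIN))
```

The helper uses only plain Lua string and math functions (no bit operations), so it runs under either Lua 5.1 or 5.3 builds of dnsdist; the ip6_arpa_suffixes function can be checked on its own with a standalone lua interpreter before the dnsdist-specific lines are loaded. Because the match is on the query name, the same SuffixMatchNode also covers reverse lookups for addresses that have no PTR record at all, which is the behaviour the post reports for the IPv4 ranges.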