[dnsdist] block reverse records ipv6 for internal domains

Remi Gacogne remi.gacogne at powerdns.com
Tue Sep 29 13:15:59 UTC 2020


Hi,

On 9/29/20 2:52 PM, prochazka--- via dnsdist wrote:
> How to block reverse query for ipv6 in case of internal subdomains? I
> want to evade having every ipv6 reverse zone in internal_domains. Using
> "addResponseAction(AndRule({NotRule(NetmaskGroupRule(cortex_src_ip)),SuffixMatchNodeRule(internal_domains)}),DropResponseAction())"
> doesn't work.

If you know the IPv6 range that you want to block you can use
SuffixMatchNodeRule():

addAction(SuffixMatchNodeRule("8.b.d.0.1.0.0.2.ip6.arpa."), DropAction())

However, if you want to block based on the presence of a domain in the
response, I'm afraid this can't be done with dnsdist. It doesn't know
how to parse responses.

Hope that helps,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
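
Added example, not part of the original message and not PowerDNS code: a small Python helper that derives the ip6.arpa suffix for an IPv6 prefix and prints the matching dnsdist rule in the form shown above. The function names are hypothetical; it also goes beyond the single /32 case in the reply by splitting a prefix that does not end on a 4-bit nibble boundary into the aligned suffixes that cover it.

```python
import ipaddress


def ip6_arpa_suffixes(prefix):
    """Return the ip6.arpa suffix(es) that cover exactly the given IPv6 prefix.

    Reverse names are built from 4-bit nibbles, so a prefix whose length is
    not a multiple of 4 is split into the 2, 4 or 8 nibble-aligned subnets
    covering the same addresses. Raises ValueError if host bits are set.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    aligned_len = -(-net.prefixlen // 4) * 4  # round up to a nibble boundary
    suffixes = []
    for sub in net.subnets(new_prefix=aligned_len):
        # 32 hex digits of the network address, truncated to the prefix nibbles
        hexdigits = sub.network_address.exploded.replace(":", "")
        nibbles = hexdigits[: aligned_len // 4]
        labels = list(reversed(nibbles)) + ["ip6", "arpa", ""]
        suffixes.append(".".join(labels))
    return suffixes


def dnsdist_drop_rules(prefix):
    """Format one dnsdist line per suffix, in the form used in the reply."""
    return [
        'addAction(SuffixMatchNodeRule("%s"), DropAction())' % suffix
        for suffix in ip6_arpa_suffixes(prefix)
    ]


if __name__ == "__main__":
    # 2001:db8::/32 is the range behind the suffix quoted in the reply;
    # the /34 is a constructed case that needs four suffixes.
    for example in ("2001:db8::/32", "2001:db8::/34"):
        print("-- " + example)
        for rule in dnsdist_drop_rules(example):
            print(rule)
```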
