[dnsdist] attempting to spoof a couple records

Pieter Lexis pieter.lexis at powerdns.com
Tue Feb 16 16:06:08 UTC 2021


Hi Frank,

On 2/16/21 4:09 PM, Frank Even via dnsdist wrote:
> I've inherited an Unbound environment that has a few "local-zone"
> records configured, and am now fronting with dnsdist and need dnsdist
> to spoof those records and respond appropriately.
> 
> I've managed to make it happen for all traffic, but I can't seem to
> get any syntax right for an "AndRule" to get it to work for only
> certain source subnets.
> 
> I seem to be unable to properly decipher the documentation here.
> Below is what I'm really trying to accomplish (all IPs are made up),
> but I'm having issues getting it to work properly limited to a single
> subnet.
> 
>     access-control-view: 127.0.0.0/8 internal
>     access-control-view: 10.1.0.0/24 internal
>     access-control-view: 10.5.0.0/24 internal
> 
>     view:
>         name: "internal"
>         local-zone: "int.domain"                 typetransparent
>         local-data: "name.int.domain            IN A 10.7.7.7"
>         local-data: "name.int.domain            IN AAAA"   # <----
> (this is actually in the config, I can't seem to find any Unbound
> documentation that makes sense of that though, seems like it could be
> invalid, there are no IPv6 nets in the access-control-view lists -
> does actually appear to be invalid on testing on the inherited
> system...throws a weird error on a query).
> 
> Just for a single IP I've tried something like this to no avail:
> addAction(AndRule({"10.5.5.5/32"}, {"name.int.domain",
> SpoofAction("10.7.7.7")}))

This syntax does indeed look wrong. Also, AndRule can't natively switch
between different sorts of rules. This works:

addAction(AndRule{makeRule("10.5.5.5/32"), makeRule("name.int.domain")},
SpoofAction("10.7.7.7"))

If you want to match the name exactly (the rule above matches the name
and all names under it) use:

addAction(AndRule{makeRule("10.5.5.5/32"),
QNameRule("name.int.domain")}, SpoofAction("10.7.7.7"))

However, it looks like your use case is better served with a NetmaskGroup:

nmg = newNMG()
nmg:addMask("127.0.0.0/8")
nmg:addMask("10.1.0.0/24")
nmg:addMask("10.5.0.0/24")
addAction(AndRule{NetmaskGroupRule(nmg), QNameRule("name.int.domain")},
SpoofAction("10.7.7.7", "2001:db8::1"))

This'll lead to showRules showing this:

0           0 (Src: 10.1.0.0/24, 10.5.0.0/24, 127.0.0.0/8) &&
(qname==name.int.domain.) spoof in 10.7.7.7 2001:db8::1

Hope this helps!

Cheers,

Pieter

P.S. For spoofing v6, the syntax is SpoofAction("192.0.2.1",
"2001:db8::1") until version 1.6. In 1.6 it is SpoofAction({"192.0.2.1",
"2001:db8::1"}).

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
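As an added example (not from this thread or the dnsdist project), the following is a complete dnsdist configuration that puts the NetmaskGroup rule from the answer together with the 1.6-style SpoofAction syntax from the P.S. The listener address, backend address and spoofed addresses are made up, and the second rule (an explicit NXDOMAIN for clients outside the internal networks) is an assumed addition, not something the thread describes.

```lua
-- Added example, not the original poster's or dnsdist's own configuration.
-- Mirrors the Unbound "internal" view from the question in dnsdist terms.
setLocal("0.0.0.0:53")          -- assumed listener address
newServer("10.0.0.53")          -- assumed backend: the existing Unbound

-- Networks that Unbound's access-control-view mapped to the "internal" view.
internal = newNMG()
internal:addMask("127.0.0.0/8")
internal:addMask("10.1.0.0/24")
internal:addMask("10.5.0.0/24")

-- Rules are evaluated in the order they were added; the first match wins.

-- 1. Internal clients asking for name.int.domain get the spoofed records.
--    QNameRule matches the exact name only; makeRule("name.int.domain")
--    would also match everything below it.
--    dnsdist 1.6 syntax; before 1.6 write SpoofAction("10.7.7.7", "2001:db8::1").
addAction(
  AndRule{NetmaskGroupRule(internal), QNameRule("name.int.domain")},
  SpoofAction({"10.7.7.7", "2001:db8::1"})
)

-- 2. (Assumed addition) Clients outside the internal networks asking for the
--    internal name are answered with NXDOMAIN by dnsdist itself, so the query
--    is never forwarded to the backend for them.
addAction(
  AndRule{NotRule(NetmaskGroupRule(internal)), QNameRule("name.int.domain")},
  RCodeAction(DNSRCode.NXDOMAIN)
)
```

After loading this, showRules() lists both rules in order, and a query for name.int.domain from 10.5.5.5 is answered by rule 1 while the same query from any other source hits rule 2.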

