[dnsdist] attempting to spoof a couple records

Frank Even lists+powerdns.com at elitists.org
Wed Feb 17 12:21:34 UTC 2021


It helps a ton.  Exactly what I needed.  Thanks!

On Tue, Feb 16, 2021 at 9:06 AM Pieter Lexis via dnsdist
<dnsdist at mailman.powerdns.com> wrote:
>
> Hi Frank,
>
> On 2/16/21 4:09 PM, Frank Even via dnsdist wrote:
> > I've inherited an Unbound environment that has a few "local-zone"
> > records configured, and am now fronting with dnsdist and need dnsdist
> > to spoof those records and respond appropriately.
> >
> > I've managed to make it happen for all traffic, but I can't seem to
> > get any syntax right for an "AndRule" to get it to work for only
> > certain source subnets.
> >
> > I seem to be unable to properly decipher the documentation here.
> > Below is what I'm really trying to accomplish (all IPs are made up),
> > but I'm having issues getting it to work properly limited to a single
> > subnet.
> >
> >     access-control-view: 127.0.0.0/8 internal
> >     access-control-view: 10.1.0.0/24 internal
> >     access-control-view: 10.5.0.0/24 internal
> >
> >     view:
> >         name: "internal"
> >         local-zone: "int.domain"                 typetransparent
> >         local-data: "name.int.domain            IN A 10.7.7.7"
> >         local-data: "name.int.domain            IN AAAA"   # <----
> > (this is actually in the config, I can't seem to find any Unbound
> > documentation that makes sense of that though, seems like it could be
> > invalid, there are no IPv6 nets in the access-control-view lists -
> > does actually appear to be invalid on testing on the inherited
> > system...throws a weird error on a query).
> >
> > Just for a single IP I've tried something like this to no avail:
> > addAction(AndRule({"10.5.5.5/32"}, {"name.int.domain",
> > SpoofAction("10.7.7.7")}))
>
> This syntax does indeed look wrong; also, AndRule can't natively switch
> between different sorts of rules. This works:
>
> addAction(AndRule{makeRule("10.5.5.5/32"), makeRule("name.int.domain")},
> SpoofAction("10.7.7.7"))
>
> If you want to match the name exactly (the rule above matches the name
> and all names under it) use:
>
> addAction(AndRule{makeRule("10.5.5.5/32"),
> QNameRule("name.int.domain")}, SpoofAction("10.7.7.7"))
>
> However, it looks like your use case is better served with a NetmaskGroup:
>
> nmg = newNMG()
> nmg:addMask("127.0.0.0/8")
> nmg:addMask("10.1.0.0/24")
> nmg:addMask("10.5.0.0/24")
> addAction(AndRule{NetmaskGroupRule(nmg), QNameRule("name.int.domain")},
> SpoofAction("10.7.7.7", "2001:db8::1"))
>
> This'll lead to showRules showing this:
>
> 0           0 (Src: 10.1.0.0/24, 10.5.0.0/24, 127.0.0.0/8) &&
> (qname==name.int.domain.) spoof in 10.7.7.7 2001:db8::1
>
> Hope this helps!
>
> Cheers,
>
> Pieter
>
> P.S. For spoofing v6, the syntax is SpoofAction("192.0.2.1",
> "2001:db8::1") until version 1.6. In 1.6 it is SpoofAction({"192.0.2.1",
> "2001:db8::1"}).
>
> --
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com
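A complete dnsdist configuration that mirrors the Unbound "internal" view from the thread, added here as an example and not taken from the thread or from the dnsdist project. The listen address, the backend address, the dnsdist 1.6 table syntax for SpoofAction and the A/AAAA restriction (to imitate Unbound's typetransparent behaviour) are all assumptions.

```lua
-- Added example, not from the thread. Assumes dnsdist >= 1.6 (table form
-- of SpoofAction) and an Unbound backend on 127.0.0.1:5300; both values
-- are assumptions, as is the listen address.
setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300", name = "unbound"})

-- Source networks that were granted the "internal" view in Unbound.
local internal = newNMG()
internal:addMask("127.0.0.0/8")
internal:addMask("10.1.0.0/24")
internal:addMask("10.5.0.0/24")

-- Unbound's "typetransparent" local-zone only answers the record types
-- present in local-data and resolves everything else normally. To get the
-- same effect, restrict the spoof to A and AAAA queries for the exact
-- name; any other qtype (MX, TXT, ...) and any other name under
-- int.domain fall through to the backend. Rules are evaluated in the
-- order they are added, so this must come before any catch-all actions.
local spoofInternalName = AndRule{
  NetmaskGroupRule(internal),
  QNameRule("name.int.domain"),
  OrRule{QTypeRule(DNSQType.A), QTypeRule(DNSQType.AAAA)}
}

-- 10.7.7.7 and 2001:db8::1 are the placeholder addresses used in the
-- thread; dnsdist picks the family matching the query type (A -> IPv4,
-- AAAA -> IPv6, ANY -> both).
addAction(spoofInternalName, SpoofAction({"10.7.7.7", "2001:db8::1"}))

-- Everything else, including the same query from a non-internal client,
-- is forwarded to the backend by the default pool.
```

After loading, `showRules()` in the console should list the combined rule with its three selectors, and `dig @127.0.0.1 name.int.domain A` from an internal address returns the spoofed answer while a TXT query for the same name is forwarded.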
