[dnsdist] Negate Selector for NetmaskGroupRule
Pieter Lexis
pieter.lexis at powerdns.com
Wed Feb 24 12:17:43 UTC 2021
Hi Jochen,
On 2/24/21 12:51 PM, Jochen Demmer via dnsdist wrote:
> In order to achieve that the list (about a year ago) suggested to use
> something like this:
>
> trustedNMG:addMask("1.2.3.4/32")
> trustedNMG:addMask("2a00:fe10:33:102::/64")
> addAction(AndRule({NetmaskGroupRule(trustedNMG),RegexRule(".intern\\.mydomain\\.net$")}),
> PoolAction("specificpool"))
> Yet there is only one pool currently, which is my powerdns backend which
> contains all zones.
>
> Can I instead make a rule that sends something like NXDOMAIN for
> everybody except the Source IPs given above?
> I would need something like a negation, but can't find anything alike in
> the documentation:
>
> addAction(AndRule({NetmaskGroupRule(!trustedNMG),RegexRule(".intern\\.mydomain\\.net$")}),
> SetNegativeAndSOAAction(nxd))
> note the exclamation mark.
You can use NotRule[1] for that, like this:
NotRule(NetmaskGroupRule(trustedNMG))
I can also recommend using makeRule[2] to create a suffix-matching
selector (it is way faster than a regex in this usecase).
So your rule would become:
addAction(AndRule({NotRule(NetmaskGroupRule(trustedNMG)),
makeRule("intern.mydomain.net")}), SetNegativeAndSOAAction([...]))
Please keep in mind that SetNegativeAndSOAAction is renamed to
NegativeAndSOAAction in the upcoming 1.6 release.
Hope this helps!
Cheers,
Pieter
1 - https://dnsdist.org/rules-actions.html#NotRule
2 - https://dnsdist.org/rules-actions.html#makeRule
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
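A complete dnsdist configuration assembling the pieces from the reply above, added here as an example (it is not code from the thread or from the dnsdist project). It uses the 1.6 action name; the backend address, SOA values and zone name are constructed placeholders.

```lua
-- Added example, not from the thread: restrict an internal zone to trusted
-- source networks and answer everyone else with a cacheable NXDOMAIN.
-- Assumptions: dnsdist 1.6 naming (NegativeAndSOAAction; on 1.5 the same
-- call is SetNegativeAndSOAAction), constructed addresses and SOA values.

-- Trusted source networks that are allowed to resolve the internal zone.
trustedNMG = newNMG()
trustedNMG:addMask("1.2.3.4/32")
trustedNMG:addMask("2a00:fe10:33:102::/64")

-- Suffix-matching selector: makeRule() on a string that is not a netmask
-- builds a SuffixMatchNodeRule, which matches the name and everything
-- below it (the same set the original ".intern\.mydomain\.net$" regex hit).
internalZone = makeRule("intern.mydomain.net")

-- Rules are evaluated in order, first match wins, so this must come before
-- any rule that routes queries to the backend pool.
-- Queries for the internal zone from any client NOT in trustedNMG get a
-- synthesised NXDOMAIN with an SOA in the authority section, so recursive
-- resolvers can cache the negative answer instead of retrying.
-- Arguments: nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum
addAction(AndRule({NotRule(NetmaskGroupRule(trustedNMG)), internalZone}),
          NegativeAndSOAAction(true, "intern.mydomain.net.", 300,
                               "ns1.mydomain.net.", "hostmaster.mydomain.net.",
                               2021022401, 3600, 900, 604800, 300))

-- Everything else, including internal-zone queries from trusted sources,
-- falls through to the single PowerDNS backend (placeholder address).
newServer({address = "192.0.2.53"})
```

Because the negative answer is synthesised by dnsdist, the backend never sees untrusted queries for the internal zone, which also keeps them out of its query logs; check the match counters with `showRules()` after loading the configuration.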