[dnsdist] Negate Selector for NetmaskGroupRule

Jochen Demmer jdemmer at relaix.net
Thu May 27 08:24:25 UTC 2021 

Thank you for that anwser Pieter,

I ended up with this:
addAction(AndRule{NotRule(NetmaskGroupRule(TrustedIntern)),makeRule({"intern.mydomain.net", "3.2.1.0.0.0.0.0.0.e.f.0.4.3.2.1.ip6.arpa"})}, RCodeAction(DNSRCode.NXDOMAIN))

I wasn't able to figure out the right syntax of NegativeAndSOAAction that's why I went with DNSRCode.
Then again we needed an exception for letsencrypt because we're using DNS challenge for internel domain names, so I came up with this:
addAction(AndRule{NotRule(NetmaskGroupRule(TrustedIntern)),NotRule(RegexRule("_acme-challenge.")),makeRule({"intern.mydomain.net", "3.2.1.0.0.0.0.0.0.e.f.0.4.3.2.1.ip6.arpa"})}, RCodeAction(DNSRCode.NXDOMAIN))

If I understand things correctly every single DNS query will trigger RegexRule, makeRule and NetmaskGroupRule check. Will this slow things down? If so, is there a better approach?

Thank you
Jochen Demmer


----- Ursprüngliche Mail -----
Von: "dnsdist" <dnsdist at mailman.powerdns.com>
An: "dnsdist" <dnsdist at mailman.powerdns.com>
Gesendet: Mittwoch, 24. Februar 2021 13:17:43
Betreff: Re: [dnsdist] Negate Selector for NetmaskGroupRule

Hi Jochen,

On 2/24/21 12:51 PM, Jochen Demmer via dnsdist wrote:
> In order to achieve that the list (about a year ago) suggested to use
> something like this:
> 
> trustedNMG:addMask("1.2.3.4/32")
> trustedNMG:addMask("2a00:fe10:33:102::/64")
> addAction(AndRule({NetmaskGroupRule(trustedNMG),RegexRule(".intern\\.mydomain\\.net$")}),
> PoolAction("specificpool"))
> Yet there is only one pool currently, which is my powerdns backend which
> contains all zones.
> 
> Can I instead make a rule that sends something like NXDOMAIN for
> everybody except the Source IPs given above?
> I would need something like a negation, but can't find anything alike in
> the documentation:
> 
> addAction(AndRule({NetmaskGroupRule(!trustedNMG),RegexRule(".intern\\.mydomain\\.net$")}),
> |SetNegativeAndSOAAction|(/nxd)/
> note the exclamation mark.

You can use NotRule[1] for that, like this:

    NotRule(NetmaskGroupRule(trustedNMG)

I can also recommend using makeRule[2] to create a suffix-matching
selector (it is way faster than a regex in this usecase).

So your rule would become:

addAction(AndRule{NotRule(NetmaskGroupRule(trustedNMG)),
makeRule("intern.mydomain.net")}, SetNegativeAndSOAAction([...])

Please keep in mind that SetNegativeAndSOAAction is renamed to
NegativeAndSOAAction in the upcoming 1.6 release.

Hope this helps!

Cheers,

Pieter

1 - https://dnsdist.org/rules-actions.html#NotRule
2 - https://dnsdist.org/rules-actions.html#makeRule


-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist

More information about the dnsdist mailing list