[dnsdist] Negate Selector for NetmaskGroupRule

Remi Gacogne remi.gacogne at powerdns.com
Mon May 31 10:22:58 UTC 2021

Hi Jochen,

On 5/27/21 10:24 AM, Jochen Demmer via dnsdist wrote:
> I wasn't able to figure out the right syntax of NegativeAndSOAAction 
> that's why I went with DNSRCode.

What is it that you could not figure out, so we can improve the 
documentation? You have an example in our regression tests, in the
TestAdvancedNegativeAndSOA class [1].

> If I understand things correctly every single DNS query will trigger 
> RegexRule, makeRule and NetmaskGroupRule check. Will this slow
> things down? If so, is there a better approach?

Rules that are part of a "AndRule" are lazily evaluated in order, so we 
will only evaluate the regex and makeRule ones if the NetmaskGroupRule 
did not match. I guess in your case most queries will not match any of 
the rules, though, but NetmaskGroupRule and makeRule (which internally 
does a SuffixMatchRule match) are very fast, so I would move the regex 
rule last and focus on making the regular expression fast :)


Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dnsdist mailing list