惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
K
Kaspersky official blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
U
Unit 42
D
Docker
I
InfoQ
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
C
Check Point Blog
The Cloudflare Blog
美团技术团队
V
Vulnerabilities – Threatpost
博客园_首页
T
Threat Research - Cisco Blogs
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
A
Arctic Wolf
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Schneier on Security
Apple Machine Learning Research
Apple Machine Learning Research
MyScale Blog
MyScale Blog
P
Privacy International News Feed
云风的 BLOG
云风的 BLOG
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Blog of Author Tim Ferriss
GbyAI
GbyAI
The Last Watchdog
The Last Watchdog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
The Register - Security
The Register - Security
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
NISL@THU
NISL@THU
Y
Y Combinator Blog
T
Threatpost
Microsoft Azure Blog
Microsoft Azure Blog
L
Lohrmann on Cybersecurity

plugin on CoreDNS: DNS and Service Discovery

kubernetes log proxyproto rewrite forward clouddns errors grpc_server https https3 template docker auto geoip multisocket nomad dnstap import view ready etcd header loadbalance bind grpc file prometheus quic timeouts kubeforward JSON gslb autopath dnssec root tls fanout k8s_cache bufsize k8s_external reload gathersrv meship meshname multicluster cache recursor health trace tsig k8s_event redis route53 dns64 transfer finalize kubenodes ebpf rrl secondary mysql warnlist loop minimal sign azure git local any cancel debug erratic metadata nsid pprof alternate k8s_dns_chaos records k8s_gateway hosts netbox mdns wgsd alias chaos whoami lighthouse ens idetcd gravwell amazondns kubernetai redisc unbound on dump pdsql ipin demo example
acl
2023-02-08 · via plugin on CoreDNS: DNS and Service Discovery

Description

With acl enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries or blocking unauthorized queries.

When evaluating the rule sets, acl uses the source IP of the TCP/UDP headers of the DNS query received by CoreDNS. This source IP will be different than the IP of the client originating the request in cases where the source IP of the request is changed in transit. For example:

  • if the request passes though an intermediate forwarding DNS server or recursive DNS server before reaching CoreDNS
  • if the request traverses a Source NAT before reaching CoreDNS

This plugin can be used multiple times per Server Block.

Syntax

acl [ZONES...] {
    ACTION [type QTYPE...] [net SOURCE...]
}
  • ZONES zones it should be authoritative for. If empty, the zones from the configuration block are used.
  • ACTION (allow, block, filter, or drop) defines the way to deal with DNS queries matched by this rule. The default action is allow, which means a DNS query not matched by any rules will be allowed to recurse. The difference between block and filter is that block returns status code of REFUSED while filter returns an empty set NOERROR. drop however returns no response to the client.
  • QTYPE is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. * stands for all record types. The default behavior for an omitted type QTYPE... is to match all kinds of DNS queries (same as type *).
  • SOURCE is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. * stands for all possible source IP addresses.

Examples

To demonstrate the usage of plugin acl, here we provide some typical examples.

Block all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        block type A net 192.168.0.0/16
    }
}

Filter all DNS queries with record type A from 192.168.0.0/16:

. {
    acl {
        filter type A net 192.168.0.0/16
    }
}

Block all DNS queries from 192.168.0.0/16 except for 192.168.1.0/24:

. {
    acl {
        allow net 192.168.1.0/24
        block net 192.168.0.0/16
    }
}

Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:

. {
    acl {
        allow net 192.168.0.0/24 192.168.1.0/24
        block
    }
}

Block all DNS queries from 192.168.1.0/24 towards a.example.org:

example.org {
    acl a.example.org {
        block net 192.168.1.0/24
    }
}

Drop all DNS queries from 192.0.2.0/24:

. {
    acl {
        drop net 192.0.2.0/24
    }
}

Metrics

If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:

  • coredns_acl_blocked_requests_total{server, zone, view} - counter of DNS requests being blocked.

  • coredns_acl_filtered_requests_total{server, zone, view} - counter of DNS requests being filtered.

  • coredns_acl_allowed_requests_total{server, view} - counter of DNS requests being allowed.

  • coredns_acl_dropped_requests_total{server, zone, view} - counter of DNS requests being dropped.

The server and zone labels are explained in the metrics plugin documentation.