Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
COREDNS-ACL(7)			CoreDNS	Plugins			COREDNS-ACL(7)

NAME
       acl  - enforces access control policies on source ip and	prevents unau-
       thorized	access to DNS servers.

DESCRIPTION
       With acl	enabled, users are able	to  block  or  filter  suspicious  DNS
       queries	by  configuring	 IP filter rule	sets, i.e. allowing authorized
       queries to recurse or blocking unauthorized queries.

       This plugin can be used multiple	times per Server Block.

SYNTAX
	      acl [ZONES...] {
		  ACTION [type QTYPE...] [net SOURCE...]
	      }

          ZONES zones it should be authoritative for.	If  empty,  the	 zones
	   from	the configuration block	are used.

          ACTION  (allow,  block, or filter) defines the way to deal with DNS
	   queries matched by this rule. The default action  is	 allow,	 which
	   means  a  DNS query not matched by any rules	will be	allowed	to re-
	   curse. The difference between block and filter is  that  block  re-
	   turns  status code of REFUSED while filter returns an empty set NO-
	   ERROR

          QTYPE is the	query type to match for	the requests to	be allowed  or
	   blocked.  Common  resource record types are supported. * stands for
	   all record types. The default behavior for an omitted type QTYPE...
	   is to match all kinds of DNS	queries	(same as type *).

          SOURCE is the source	IP address to match for	the requests to	be al-
	   lowed or blocked. Typical CIDR notation and single IP  address  are
	   supported. *	stands for all possible	source IP addresses.

EXAMPLES
       To  demonstrate	the  usage of plugin acl, here we provide some typical
       examples.

       Block all DNS queries with record type A	from 192.168.0.0/16

	      .	{
		  acl {
		      block type A net 192.168.0.0/16
		  }
	      }

       Filter all DNS queries with record type A from 192.168.0.0/16

	      .	{
		  acl {
		      filter type A net	192.168.0.0/16
		  }
	      }

       Block all DNS queries from 192.168.0.0/16 except	for 192.168.1.0/24:

	      .	{
		  acl {
		      allow net	192.168.1.0/24
		      block net	192.168.0.0/16
		  }
	      }

       Allow only DNS queries from 192.168.0.0/24 and 192.168.1.0/24:

	      .	{
		  acl {
		      allow net	192.168.0.0/24 192.168.1.0/24
		      block
		  }
	      }

       Block all DNS queries from 192.168.1.0/24 towards a.example.org:

	      example.org {
		  acl a.example.org {
		      block net	192.168.1.0/24
		  }
	      }

METRICS
       If monitoring is	enabled	(via the prometheus plugin) then the following
       metrics are exported:

          coredns_acl_blocked_requests_total{server, zone} - counter  of  DNS
	   requests being blocked.

          coredns_acl_allowed_requests_total{server}  -  counter  of  DNS re-
	   quests being	allowed.

       The server and zone labels are explained	in the metrics plugin documen-
       tation.

CoreDNS				  March	2021			COREDNS-ACL(7)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=coredns-acl&sektion=7&manpath=FreeBSD+Ports+14.3.quarterly>

home | help