How to make coredns not to answer to some queries #27
-
|
Hello you all. I would like to have my coredns implementation not answering under certain circumstances. For that I saw the external plugin: https://github.com/coredns/policy and I used it, and I was able for instance to drop all queries of type A (client receives timeout) and the like: firewall query { but any policy on responses does not work: firewall response { or even: firewall response { They do response with NXDOMAIN. Any ideas are welcome and thanks in advance. -- Mario LG |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
|
Using the firewall plugin enables both Specifying a permissive query rule should enable a response-only based policy. For example ... I'll look into defaulting queries to |
Beta Was this translation helpful? Give feedback.
-
|
Thank you so much for your answer. I didn't get the point of configuring both directions to have it working, but it makes sense (so maybe clarify it in README is a good approach) After playing a bit with the conf I was able to make it work as I expected. |
Beta Was this translation helpful? Give feedback.
-
|
This conversation needs to move to the appropriate repo, so others can find
it there.
I'll try clicking buttons
…On Thu, 11 Mar 2021, 20:02 chrisohaver, ***@***.***> wrote:
Using the firewall plugin enables both query *and* response processing.
query processing defaults to the block action if no rules are defined.
Therefore if no query rules are defined, all queries coming through will
get blocked before a response is determined.
Specifying a permissive query rule should enable a response-only based
policy. For example ...
. {
firewall query {
allow true
}
firewall response {
drop true
}
forward . 8.8.8.8
}
I'll look into defaulting queries to allow and possible repercussions of
changing that, but for now I'll update the README with an example to make
this more clear.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<https://github.com/coredns/coredns/discussions/4515#discussioncomment-470934>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACWIWY5KCFAQ2BKJCD5QXLTDEAUBANCNFSM4ZAP2CWQ>
.
|
Beta Was this translation helpful? Give feedback.
-
|
I enabled discussions in coredns/policy and transfered it. |
Beta Was this translation helpful? Give feedback.
Using the firewall plugin enables both
queryandresponseprocessing.queryprocessing defaults to theblockaction if no rules are defined. Therefore if noqueryrules are defined, all queries coming through will get blocked before a response is determined.Specifying a permissive query rule should enable a response-only based policy. For example ...
I'll look into defaulting queries to
allowand possible repercussions of changing that, but for now I'll update the README with an example to make this more clear.