diff options
| author |  George Shammas <georgyo@gmail.com>
| 2021-02-01 09:52:23 -0500 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2021-02-01 06:52:23 -0800 |
| commit | 117a389e40832cdbee69bd9daa04ca35611082ff (patch) | |
| tree | 93303c8a557e3118aa529a5742053a1a9a47cb05 /plugin/acl/acl.go | |
| parent | d289b4ea2623dcd0dd13ab7ed88ab764a7408f91 (diff) | |
| download | coredns-117a389e40832cdbee69bd9daa04ca35611082ff.tar.gz coredns-117a389e40832cdbee69bd9daa04ca35611082ff.tar.zst coredns-117a389e40832cdbee69bd9daa04ca35611082ff.zip | |
plugin/acl: add the ability to filter records (#4389)
Currently ACLs only allow for allow and block, however it isn't
always desirable to set the status code to REFUSED. Often times
you want to completely hide the fact that those records even exist.
Adding the ability to acl to filter results makes it significantly
harder for a third party to know that the records are being masked.
Signed-off-by: George Shammas <george@shamm.as>
Diffstat (limited to 'plugin/acl/acl.go')
| -rw-r--r-- | plugin/acl/acl.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/plugin/acl/acl.go b/plugin/acl/acl.go index ce7b041cb..e684dc42c 100644 --- a/plugin/acl/acl.go +++ b/plugin/acl/acl.go @@ -45,6 +45,8 @@ const ( actionAllow // actionBlock blocks unauthorized queries towards protected DNS zones. actionBlock + // actionFilter returns empty sets for queries towards protected DNS zones. + actionFilter ) // ServeDNS implements the plugin.Handler interface. @@ -73,7 +75,16 @@ RulesCheckLoop: { break RulesCheckLoop } + case actionFilter: + { + m := new(dns.Msg) + m.SetRcode(r, dns.RcodeSuccess) + w.WriteMsg(m) + RequestFilterCount.WithLabelValues(metrics.WithServer(ctx), zone).Inc() + return dns.RcodeSuccess, nil + } } + } RequestAllowCount.WithLabelValues(metrics.WithServer(ctx)).Inc() |