authorGravatar George Shammas <georgyo@gmail.com> 2021-02-01 09:52:23 -0500
committerGravatar GitHub <noreply@github.com> 2021-02-01 06:52:23 -0800
commit117a389e40832cdbee69bd9daa04ca35611082ff (patch)
tree93303c8a557e3118aa529a5742053a1a9a47cb05 /plugin/acl/acl_test.go
parentd289b4ea2623dcd0dd13ab7ed88ab764a7408f91 (diff)
plugin/acl: add the ability to filter records (#4389)
Currently ACLs only support allow and block; however, it isn't always desirable to set the status code to REFUSED. Oftentimes you want to completely hide the fact that those records even exist. Adding the ability for acl to filter results makes it significantly harder for a third party to know that the records are being masked.
Signed-off-by: George Shammas <george@shamm.as>
Diffstat (limited to 'plugin/acl/acl_test.go')
-rw-r--r--plugin/acl/acl_test.go28
1 files changed, 28 insertions, 0 deletions
diff --git a/plugin/acl/acl_test.go b/plugin/acl/acl_test.go
index bf0c6f6f7..4c6df95e5 100644
--- a/plugin/acl/acl_test.go
+++ b/plugin/acl/acl_test.go
@@ -146,6 +146,34 @@ func TestACLServeDNS(t *testing.T) {
false,
},
{
+ "Filter 1 FILTERED",
+ `acl example.org {
+ filter type A net 192.168.0.0/16
+ }`,
+ []string{},
+ args{
+ "www.example.org.",
+ "192.168.0.2",
+ dns.TypeA,
+ },
+ dns.RcodeSuccess,
+ false,
+ },
+ {
+ "Filter 1 ALLOWED",
+ `acl example.org {
+ filter type A net 192.168.0.0/16
+ }`,
+ []string{},
+ args{
+ "www.example.org.",
+ "192.167.0.2",
+ dns.TypeA,
+ },
+ dns.RcodeSuccess,
+ false,
+ },
+ {
"Whitelist 1 ALLOWED",
`acl example.org {
allow net 192.168.0.0/16
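Review bot: The two added cases, "Filter 1 FILTERED" and "Filter 1 ALLOWED", carry the same expectation (`dns.RcodeSuccess`, `false`), so as far as this hunk shows the table cannot tell a filtered response from one that was passed through, and a filter action that silently did nothing would still pass. Because the point of the action is to hide records from the client, the filtered case should also check that the response contains no answer records, for example via an extra table field such as `wantEmptyAnswer bool` (name is only a suggestion) that the loop checks. The table's struct definition and the assertion loop of TestACLServeDNS are outside the hunk, so confirm what is actually compared there. A further case querying a non-A type from 192.168.0.2 would pin down that `filter type A` leaves other record types alone.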