author Yong Tang <yong.tang.github@outlook.com> 2022-04-07 12:09:44 -0700
committer GitHub <noreply@github.com> 2022-04-07 12:09:44 -0700
commit 882b2d913d28b2f80c4597a16b5043a1a92fb1b8
tree b415cbfe18455bb9f9e2b673a4ce547c89667386 /plugin
parent 275c014c5c9bc4d4469811b252a27f3dc7dca74c
Update ACL plugin's README to capture the edge case (#5311)
* Update ACL plugin's README to capture the edge case

This PR adds a note in ACL plugin's README to capture the edge case where source ip of the client may be different from the source ip observed by coredns server (in situations such as Source NAT).

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Update plugin/acl/README.md

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Update plugin/acl/README.md

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Diffstat (limited to 'plugin')
plugin/acl/README.md | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/plugin/acl/README.md b/plugin/acl/README.md
index 5103018ef..4b34500e4 100644
--- a/plugin/acl/README.md
+++ b/plugin/acl/README.md
@@ -6,7 +6,13 @@
## Description
-With `acl` enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
+With `acl` enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries or blocking unauthorized queries.
+
+
+When evaluating the rule sets, _acl_ uses the source IP of the TCP/UDP headers of the DNS query received by CoreDNS.
+This source IP will be different than the IP of the client originating the request in cases where the source IP of the request is changed in transit. For example:
+* if the request passes though an intermediate forwarding DNS server or recursive DNS server before reaching CoreDNS
+* if the request traverses a Source NAT before reaching CoreDNS
This plugin can be used multiple times per Server Block.
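Review bot: The new bullet on the forwarding-server case has a typo: "if the request passes though an intermediate forwarding DNS server" should read "passes through". Two smaller points in the same hunk: the added paragraph is preceded by two blank lines where one is enough, and "the source IP of the TCP/UDP headers" is imprecise, since the source address is carried in the IP header rather than in the TCP or UDP header; "the source IP address of the packet carrying the DNS query" would be accurate. It would also help operators to spell out the consequence of the edge case being documented: when CoreDNS sits behind a forwarder, a recursive resolver, or a Source NAT gateway, an allow or block rule matches the address of that intermediate hop, so the rule applies to every client behind it, and per-client filtering has to be done at the hop that still sees the original client address.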