Diffstat (limited to 'plugin/kubernetes/xfr.go')
-rw-r--r--plugin/kubernetes/xfr.go24
1 files changed, 24 insertions, 0 deletions
diff --git a/plugin/kubernetes/xfr.go b/plugin/kubernetes/xfr.go
index eaf554c6a..c15831276 100644
--- a/plugin/kubernetes/xfr.go
+++ b/plugin/kubernetes/xfr.go
@@ -25,6 +25,10 @@ func (k *Kubernetes) MinTTL(state request.Request) uint32 { return 30 }
// Transfer implements the Transferer interface.
func (k *Kubernetes) Transfer(ctx context.Context, state request.Request) (int, error) {
+ if !k.transferAllowed(state) {
+ return dns.RcodeRefused, nil
+ }
+
// Get all services.
rrs := make(chan dns.RR)
go k.transfer(rrs, state.Zone)
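Review bot: The new guard at the top of Transfer refuses the request without recording who asked, so a refused AXFR leaves no trace for detection or for diagnosing a mis-typed `transfer to` list; if the package's plugin logger is in scope here, a debug line such as `log.Debugf("Refused zone transfer of %q to %s", state.Zone, state.IP())` before `return dns.RcodeRefused, nil` would cover both. The decision comes from transferAllowed (added in the next hunk), which compares the string `state.IP()` against the host part of each TransferTo entry, so an entry that net.SplitHostPort cannot parse is skipped silently and a non-canonical IPv6 spelling will not match — probably harmless if setup already normalizes the list to host:port, but worth a comment on the helper stating that assumption. In that helper `remote := state.IP()` is loop-invariant and could be hoisted above the loop. Transfer's body continues past the end of this hunk.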
@@ -71,6 +75,26 @@ func (k *Kubernetes) Transfer(ctx context.Context, state request.Request) (int,
return dns.RcodeSuccess, nil
}
+// transferAllowed checks if incoming request for transferring the zone is allowed according to the ACLs.
+// Note: This is copied from zone.transferAllowed, but should eventually be factored into a common transfer pkg.
+func (k *Kubernetes) transferAllowed(state request.Request) bool {
+ for _, t := range k.TransferTo {
+ if t == "*" {
+ return true
+ }
+ // If remote IP matches we accept.
+ remote := state.IP()
+ to, _, err := net.SplitHostPort(t)
+ if err != nil {
+ continue
+ }
+ if to == remote {
+ return true
+ }
+ }
+ return false
+}
+
func (k *Kubernetes) transfer(c chan dns.RR, zone string) {
defer close(c)