Views and ACLs

Thepolicy module implements policies for global query matching, e.g. solves “how to react to certain query”.This module combines it with query source matching, e.g. “who asked the query”. This allows you to create personalized blacklists, filters and ACLs.

There are two identification mechanisms:

  • addr- identifies the client based on his subnet
  • tsig- identifies the client based on a TSIG key name (only for testing purposes, TSIG signature is not verified!)

View module allows you to combine query source information withpolicy rules.

view:addr('10.0.0.1',policy.suffix(policy.TC,policy.todnames({'example.com'})))

This example will force given client to TCP for names inexample.com subtree.You can combine view selectors withRPZ to create personalized filters for example.

Warning

Beware that cache is shared byall requests. For example, it is safeto refuse answer based on who asks the resolver, but trying to servedifferent data to different clients will result in unexpected behavior.Setups likesplit-horizon which depend on isolated DNS cachesare explicitly not supported.

Example configuration

-- Load modulesmodules={'view'}-- Whitelist queries identified by TSIG keyview:tsig('\5mykey',policy.all(policy.PASS))-- Block local IPv4 clients (ACL like)view:addr('127.0.0.1',policy.all(policy.DENY))-- Block local IPv6 clients (ACL like)view:addr('::1',policy.all(policy.DENY))-- Drop queries with suffix match for remote clientview:addr('10.0.0.0/8',policy.suffix(policy.DROP,policy.todnames({'xxx'})))-- RPZ for subset of clientsview:addr('192.168.1.0/24',policy.rpz(policy.PASS,'whitelist.rpz'))-- Do not try this - it will pollute cache and surprise you!-- view:addr('10.0.0.0/8', policy.all(policy.FORWARD('2001:DB8::1')))-- Drop everything that hasn't matchedview:addr('0.0.0.0/0',policy.all(policy.DROP))

Rule order

The current implementation is best understood as three separate rule chains:vanillapolicy.add,view:tsig andview:addr.For each request the rules in these chains get tried one by one until anon-chain policy action gets executed.

By defaultpolicy module acts beforeview module due topolicy being loaded by default. If you want to intermingle universal rules withview:addr, you may simply wrap the universal policy rules in view closure like this:

view:addr('0.0.0.0/0',policy.<rule>)-- andview:addr('::0/0',policy.<rule>)

Properties

view:addr(subnet, rule)
Parameters:
  • subnet – client subnet, i.e.10.0.0.1
  • rule – added rule, i.e.policy.pattern(policy.DENY,'[0-9]+\2cz')

Apply rule to clients in given subnet.

view:tsig(key, rule)
Parameters:
  • key – client TSIG key domain name, i.e.\5mykey
  • rule – added rule, i.e.policy.pattern(policy.DENY,'[0-9]+\2cz')

Apply rule to clients with given TSIG key.

Warning

This just selects rule based on the key name, it doesn’t verify the key or signature yet.