Skip to content
Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
134 lines (110 sloc) 5.41 KB
-- view "internal"
newServer({address="127.0.0.1:40000", pool="auth_internal"})
newServer({address="127.0.0.1:40001", pool="resolver_internal"})
pc = newPacketCache(100000)
getPool("resolver_internal"):setCache(pc)
match_clients_internal = newNMG()
match_clients_internal:addMask("10.0.0.0/8")
match_destinations_internal = newNMG()
match_destinations_internal:addMask("0.0.0.0/0")
match_destinations_internal:addMask("::0/0")
allow_query_internal = newNMG()
allow_query_internal:addMask("0.0.0.0/0")
allow_query_internal:addMask("::0/0")
allow_recursion_internal = newNMG()
authdomains_internal = newSuffixMatchNode()
allow_transfer_internal = {}
authdomains_internal:add(newDNSName("internal.example.com."))
allow_transfer_internal["internal.example.com."] = newNMG()
allow_transfer_internal["internal.example.com."]:addMask("10.1.1.1")
function xfr_query_internal(dq)
if(dq.qtype == dnsdist.AXFR or dq.qtype == dnsdist.IXFR)
then
a = allow_transfer_internal[string.lower(dq.qname:toString())]
if(match_clients_internal:match(dq.remoteaddr) and a:match(dq.remoteaddr))
then
return DNSAction.Pool, "auth_internal"
end
end
return DNSAction.None, ""
end
addAction(AndRule({NetmaskGroupRule(match_clients_internal), NotRule(NetmaskGroupRule(allow_query_internal))}), RCodeAction(5))
addAction(AndRule({NetmaskGroupRule(match_clients_internal), NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)), SuffixMatchNodeRule(authdomains_internal)}), PoolAction("auth_internal"))
addAction(AndRule({NetmaskGroupRule(match_clients_internal), NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)), NetmaskGroupRule(allow_recursion_internal)}), PoolAction("resolver_internal"))
addLuaAction(".", xfr_query_internal)
addAction(NetmaskGroupRule(match_clients_internal), RCodeAction(5))
-- view "external"
newServer({address="127.0.0.1:40002", pool="auth_external"})
newServer({address="127.0.0.1:40003", pool="resolver_external"})
pc = newPacketCache(100000)
getPool("resolver_external"):setCache(pc)
match_clients_external = newNMG()
match_clients_external:addMask("0.0.0.0/0")
match_clients_external:addMask("::/0")
match_destinations_external = newNMG()
match_destinations_external:addMask("0.0.0.0/0")
match_destinations_external:addMask("::0/0")
allow_query_external = newNMG()
allow_query_external:addMask("0.0.0.0/0")
allow_query_external:addMask("::0/0")
allow_recursion_external = newNMG()
authdomains_external = newSuffixMatchNode()
allow_transfer_external = {}
authdomains_external:add(newDNSName("example.com."))
allow_transfer_external["example.com."] = newNMG()
function xfr_query_external(dq)
if(dq.qtype == dnsdist.AXFR or dq.qtype == dnsdist.IXFR)
then
a = allow_transfer_external[string.lower(dq.qname:toString())]
if(match_clients_external:match(dq.remoteaddr) and a:match(dq.remoteaddr))
then
return DNSAction.Pool, "auth_external"
end
end
return DNSAction.None, ""
end
addAction(AndRule({NetmaskGroupRule(match_clients_external), NotRule(NetmaskGroupRule(allow_query_external))}), RCodeAction(5))
addAction(AndRule({NetmaskGroupRule(match_clients_external), NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)), SuffixMatchNodeRule(authdomains_external)}), PoolAction("auth_external"))
addAction(AndRule({NetmaskGroupRule(match_clients_external), NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)), NetmaskGroupRule(allow_recursion_external)}), PoolAction("resolver_external"))
addLuaAction(".", xfr_query_external)
addAction(NetmaskGroupRule(match_clients_external), RCodeAction(5))
-- view "_default"
newServer({address="127.0.0.1:40004", pool="auth__default"})
newServer({address="127.0.0.1:40005", pool="resolver__default"})
pc = newPacketCache(100000)
getPool("resolver__default"):setCache(pc)
match_clients__default = newNMG()
match_clients__default:addMask("0.0.0.0/0")
match_clients__default:addMask("::0/0")
match_destinations__default = newNMG()
match_destinations__default:addMask("0.0.0.0/0")
match_destinations__default:addMask("::0/0")
allow_query__default = newNMG()
allow_query__default:addMask("0.0.0.0/0")
allow_query__default:addMask("::0/0")
allow_recursion__default = newNMG()
authdomains__default = newSuffixMatchNode()
allow_transfer__default = {}
function xfr_query__default(dq)
if(dq.qtype == dnsdist.AXFR or dq.qtype == dnsdist.IXFR)
then
a = allow_transfer__default[string.lower(dq.qname:toString())]
if(match_clients__default:match(dq.remoteaddr) and a:match(dq.remoteaddr))
then
return DNSAction.Pool, "auth__default"
end
end
return DNSAction.None, ""
end
addAction(AndRule({NotRule(NetmaskGroupRule(allow_query__default))}), RCodeAction(5))
addAction(AndRule({NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)), SuffixMatchNodeRule(authdomains__default)}), PoolAction("auth__default"))
addAction(AndRule({NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)), NetmaskGroupRule(allow_recursion__default)}), PoolAction("resolver__default"))
addLuaAction(".", xfr_query__default)
addAction(NetmaskGroupRule(match_clients__default), RCodeAction(5))
addAction(AllRule(), RCodeAction(5))
setACL({})
addACL("0.0.0.0/0")
addACL("::0/0")
controlSocket("127.0.0.1")
addLocal("0.0.0.0:53")
addLocal("[::]:53")
You can’t perform that action at this time.