DNSdist: DNSAction.Pool from setSuffixMatchRule(FFI)
- Program: dnsdist
- Issue type: Feature request
Short description
Allow SuffixMatchRule() and SuffixMatchRuleFFI() to specify a Pool action so some (abusive) users can be sent to a separate pool of servers.
Usecase
SuffixMatchRules are an efficient way of identifying abusive users of a DNS service. In some cases you just want to drop their queries, like the default, but sometimes you want to answer queries even for abusive users, and for that purpose it would be helpful to be able to send those queries to an abuse pool of servers.
Description
Please make it possible to specify DNSAction.Pool (and some pool - I guess we could even live with a hard coded pool name if that makes things easier) as action for SuffixMatchRules and SuffixMatchRulesFFI. Previously also discussed in https://mailman.powerdns.com/pipermail/dnsdist/2022-April/001217.html
I really want to implement this! I did not manage to squeeze it for 1.9.0 but it will be in 1.10 for sure, and perhaps in 1.9.1 if the change is simple enough.
Thinking about this a bit more, also in the context of https://github.com/PowerDNS/pdns/issues/13750, I'm pondering a slightly different solution: adding a new action for dynamic block which would set a tag, like SetTagAction does. That way we can look at the tag during the processing of the regular rules, and use all the existing actions, including PoolAction. Any thoughts?
It's more elegant and user friendly to separate the identification of these queries from the rule based decision of what to do with them, so sounds perfect to me.
Thank you for implementing this - looking forward to giving it a spin.