summaryrefslogtreecommitdiffstats
path: root/modules/view/README.rst
blob: 3fa043a0128b3cba9a3d5c0da54d3599c413fca9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
.. _mod-view:

Views and ACLs
--------------

The :ref:`policy <mod-policy>` module implements policies for global query matching, e.g. solves "how to react to certain query".
This module combines it with query source matching, e.g. "who asked the query". This allows you to create personalized blacklists, filters and ACLs.

There are two identification mechanisms:

* ``addr``
  - identifies the client based on his subnet
* ``tsig``
  - identifies the client based on a TSIG key name (only for testing purposes, TSIG signature is not verified!)

View module allows you to combine query source information with :ref:`policy <mod-policy>` rules.

.. code-block:: lua

	view:addr('10.0.0.1', policy.suffix(policy.TC, policy.todnames({'example.com'})))

This example will force given client to TCP for names in ``example.com`` subtree.
You can combine view selectors with RPZ_ to create personalized filters for example.

.. warning::

	Beware that cache is shared by *all* requests.  For example, it is safe
	to refuse answer based on who asks the resolver, but trying to serve
	different data to different clients will result in unexpected behavior.
	Setups like **split-horizon** which depend on isolated DNS caches
        are explicitly not supported.


Example configuration
^^^^^^^^^^^^^^^^^^^^^

.. code-block:: lua

	-- Load modules
	modules = { 'view' }
	-- Whitelist queries identified by TSIG key
	view:tsig('\5mykey', policy.all(policy.PASS))
	-- Block local clients (ACL like)
	view:addr('127.0.0.1', policy.all(policy.DENY))
	-- Drop queries with suffix match for remote client
	view:addr('10.0.0.0/8', policy.suffix(policy.DROP, policy.todnames({'xxx'})))
	-- RPZ for subset of clients
	view:addr('192.168.1.0/24', policy.rpz(policy.PASS, 'whitelist.rpz'))
	-- Do not try this - it will pollute cache and surprise you!
	-- view:addr('10.0.0.0/8', policy.all(policy.FORWARD('2001:DB8::1')))
	-- Drop everything that hasn't matched
	view:addr('0.0.0.0/0', policy.all(policy.DROP))


Rule order
^^^^^^^^^^

The current implementation is best understood as three separate rule chains:
vanilla ``policy.add``, ``view:tsig`` and ``view:addr``.
For each request the rules in these chains get tried one by one until a :ref:`non-chain policy action <mod-policy-actions>` gets executed.

By default :ref:`policy module <mod-policy>` acts before ``view`` module due to ``policy`` being loaded by default. If you want to intermingle universal rules with ``view:addr``, you may simply wrap the universal policy rules in view closure like this:

.. code-block:: lua

    view:addr('0.0.0.0/0', policy.<rule>) -- and
    view:addr('::0/0',     policy.<rule>)


Properties
^^^^^^^^^^

.. function:: view:addr(subnet, rule)

  :param subnet: client subnet, i.e. ``10.0.0.1``
  :param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')``
  
  Apply rule to clients in given subnet.

.. function:: view:tsig(key, rule)

  :param key: client TSIG key domain name, i.e. ``\5mykey``
  :param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')``
  
  Apply rule to clients with given TSIG key.

  .. warning:: This just selects rule based on the key name, it doesn't verify the key or signature yet.

.. _RPZ: https://dnsrpz.info/