4 dnsdist works in essence like any other loadbalancer:
6 It receives packets on one or several addresses it listens on, and determines whether it will process this packet based on the :doc:`advanced/acl`. Should the packet be processed, dnsdist attempts to match any of the configured rules in order and when one matches, the associated action is performed.
8 These rule and action combinations are considered policies.
16 - Turned into an answer directly
17 - Forwarded to a downstream server
18 - Modified and forwarded to a downstream and be modified back
21 This decision can be taken at different times during the forwarding process.
26 Rules for traffic exceeding QPS limits
27 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
29 Traffic that exceeds a QPS limit, in total or per IP (subnet) can be matched by a rule.
33 addAction(MaxQPSIPRule(5, 32, 48), DelayAction(100))
35 This measures traffic per IPv4 address and per /48 of IPv6, and if traffic for such an address (range) exceeds 5 qps, it gets delayed by 100ms.
39 addAction(MaxQPSIPRule(5), NoRecurseAction())
41 This strips the Recursion Desired (RD) bit from any traffic per IPv4 or IPv6 /64 that exceeds 5 qps.
42 This means any those traffic bins is allowed to make a recursor do 'work' for only 5 qps.
44 If this is not enough, try::
46 addAction(MaxQPSIPRule(5), DropAction())
50 addAction(MaxQPSIPRule(5), TCAction())
52 This will respectively drop traffic exceeding that 5 QPS limit per IP or range, or return it with TC=1, forcing clients to fall back to TCP.
54 To turn this per IP or range limit into a global limit, use ``NotRule(MaxQPSRule(5000))`` instead of :func:`MaxQPSIPRule`.
59 :func:`RegexRule` matches a regular expression on the query name, and it works like this::
61 addAction(RegexRule("[0-9]{5,}"), DelayAction(750)) -- milliseconds
62 addAction(RegexRule("[0-9]{4,}\\.example$"), DropAction())
64 This delays any query for a domain name with 5 or more consecutive digits in it.
65 The second rule drops anything with more than 4 consecutive digits within a .example domain.
67 Note that the query name is presented without a trailing dot to the regex.
68 The regex is applied case insensitively.
70 Alternatively, if compiled in, :func:`RE2Rule` provides similar functionality, but against libre2.
75 :program:`dnsdist` contains several functions that make it easier to add actions and rules.
77 .. function:: addAnyTCRule()
81 Set the TC-bit (truncate) on ANY queries received over UDP, forcing a retry over TCP.
82 This function is deprecated as of 1.2.0 and will be removed in 1.3.0. This is equivalent to doing::
84 addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(false)}), TCAction())
86 .. function:: addDelay(DNSrule, delay)
90 Delay the query for ``delay`` milliseconds before sending to a backend.
91 This function is deprecated as of 1.2.0 and will be removed in 1.3.0, please use instead:
93 addAction(DNSRule, DelayAction(delay))
95 :param DNSRule: The DNSRule to match traffic
96 :param int delay: The delay time in milliseconds.
98 .. function:: addDisableValidationRule(DNSrule)
100 .. deprecated:: 1.2.0
102 Set the CD (Checking Disabled) flag to 1 for all queries matching the DNSRule.
103 This function is deprecated as of 1.2.0 and will be removed in 1.3.0. Please use the :func:`DisableValidationAction` action instead.
105 .. function:: addDomainBlock(domain)
107 .. deprecated:: 1.2.0
109 Drop all queries for ``domain`` and all names below it.
110 Deprecated as of 1.2.0 and will be removed in 1.3.0, please use instead:
112 addAction(domain, DropAction())
114 :param string domain: The domain name to block
116 .. function:: addDomainSpoof(domain, IPv4[, IPv6])
117 addDomainSpoof(domain, {IP[,...]})
119 .. deprecated:: 1.2.0
121 Generate answers for A/AAAA/ANY queries.
122 This function is deprecated as of 1.2.0 and will be removed in 1.3.0, please use:
124 addAction(domain, SpoofAction({IP[,...]}))
128 addAction(domain, SpoofAction(IPv4[, IPv6]))
130 :param string domain: Domain name to spoof for
131 :param string IPv4: IPv4 address to spoof in the reply
132 :param string IPv6: IPv6 address to spoof in the reply
133 :param string IP: IP address to spoof in the reply
135 .. function:: addDomainCNAMESpoof(domain, cname)
137 .. deprecated:: 1.2.0
139 Generate CNAME answers for queries. This function is deprecated as of 1.2.0 and will be removed in 1.3.0, in favor of using:
141 addAction(domain, SpoofCNAMEAction(cname))
143 :param string domain: Domain name to spoof for
144 :param string cname: Domain name to add CNAME to
146 .. function:: addLuaAction(DNSrule, function [, options])
148 .. versionchanged:: 1.3.0
149 Added the optional parameter ``options``.
151 .. versionchanged:: 1.3.0
152 The second argument returned by the ``function`` can be omitted. For earlier releases, simply return an empty string.
154 Invoke a Lua function that accepts a :class:`DNSQuestion`.
155 This function works similar to using :func:`LuaAction`.
156 The ``function`` should return both a :ref:`DNSAction` and its argument `rule`. The `rule` is used as an argument
157 of the following :ref:`DNSAction`: `DNSAction.Spoof`, `DNSAction.Pool` and `DNSAction.Delay`.
158 If the Lua code fails, ServFail is returned.
160 :param DNSRule: match queries based on this rule
161 :param string function: the name of a Lua function
162 :param table options: A table with key: value pairs with options.
166 * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.
171 if(dq.qtype==dnsdist.NAPTR)
173 return DNSAction.Pool, "abuse" -- send to abuse pool
175 return DNSAction.None, "" -- no action
176 -- return DNSAction.None -- as of dnsdist version 1.3.0
180 addLuaAction(AllRule(), luarule)
182 .. function:: addLuaResponseAction(DNSrule, function [, options])
184 .. versionchanged:: 1.3.0
185 Added the optional parameter ``options``.
187 .. versionchanged:: 1.3.0
188 The second argument returned by the ``function`` can be omitted. For earlier releases, simply return an empty string.
190 Invoke a Lua function that accepts a :class:`DNSResponse`.
191 This function works similar to using :func:`LuaResponseAction`.
192 The ``function`` should return both a :ref:`DNSResponseAction` and its argument `rule`. The `rule` is used as an argument
193 of the `DNSResponseAction.Delay`.
194 If the Lua code fails, ServFail is returned.
196 :param DNSRule: match queries based on this rule
197 :param string function: the name of a Lua function
198 :param table options: A table with key: value pairs with options.
202 * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.
204 .. function:: addNoRecurseRule(DNSrule)
206 .. deprecated:: 1.2.0
208 Clear the RD flag for all queries matching the rule.
209 This function is deprecated as of 1.2.0 and will be removed in 1.3.0, please use:
211 addAction(DNSRule, NoRecurseAction())
213 :param DNSRule: match queries based on this rule
215 .. function:: addPoolRule(DNSRule, pool)
217 .. deprecated:: 1.2.0
219 Send queries matching the first argument to the pool ``pool``.
222 addPoolRule("example.com", "myPool")
224 This function is deprecated as of 1.2.0 and will be removed in 1.3.0, this is equivalent to::
226 addAction("example.com", PoolAction("myPool"))
228 :param DNSRule: match queries based on this rule
229 :param string pool: The name of the pool to send the queries to
231 .. function:: addQPSLimit(DNSrule, limit)
233 .. deprecated:: 1.2.0
235 Limit queries matching the DNSRule to ``limit`` queries per second.
236 All queries over the limit are dropped.
237 This function is deprecated as of 1.2.0 and will be removed in 1.3.0, please use:
239 addAction(DNSRule, QPSAction(limit))
241 :param DNSRule: match queries based on this rule
242 :param int limit: QPS limit for this rule
244 .. function:: addQPSPoolRule(DNSRule, limit, pool)
246 .. deprecated:: 1.2.0
248 Send at most ``limit`` queries/s for this pool, letting the subsequent rules apply otherwise.
249 This function is deprecated as of 1.2.0 and will be removed in 1.3.0, as it is only a convience function for the following syntax::
251 addAction("192.0.2.0/24", QPSPoolAction(15, "myPool")
253 :param DNSRule: match queries based on this rule
254 :param int limit: QPS limit for this rule
255 :param string pool: The name of the pool to send the queries to
261 Active Rules can be shown with :func:`showRules` and removed with :func:`rmRule`::
263 > addAction("h4xorbooter.xyz.", QPSAction(10))
264 > addAction({"130.161.0.0/16", "145.14.0.0/16"} , QPSAction(20))
265 > addAction({"nl.", "be."}, QPSAction(1))
267 # Matches Rule Action
268 0 0 h4xorbooter.xyz. qps limit to 10
269 1 0 130.161.0.0/16, 145.14.0.0/16 qps limit to 20
270 2 0 nl., be. qps limit to 1
272 For Rules related to the incoming query:
274 .. function:: addAction(DNSrule, action [, options])
276 .. versionchanged:: 1.3.0
277 Added the optional parameter ``options``.
279 Add a Rule and Action to the existing rules.
281 :param DNSrule rule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
282 :param action: The action to take
283 :param table options: A table with key: value pairs with options.
287 * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.
289 .. function:: clearRules()
291 Remove all current rules.
293 .. function:: getAction(n) -> Action
295 Returns the Action associated with rule ``n``.
297 :param int n: The rule number
299 .. function:: mvRule(from, to)
301 Move rule ``from`` to a position where it is in front of ``to``.
302 ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.
304 :param int from: Rule number to move
305 :param int to: Location to more the Rule to
307 .. function:: newRuleAction(rule, action[, options])
309 .. versionchanged:: 1.3.0
310 Added the optional parameter ``options``.
312 Return a pair of DNS Rule and DNS Action, to be used with :func:`setRules`.
314 :param Rule rule: A `Rule <#traffic-matching>`_
315 :param Action action: The `Action <#actions>`_ to apply to the matched traffic
316 :param table options: A table with key: value pairs with options.
320 * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.
322 .. function:: setRules(rules)
324 Replace the current rules with the supplied list of pairs of DNS Rules and DNS Actions (see :func:`newRuleAction`)
326 :param [RuleAction] rules: A list of RuleActions
328 .. function:: showRules([options])
330 .. versionchanged:: 1.3.0
331 ``options`` optional parameter added
333 Show all defined rules for queries, optionally displaying their UUIDs.
335 :param table options: A table with key: value pairs with display options.
339 * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
340 * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
342 .. function:: topRule()
344 Move the last rule to the first position.
346 .. function:: rmRule(id)
348 .. versionchanged:: 1.3.0
349 ``id`` can now be an UUID.
353 :param int id: The UUID of the rule to remove if ``id`` is an UUID, its position otherwise
355 For Rules related to responses:
357 .. function:: addResponseAction(DNSRule, action [, options])
359 .. versionchanged:: 1.3.0
360 Added the optional parameter ``options``.
362 Add a Rule and Action for responses to the existing rules.
364 :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
365 :param action: The action to take
366 :param table options: A table with key: value pairs with options.
370 * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.
372 .. function:: mvResponseRule(from, to)
374 Move response rule ``from`` to a position where it is in front of ``to``.
375 ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.
377 :param int from: Rule number to move
378 :param int to: Location to more the Rule to
380 .. function:: rmResponseRule(id)
382 .. versionchanged:: 1.3.0
383 ``id`` can now be an UUID.
385 Remove response rule ``id``.
387 :param int id: The UUID of the rule to remove if ``id`` is an UUID, its position otherwise
389 .. function:: showResponseRules([options])
391 .. versionchanged:: 1.3.0
392 ``options`` optional parameter added
394 Show all defined response rules, optionally displaying their UUIDs.
396 :param table options: A table with key: value pairs with display options.
400 * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
401 * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
403 .. function:: topResponseRule()
405 Move the last response rule to the first position.
407 Functions for manipulating Cache Hit Respone Rules:
409 .. function:: addCacheHitResponseAction(DNSRule, action [, options])
411 .. versionadded:: 1.2.0
413 .. versionchanged:: 1.3.0
414 Added the optional parameter ``options``.
416 Add a Rule and ResponseAction for Cache Hits to the existing rules.
418 :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
419 :param action: The action to take
420 :param table options: A table with key: value pairs with options.
424 * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.
426 .. function:: mvCacheHitResponseRule(from, to)
428 .. versionadded:: 1.2.0
430 Move cache hit response rule ``from`` to a position where it is in front of ``to``.
431 ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.
433 :param int from: Rule number to move
434 :param int to: Location to more the Rule to
436 .. function:: rmCacheHitResponseRule(id)
438 .. versionadded:: 1.2.0
440 .. versionchanged:: 1.3.0
441 ``id`` can now be an UUID.
443 :param int id: The UUID of the rule to remove if ``id`` is an UUID, its position otherwise
445 .. function:: showCacheHitResponseRules([options])
447 .. versionadded:: 1.2.0
449 .. versionchanged:: 1.3.0
450 ``options`` optional parameter added
452 Show all defined cache hit response rules, optionally displaying their UUIDs.
454 :param table options: A table with key: value pairs with display options.
458 * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
459 * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
461 .. function:: topCacheHitResponseRule()
463 .. versionadded:: 1.2.0
465 Move the last cache hit response rule to the first position.
467 Functions for manipulating Self-Answered Response Rules:
469 .. function:: addSelfAnsweredResponseAction(DNSRule, action [, options])
471 .. versionadded:: 1.3.0
473 Add a Rule and Action for Self-Answered queries to the existing rules.
475 :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
476 :param action: The action to take
478 .. function:: mvSelfAnsweredResponseRule(from, to)
480 .. versionadded:: 1.3.0
482 Move self answered response rule ``from`` to a position where it is in front of ``to``.
483 ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.
485 :param int from: Rule number to move
486 :param int to: Location to more the Rule to
488 .. function:: rmSelfAnsweredResponseRule(id)
490 .. versionadded:: 1.3.0
492 Remove self answered response rule ``id``.
494 :param int id: The UUID of the rule to remove if ``id`` is an UUID, its position otherwise
496 .. function:: showSelfAnsweredResponseRules([options])
498 .. versionadded:: 1.3.0
500 Show all defined self answered response rules, optionally displaying their UUIDs.
502 :param table options: A table with key: value pairs with display options.
506 * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
507 * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.
509 .. function:: topSelfAnsweredResponseRule()
511 .. versionadded:: 1.3.0
513 Move the last self answered response rule to the first position.
515 Function for pool related rules
517 .. function:: PoolAvailableRule(poolname)
519 .. versionadded:: 1.3.3
521 Check whether a pool has any servers available to handle queries
523 :param string poolname: Pool to check
527 Matching Packets (Selectors)
528 ----------------------------
530 Packets can be matched by selectors, called a ``DNSRule``.
531 These ``DNSRule``\ s be one of the following items:
533 * A string that is either a domain name or netmask
534 * A list of strings that are either domain names or netmasks
536 * A list of :class:`DNSName`\ s
537 * A (compounded) ``Rule``
539 .. versionadded:: 1.2.0
540 A DNSRule can also be a :class:`DNSName` or a list of these
542 .. function:: AllRule()
546 .. function:: DNSSECRule()
548 Matches queries with the DO flag set
550 .. function:: DSTPortRule(port)
552 Matches questions received to the destination port.
554 :param int port: Match destination port.
556 .. function:: EDNSOptionRule(optcode)
558 .. versionadded:: 1.4.0
560 Matches queries or responses with the specified EDNS option present.
561 ``optcode`` is specified as an integer, or a constant such as `EDNSOptionCode.ECS`.
563 .. function:: EDNSVersionRule(version)
565 .. versionadded:: 1.4.0
567 Matches queries or responses with an OPT record whose EDNS version is greater than the specified EDNS version.
569 :param int version: The EDNS version to match on
571 .. function:: ERCodeRule(rcode)
573 Matches queries or responses with the specified ``rcode``.
574 ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
575 The full 16bit RCode will be matched. If no EDNS OPT RR is present, the upper 12 bits are treated as 0.
577 :param int rcode: The RCODE to match on
579 .. function:: MaxQPSIPRule(qps[, v4Mask[, v6Mask[, burst[, expiration[, cleanupDelay[, scanFraction]]]]]])
580 .. versionchanged:: 1.3.1
581 Added the optional parameters ``expiration``, ``cleanupDelay`` and ``scanFraction``.
583 Matches traffic for a subnet specified by ``v4Mask`` or ``v6Mask`` exceeding ``qps`` queries per second up to ``burst`` allowed.
584 This rule keeps track of QPS by netmask or source IP. This state is cleaned up regularly if ``cleanupDelay`` is greater than zero,
585 removing existing netmasks or IP addresses that have not been seen in the last ``expiration`` seconds.
587 :param int qps: The number of queries per second allowed, above this number traffic is matched
588 :param int v4Mask: The IPv4 netmask to match on. Default is 32 (the whole address)
589 :param int v6Mask: The IPv6 netmask to match on. Default is 64
590 :param int burst: The number of burstable queries per second allowed. Default is same as qps
591 :param int expiration: How long to keep netmask or IP addresses after they have last been seen, in seconds. Default is 300
592 :param int cleanupDelay: The number of seconds between two cleanups. Default is 60
593 :param int scanFraction: The maximum fraction of the store to scan for expired entries, for example 5 would scan at most 20% of it. Default is 10 so 10%
595 .. function:: MaxQPSRule(qps)
597 Matches traffic **not** exceeding this qps limit. If e.g. this is set to 50, starting at the 51st query of the current second traffic stops being matched.
598 This can be used to enforce a global QPS limit.
600 :param int qps: The number of queries per second allowed, above this number the traffic is **not** matched anymore
602 .. function:: NetmaskGroupRule(nmg[, src])
604 Matches traffic from/to the network range specified in ``nmg``.
606 Set the ``src`` parameter to false to match ``nmg`` against destination address instead of source address.
607 This can be used to differentiate between clients
609 :param NetMaskGroup nmg: The NetMaskGroup to match on
610 :param bool src: Whether to match source or destination address of the packet. Defaults to true (matches source)
612 .. function:: OpcodeRule(code)
614 Matches queries with opcode ``code``.
615 ``code`` can be directly specified as an integer, or one of the :ref:`built-in DNSOpcodes <DNSOpcode>`.
617 :param int code: The opcode to match
619 .. function:: ProbaRule(probability)
621 .. versionadded:: 1.3.0
623 Matches queries with a given probability. 1.0 means "always"
625 :param double probability: Probability of a match
627 .. function:: QClassRule(qclass)
629 Matches queries with the specified ``qclass``.
630 ``class`` can be specified as an integer or as one of the built-in :ref:`DNSQClass`.
632 :param int qclass: The Query Class to match on
634 .. function:: QNameRule(qname)
636 .. versionadded:: 1.2.0
638 Matches queries with the specified qname exactly.
640 :param string qname: Qname to match
642 .. function:: QNameLabelsCountRule(min, max)
644 Matches if the qname has less than ``min`` or more than ``max`` labels.
646 :param int min: Minimum number of labels
647 :param int max: Maximum nimber of labels
649 .. function:: QNameWireLengthRule(min, max)
651 Matches if the qname's length on the wire is less than ``min`` or more than ``max`` bytes.
653 :param int min: Minimum number of bytes
654 :param int max: Maximum nimber of bytes
656 .. function:: QTypeRule(qtype)
658 Matches queries with the specified ``qtype``
659 ``qtype`` may be specified as an integer or as one of the built-in QTypes.
660 For instance ``dnsdist.A``, ``dnsdist.TXT`` and ``dnsdist.ANY``.
662 :param int qtype: The QType to match on
664 .. function:: RCodeRule(rcode)
666 Matches queries or responses with the specified ``rcode``.
667 ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
668 Only the non-extended RCode is matched (lower 4bits).
670 :param int rcode: The RCODE to match on
672 .. function:: RDRule()
674 .. versionadded:: 1.2.0
676 Matches queries with the RD flag set.
678 .. function:: RegexRule(regex)
680 Matches the query name against the ``regex``.
684 addAction(RegexRule("[0-9]{5,}"), DelayAction(750)) -- milliseconds
685 addAction(RegexRule("[0-9]{4,}\\.example$"), DropAction())
687 This delays any query for a domain name with 5 or more consecutive digits in it.
688 The second rule drops anything with more than 4 consecutive digits within a .EXAMPLE domain.
690 Note that the query name is presented without a trailing dot to the regex.
691 The regex is applied case insensitively.
693 :param string regex: A regular expression to match the traffic on
695 .. function:: RecordsCountRule(section, minCount, maxCount)
697 Matches if there is at least ``minCount`` and at most ``maxCount`` records in the section ``section``.
698 ``section`` can be specified as an integer or as a :ref:`DNSSection`.
700 :param int section: The section to match on
701 :param int minCount: The minimum number of entries
702 :param int maxCount: The maximum number of entries
704 .. function:: RecordsTypeCountRule(section, qtype, minCount, maxCount)
706 Matches if there is at least ``minCount`` and at most ``maxCount`` records of type ``type`` in the section ``section``.
707 ``section`` can be specified as an integer or as a ref:`DNSSection`.
708 ``qtype`` may be specified as an integer or as one of the built-in QTypes, for instance ``dnsdist.A`` or ``dnsdist.TXT``.
710 :param int section: The section to match on
711 :param int qtype: The QTYPE to match on
712 :param int minCount: The minimum number of entries
713 :param int maxCount: The maximum number of entries
715 .. function:: RE2Rule(regex)
717 Matches the query name against the supplied regex using the RE2 engine.
719 For an example of usage, see :func:`RegexRule`.
721 :note: Only available when dnsdist was built with libre2 support.
723 :param str regex: The regular expression to match the QNAME.
725 .. function:: SuffixMatchNodeRule(smn[, quiet])
727 Matches based on a group of domain suffixes for rapid testing of membership.
728 Pass true as second parameter to prevent listing of all domains matched.
730 :param SuffixMatchNode smb: The SuffixMatchNode to match on
731 :param bool quiet: Do not return the list of matched domains. Default is false.
733 .. function:: TagRule(name [, value])
735 .. versionadded:: 1.3.0
737 Matches question or answer with a tag named ``name`` set. If ``value`` is specified, the existing tag value should match too.
739 :param bool name: The name of the tag that has to be set
740 :param bool value: If set, the value the tag has to be set to. Default is unset
742 .. function:: TCPRule([tcp])
744 Matches question received over TCP if ``tcp`` is true, over UDP otherwise.
746 :param bool tcp: Match TCP traffic. Default is true.
748 .. function:: TrailingDataRule()
750 Matches if the query has trailing data.
755 .. function:: AndRule(selectors)
757 Matches traffic if all ``selectors`` match.
759 :param {Rule} selectors: A table of Rules
761 .. function:: NotRule(selector)
763 Matches the traffic if the ``selector`` rule does not match;
765 :param Rule selector: A Rule
767 .. function:: OrRule(selectors)
769 Matches the traffic if one or more of the the ``selectors`` Rules does match.
771 :param {Rule} selector: A table of Rules
773 Convenience Functions
774 ~~~~~~~~~~~~~~~~~~~~~
776 .. function:: makeRule(rule)
778 Make a :func:`NetmaskGroupRule` or a :func:`SuffixMatchNodeRule`, depending on it is called.
779 ``makeRule("0.0.0.0/0")`` will for example match all IPv4 traffic, ``makeRule({"be","nl","lu"})`` will match all Benelux DNS traffic.
781 :param string rule: A string to convert to a rule.
787 :ref:`RulesIntro` need to be combined with an action for them to actually do something with the matched packets.
788 Some actions allow further processing of rules, this is noted in their description.
789 The following actions exist.
791 .. function:: AllowAction()
793 Let these packets go through.
795 .. function:: AllowResponseAction()
797 Let these packets go through.
799 .. function:: DelayAction(milliseconds)
801 Delay the response by the specified amount of milliseconds (UDP-only).
802 Subsequent rules are processed after this rule.
804 :param int milliseconds: The amount of milliseconds to delay the response
806 .. function:: DelayResponseAction(milliseconds)
808 Delay the response by the specified amount of milliseconds (UDP-only).
809 Subsequent rules are processed after this rule.
811 :param int milliseconds: The amount of milliseconds to delay the response
813 .. function:: DisableECSAction()
815 Disable the sending of ECS to the backend.
816 Subsequent rules are processed after this rule.
818 .. function:: DisableValidationAction()
820 Set the CD bit in the query and let it go through.
822 .. function:: DnstapLogAction(identity, logger[, alterFunction])
824 .. versionadded:: 1.3.0
826 Send the the current query to a remote logger as a :doc:`dnstap <reference/dnstap>` message.
827 ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DnstapMessage`, that can be used to modify the message.
829 :param string identity: Server identity to store in the dnstap message
830 :param logger: The :func:`FrameStreamLogger <newFrameStreamUnixLogger>` or :func:`RemoteLogger <newRemoteLogger>` object to write to
831 :param alterFunction: A Lua function to alter the message before sending
833 .. function:: DnstapLogResponseAction(identity, logger[, alterFunction])
835 .. versionadded:: 1.3.0
837 Send the the current response to a remote logger as a :doc:`dnstap <reference/dnstap>` message.
838 ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DnstapMessage`, that can be used to modify the message.
840 :param string identity: Server identity to store in the dnstap message
841 :param logger: The :func:`FrameStreamLogger <newFrameStreamUnixLogger>` or :func:`RemoteLogger <newRemoteLogger>` object to write to
842 :param alterFunction: A Lua function to alter the message before sending
844 .. function:: DropAction()
848 .. function:: DropResponseAction()
852 .. function:: ECSOverrideAction(override)
854 Whether an existing EDNS Client Subnet value should be overridden (true) or not (false).
855 Subsequent rules are processed after this rule.
857 :param bool override: Whether or not to override ECS value
859 .. function:: ECSPrefixLengthAction(v4, v6)
861 Set the ECS prefix length.
862 Subsequent rules are processed after this rule.
864 :param int v4: The IPv4 netmask length
865 :param int v6: The IPv6 netmask length
868 .. function:: ERCodeAction(rcode)
870 .. versionadded:: 1.4.0
872 Reply immediately by turning the query into a response with the specified EDNS extended ``rcode``.
873 ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
875 :param int rcode: The extended RCODE to respond with.
877 .. function:: LogAction([filename[, binary[, append[, buffered]]]])
879 Log a line for each query, to the specified ``file`` if any, to the console (require verbose) otherwise.
880 When logging to a file, the ``binary`` optional parameter specifies whether we log in binary form (default) or in textual form.
881 The ``append`` optional parameter specifies whether we open the file for appending or truncate each time (default).
882 The ``buffered`` optional parameter specifies whether writes to the file are buffered (default) or not.
883 Subsequent rules are processed after this rule.
885 :param string filename: File to log to. Set to an empty string to log to the normal stdout log, this only works when ``-v`` is set on the command line.
886 :param bool binary: Do binary logging. Default true
887 :param bool append: Append to the log. Default false
888 :param bool buffered: Use buffered I/O. default true
890 .. function:: LuaAction(function)
892 Invoke a Lua function that accepts a :class:`DNSQuestion`.
894 The ``function`` should return a :ref:`DNSAction`. If the Lua code fails, ServFail is returned.
896 :param string function: the name of a Lua function
898 .. function:: LuaResponseAction(function)
900 Invoke a Lua function that accepts a :class:`DNSResponse`.
902 The ``function`` should return a :ref:`DNSResponseAction`. If the Lua code fails, ServFail is returned.
904 :param string function: the name of a Lua function
906 .. function:: MacAddrAction(option)
908 Add the source MAC address to the query as EDNS0 option ``option``.
909 This action is currently only supported on Linux.
910 Subsequent rules are processed after this rule.
912 :param int option: The EDNS0 option number
914 .. function:: NoneAction()
917 Subsequent rules are processed after this rule.
919 .. function:: NoRecurseAction()
921 Strip RD bit from the question, let it go through.
922 Subsequent rules are processed after this rule.
924 .. function:: PoolAction(poolname)
926 Send the packet into the specified pool.
928 :param string poolname: The name of the pool
930 .. function:: QPSAction(maxqps)
932 Drop a packet if it does exceed the ``maxqps`` queries per second limits.
933 Letting the subsequent rules apply otherwise.
935 :param int maxqps: The QPS limit
937 .. function:: QPSPoolAction(maxqps, poolname)
939 Send the packet into the specified pool only if it does not exceed the ``maxqps`` queries per second limits.
940 Letting the subsequent rules apply otherwise.
942 :param int maxqps: The QPS limit for that pool
943 :param string poolname: The name of the pool
945 .. function:: RCodeAction(rcode)
947 Reply immediately by turning the query into a response with the specified ``rcode``.
948 ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
950 :param int rcode: The RCODE to respond with.
952 .. function:: RemoteLogAction(remoteLogger[, alterFunction [, options]])
954 .. versionchanged:: 1.3.0
955 ``options`` optional parameter added.
957 Send the content of this query to a remote logger via Protocol Buffer.
958 ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes
960 :param string remoteLogger: The :func:`remoteLogger <newRemoteLogger>` object to write to
961 :param string alterFunction: Name of a function to modify the contents of the logs before sending
962 :param table options: A table with key: value pairs.
966 * ``serverID=""``: str - Set the Server Identity field.
968 .. function:: RemoteLogResponseAction(remoteLogger[, alterFunction[, includeCNAME [, options]]])
970 .. versionchanged:: 1.3.0
971 ``options`` optional parameter added.
973 Send the content of this response to a remote logger via Protocol Buffer.
974 ``alterFunction`` is the same callback that receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes
975 ``includeCNAME`` indicates whether CNAME records inside the response should be parsed and exported.
976 The default is to only exports A and AAAA records
978 :param string remoteLogger: The :func:`remoteLogger <newRemoteLogger>` object to write to
979 :param string alterFunction: Name of a function to modify the contents of the logs before sending
980 :param bool includeCNAME: Whether or not to parse and export CNAMEs. Default false
981 :param table options: A table with key: value pairs.
985 * ``serverID=""``: str - Set the Server Identity field.
987 .. function:: SetECSAction(v4 [, v6])
989 .. versionadded:: 1.3.1
991 Set the ECS prefix and prefix length sent to backends to an arbitrary value.
992 If both IPv4 and IPv6 masks are supplied the IPv4 one will be used for IPv4 clients
993 and the IPv6 one for IPv6 clients. Otherwise the first mask is used for both, and
994 can actually be an IPv6 mask.
995 Subsequent rules are processed after this rule.
997 :param string v4: The IPv4 netmask, for example "192.0.2.1/32"
998 :param string v6: The IPv6 netmask, if any
1000 .. function:: SkipCacheAction()
1002 Don't lookup the cache for this query, don't store the answer.
1004 .. function:: SNMPTrapAction([message])
1006 Send an SNMP trap, adding the optional ``message`` string as the query description.
1007 Subsequent rules are processed after this rule.
1009 :param string message: The message to include
1011 .. function:: SNMPTrapResponseAction([message])
1013 Send an SNMP trap, adding the optional ``message`` string as the query description.
1014 Subsequent rules are processed after this rule.
1016 :param string message: The message to include
1018 .. function:: SpoofAction(ip[, ip[...]])
1021 Forge a response with the specified IPv4 (for an A query) or IPv6 (for an AAAA) addresses.
1022 If you specify multiple addresses, all that match the query type (A, AAAA or ANY) will get spoofed in.
1024 :param string ip: An IPv4 and/or IPv6 address to spoof
1025 :param {string} ips: A table of IPv4 and/or IPv6 addresses to spoof
1027 .. function:: SpoofCNAMEAction(cname)
1029 Forge a response with the specified CNAME value.
1031 :param string cname: The name to respond with
1033 .. function:: TagAction(name, value)
1035 .. versionadded:: 1.3.0
1037 Associate a tag named ``name`` with a value of ``value`` to this query, that will be passed on to the response.
1039 :param string name: The name of the tag to set
1040 :param string cname: The value of the tag
1042 .. function:: TagResponseAction(name, value)
1044 .. versionadded:: 1.3.0
1046 Associate a tag named ``name`` with a value of ``value`` to this response.
1048 :param string name: The name of the tag to set
1049 :param string cname: The value of the tag
1051 .. function:: TCAction()
1053 Create answer to query with TC and RD bits set, to force the client to TCP.
1055 .. function:: TeeAction(remote[, addECS])
1057 Send copy of query to ``remote``, keep stats on responses.
1058 If ``addECS`` is set to true, EDNS Client Subnet information will be added to the query.
1060 :param string remote: An IP:PORT conbination to send the copied queries to
1061 :param bool addECS: Whether or not to add ECS information. Default false
1063 .. function:: TempFailureCacheTTLAction(ttl)
1065 Set the cache TTL to use for ServFail and Refused replies. TTL is not applied for successful replies.
1067 :param int ttl: Cache TTL for temporary failure replies