dnsdist works in essence like any other load balancer:

It receives packets on one or several addresses it listens on, and determines whether it will process this packet based on the :doc:`advanced/acl`. Should the packet be processed, dnsdist attempts to match the configured rules in order and, when one matches, the associated action is performed.

These rule and action combinations are considered policies.

Based on the matching rule, a packet can be:

- Turned into an answer directly
- Forwarded to a downstream server
- Modified and forwarded to a downstream server, with the response modified back on its way to the client

This decision can be taken at different times during the forwarding process.
Rules for traffic exceeding QPS limits
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Traffic that exceeds a QPS limit, in total or per IP (subnet), can be matched by a rule. For example::

  addAction(MaxQPSIPRule(5, 32, 48), DelayAction(100))

This measures traffic per IPv4 address and per IPv6 /48, and if traffic for such an address (range) exceeds 5 qps, it gets delayed by 100ms. (Please note: :func:`DelayAction` can only delay UDP traffic.)

Alternatively::

  addAction(MaxQPSIPRule(5), NoRecurseAction())

This strips the Recursion Desired (RD) bit from any traffic per IPv4 address or IPv6 /64 (the default masks) that exceeds 5 qps.
This means each of those traffic bins is allowed to make a recursor do 'work' for only 5 qps.

If this is not enough, try::

  addAction(MaxQPSIPRule(5), DropAction())

or::

  addAction(MaxQPSIPRule(5), TCAction())

This will respectively drop traffic exceeding that 5 QPS limit per IP or range, or return it with TC=1, forcing clients to fall back to TCP.

To turn this per IP or range limit into a global limit, use ``NotRule(MaxQPSRule(5000))`` instead of :func:`MaxQPSIPRule`: :func:`MaxQPSRule` matches traffic *within* its limit, so it has to be inverted to select the excess.
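To make the per-source and global limits above concrete, here is a reference model in Python. It is an added example for this page, not dnsdist's own code: it mirrors the documented parameters of :func:`MaxQPSIPRule` (qps, v4/v6 masks, burst, expiration) and :func:`MaxQPSRule`, and shows why the global form needs :func:`NotRule`. The token-bucket refill, the class names and the ``cleanup`` method are assumptions of the example; the addresses and timestamps in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Token bucket: refills at `rate` tokens per second, holds at most `burst`."""
    rate: float
    burst: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        """Spend one token for a query; False means the limit is exceeded."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class MaxQPSIPRule:
    """Per-source selector: True once the aggregated prefix exceeds qps (burst tolerated)."""

    def __init__(self, qps, v4mask=32, v6mask=64, burst=None, expiration=300):
        self.qps = qps
        self.v4mask, self.v6mask = v4mask, v6mask
        self.burst = qps if burst is None else burst   # documented default: same as qps
        self.expiration = expiration
        self.buckets = {}                                # prefix -> TokenBucket

    def key(self, src):
        """Aggregate the source address into its /v4mask or /v6mask prefix."""
        addr = ipaddress.ip_address(src)
        mask = self.v4mask if addr.version == 4 else self.v6mask
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    def matches(self, src, now):
        k = self.key(src)
        bucket = self.buckets.get(k)
        if bucket is None:
            bucket = self.buckets[k] = TokenBucket(self.qps, self.burst, self.burst, now)
        return not bucket.take(now)

    def cleanup(self, now):
        """Forget prefixes not seen for `expiration` seconds; returns how many were dropped."""
        stale = [k for k, b in self.buckets.items() if now - b.last > self.expiration]
        for k in stale:
            del self.buckets[k]
        return len(stale)


class MaxQPSRule:
    """Global selector: True while traffic is *within* qps, as the documentation states."""

    def __init__(self, qps, burst=None):
        cap = qps if burst is None else burst
        self.bucket = TokenBucket(qps, cap, cap, 0.0)

    def matches(self, now):
        return self.bucket.take(now)


class NotRule:
    """Inverts a rule; NotRule(MaxQPSRule(n)) selects the traffic above the global limit."""

    def __init__(self, rule):
        self.rule = rule

    def matches(self, *args):
        return not self.rule.matches(*args)


if __name__ == "__main__":
    # Constructed traffic: six queries from one /32 in the same second.
    per_ip = MaxQPSIPRule(5, 32, 48)
    verdicts = [per_ip.matches("192.0.2.10", 0.0) for _ in range(6)]
    print("per-IP rule matched on query:", [i + 1 for i, v in enumerate(verdicts) if v])
    # Two IPv6 hosts in one /48 share a bucket, so the sixth query from the pair matches.
    for _ in range(5):
        per_ip.matches("2001:db8:1::1", 0.0)
    print("same /48 over limit:", per_ip.matches("2001:db8:1:ffff::1", 0.0))
```

Note that the IPv6 mask decides the blast radius of the limit: with the default /64 every host in a typical residential allocation shares one bucket, while /48 lumps an entire site together, which is exactly what the rate limit is supposed to do for an abusive prefix but will also throttle legitimate neighbours.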
:func:`RegexRule` matches a regular expression on the query name, and it works like this::

  addAction(RegexRule("[0-9]{5,}"), DelayAction(750)) -- milliseconds
  addAction(RegexRule("[0-9]{4,}\\.example$"), DropAction())

This delays any query for a domain name with 5 or more consecutive digits in it.
The second rule drops anything with 4 or more consecutive digits directly followed by ``.example`` at the end of the name.

Note that the query name is presented without a trailing dot to the regex.
The regex is applied case insensitively.

Alternatively, if compiled in, :func:`RE2Rule` provides similar functionality, but uses libre2 instead.
:program:`dnsdist` contains several functions that make it easier to add actions and rules.

.. function:: addAnyTCRule()

  Set the TC-bit (truncate) on ANY queries received over UDP, forcing a retry over TCP.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0. This is equivalent to doing::

    addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())

  .. versionchanged:: 1.4.0
    Before 1.4.0, the QTypes were in the ``dnsdist`` namespace. Use ``dnsdist.ANY`` in these versions.

.. function:: addDelay(DNSrule, delay)

  Delay the query for ``delay`` milliseconds before sending it to a backend.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0, please use instead::

    addAction(DNSRule, DelayAction(delay))

  :param DNSRule: The DNSRule to match traffic
  :param int delay: The delay time in milliseconds.

.. function:: addDisableValidationRule(DNSrule)

  .. deprecated:: 1.2.0

  Set the CD (Checking Disabled) flag to 1 for all queries matching the DNSRule.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0. Please use the :func:`DisableValidationAction` action instead.

.. function:: addDomainBlock(domain)

  .. deprecated:: 1.2.0

  Drop all queries for ``domain`` and all names below it.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0, please use instead::

    addAction(domain, DropAction())

  :param string domain: The domain name to block

.. function:: addDomainSpoof(domain, IPv4[, IPv6])
              addDomainSpoof(domain, {IP[,...]})

  .. deprecated:: 1.2.0

  Generate answers for A/AAAA/ANY queries.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0, please use::

    addAction(domain, SpoofAction({IP[,...]}))

  or::

    addAction(domain, SpoofAction(IPv4[, IPv6]))

  :param string domain: Domain name to spoof for
  :param string IPv4: IPv4 address to spoof in the reply
  :param string IPv6: IPv6 address to spoof in the reply
  :param string IP: IP address to spoof in the reply

.. function:: addDomainCNAMESpoof(domain, cname)

  .. deprecated:: 1.2.0

  Generate CNAME answers for queries. This function has been deprecated as of 1.2.0 and removed in 1.3.0, in favor of using::

    addAction(domain, SpoofCNAMEAction(cname))

  :param string domain: Domain name to spoof for
  :param string cname: Domain name to add CNAME to
.. function:: addLuaAction(DNSrule, function [, options])

  .. versionchanged:: 1.3.0
    Added the optional parameter ``options``.

  .. versionchanged:: 1.3.0
    The second argument returned by the ``function`` can be omitted. For earlier releases, simply return an empty string.

  .. deprecated:: 1.4.0
    Removed in 1.4.0, use :func:`LuaAction` with :func:`addAction` instead.

  Invoke a Lua function that accepts a :class:`DNSQuestion`.
  This function works similarly to using :func:`LuaAction`.
  The ``function`` should return both a :ref:`DNSAction` and its argument ``rule``. The ``rule`` is used as an argument
  of the following :ref:`DNSAction`: ``DNSAction.Spoof``, ``DNSAction.Pool`` and ``DNSAction.Delay``.
  If the Lua code fails, ServFail is returned.

  :param DNSRule: match queries based on this rule
  :param string function: the name of a Lua function
  :param table options: A table with key: value pairs with options.

  Options:

  * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.

  For example::

    function luaaction(dq)
      if(dq.qtype==DNSQType.NAPTR)
      then
        return DNSAction.Pool, "abuse" -- send to abuse pool
      else
        return DNSAction.None, ""      -- no action
        -- return DNSAction.None       -- as of dnsdist version 1.3.0
      end
    end

    addLuaAction(AllRule(), luaaction)
.. function:: addLuaResponseAction(DNSrule, function [, options])

  .. versionchanged:: 1.3.0
    Added the optional parameter ``options``.

  .. versionchanged:: 1.3.0
    The second argument returned by the ``function`` can be omitted. For earlier releases, simply return an empty string.

  .. deprecated:: 1.4.0
    Removed in 1.4.0, use :func:`LuaResponseAction` with :func:`addResponseAction` instead.

  Invoke a Lua function that accepts a :class:`DNSResponse`.
  This function works similarly to using :func:`LuaResponseAction`.
  The ``function`` should return both a :ref:`DNSResponseAction` and its argument ``rule``. The ``rule`` is used as an argument
  of ``DNSResponseAction.Delay``.
  If the Lua code fails, ServFail is returned.

  :param DNSRule: match responses based on this rule
  :param string function: the name of a Lua function
  :param table options: A table with key: value pairs with options.

  Options:

  * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.

.. function:: addNoRecurseRule(DNSrule)

  .. deprecated:: 1.2.0

  Clear the RD flag for all queries matching the rule.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0, please use::

    addAction(DNSRule, NoRecurseAction())

  :param DNSRule: match queries based on this rule

.. function:: addPoolRule(DNSRule, pool)

  .. deprecated:: 1.2.0

  Send queries matching the first argument to the pool ``pool``.
  For example::

    addPoolRule("example.com", "myPool")

  This function has been deprecated as of 1.2.0 and removed in 1.3.0, this is equivalent to::

    addAction("example.com", PoolAction("myPool"))

  :param DNSRule: match queries based on this rule
  :param string pool: The name of the pool to send the queries to

.. function:: addQPSLimit(DNSrule, limit)

  .. deprecated:: 1.2.0

  Limit queries matching the DNSRule to ``limit`` queries per second.
  All queries over the limit are dropped.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0, please use::

    addAction(DNSRule, QPSAction(limit))

  :param DNSRule: match queries based on this rule
  :param int limit: QPS limit for this rule

.. function:: addQPSPoolRule(DNSRule, limit, pool)

  .. deprecated:: 1.2.0

  Send at most ``limit`` queries/s matching the rule to the pool ``pool``, letting the subsequent rules apply otherwise.
  This function has been deprecated as of 1.2.0 and removed in 1.3.0, as it is only a convenience function for the following syntax::

    addAction("192.0.2.0/24", QPSPoolAction(15, "myPool"))

  :param DNSRule: match queries based on this rule
  :param int limit: QPS limit for this rule
  :param string pool: The name of the pool to send the queries to
Active Rules can be shown with :func:`showRules` and removed with :func:`rmRule`::

  > addAction("h4xorbooter.xyz.", QPSAction(10))
  > addAction({"130.161.0.0/16", "145.14.0.0/16"} , QPSAction(20))
  > addAction({"nl.", "be."}, QPSAction(1))
  > showRules()
  #     Matches     Rule                              Action
  0     0           h4xorbooter.xyz.                  qps limit to 10
  1     0           130.161.0.0/16, 145.14.0.0/16     qps limit to 20
  2     0           nl., be.                          qps limit to 1
For Rules related to the incoming query:

.. function:: addAction(DNSrule, action [, options])

  .. versionchanged:: 1.3.0
    Added the optional parameter ``options``.

  Add a Rule and Action to the existing rules.

  :param DNSrule rule: A DNSRule, e.g. an :func:`AllRule` or a compound rule built with e.g. :func:`AndRule`
  :param action: The action to take
  :param table options: A table with key: value pairs with options.

  Options:

  * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.

.. function:: clearRules()

  Remove all current rules.

.. function:: getAction(n) -> Action

  Returns the Action associated with rule ``n``.

  :param int n: The rule number

.. function:: mvRule(from, to)

  Move rule ``from`` to a position where it is in front of ``to``.
  ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.

  :param int from: Rule number to move
  :param int to: Position to move the Rule to

.. function:: newRuleAction(rule, action[, options])

  .. versionchanged:: 1.3.0
    Added the optional parameter ``options``.

  Return a pair of DNS Rule and DNS Action, to be used with :func:`setRules`.

  :param Rule rule: A `Rule <#traffic-matching>`_
  :param Action action: The `Action <#actions>`_ to apply to the matched traffic
  :param table options: A table with key: value pairs with options.

  Options:

  * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.

.. function:: setRules(rules)

  Replace the current rules with the supplied list of pairs of DNS Rules and DNS Actions (see :func:`newRuleAction`).

  :param [RuleAction] rules: A list of RuleActions

.. function:: showRules([options])

  .. versionchanged:: 1.3.0
    ``options`` optional parameter added

  Show all defined rules for queries, optionally displaying their UUIDs.

  :param table options: A table with key: value pairs with display options.

  Options:

  * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
  * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.

.. function:: topRule()

  Move the last rule to the first position.

.. function:: rmRule(id)

  .. versionchanged:: 1.3.0
    ``id`` can now be a UUID.

  Remove rule ``id``.

  :param int id: The UUID of the rule to remove if ``id`` is a UUID, its position otherwise

For Rules related to responses:

.. function:: addResponseAction(DNSRule, action [, options])

  .. versionchanged:: 1.3.0
    Added the optional parameter ``options``.

  Add a Rule and Action for responses to the existing rules.

  :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compound rule built with e.g. :func:`AndRule`
  :param action: The action to take
  :param table options: A table with key: value pairs with options.

  Options:

  * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.

.. function:: mvResponseRule(from, to)

  Move response rule ``from`` to a position where it is in front of ``to``.
  ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.

  :param int from: Rule number to move
  :param int to: Position to move the Rule to

.. function:: rmResponseRule(id)

  .. versionchanged:: 1.3.0
    ``id`` can now be a UUID.

  Remove response rule ``id``.

  :param int id: The UUID of the rule to remove if ``id`` is a UUID, its position otherwise

.. function:: showResponseRules([options])

  .. versionchanged:: 1.3.0
    ``options`` optional parameter added

  Show all defined response rules, optionally displaying their UUIDs.

  :param table options: A table with key: value pairs with display options.

  Options:

  * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
  * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.

.. function:: topResponseRule()

  Move the last response rule to the first position.
Functions for manipulating Cache Hit Response Rules:

.. function:: addCacheHitResponseAction(DNSRule, action [, options])

  .. versionadded:: 1.2.0

  .. versionchanged:: 1.3.0
    Added the optional parameter ``options``.

  Add a Rule and ResponseAction for Cache Hits to the existing rules.

  :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compound rule built with e.g. :func:`AndRule`
  :param action: The action to take
  :param table options: A table with key: value pairs with options.

  Options:

  * ``uuid``: string - UUID to assign to the new rule. By default a random UUID is generated for each rule.

.. function:: mvCacheHitResponseRule(from, to)

  .. versionadded:: 1.2.0

  Move cache hit response rule ``from`` to a position where it is in front of ``to``.
  ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.

  :param int from: Rule number to move
  :param int to: Position to move the Rule to

.. function:: rmCacheHitResponseRule(id)

  .. versionadded:: 1.2.0

  .. versionchanged:: 1.3.0
    ``id`` can now be a UUID.

  Remove cache hit response rule ``id``.

  :param int id: The UUID of the rule to remove if ``id`` is a UUID, its position otherwise

.. function:: showCacheHitResponseRules([options])

  .. versionadded:: 1.2.0

  .. versionchanged:: 1.3.0
    ``options`` optional parameter added

  Show all defined cache hit response rules, optionally displaying their UUIDs.

  :param table options: A table with key: value pairs with display options.

  Options:

  * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
  * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.

.. function:: topCacheHitResponseRule()

  .. versionadded:: 1.2.0

  Move the last cache hit response rule to the first position.

Functions for manipulating Self-Answered Response Rules:

.. function:: addSelfAnsweredResponseAction(DNSRule, action [, options])

  .. versionadded:: 1.3.0

  Add a Rule and Action for Self-Answered queries to the existing rules.

  :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compound rule built with e.g. :func:`AndRule`
  :param action: The action to take

.. function:: mvSelfAnsweredResponseRule(from, to)

  .. versionadded:: 1.3.0

  Move self answered response rule ``from`` to a position where it is in front of ``to``.
  ``to`` can be one larger than the largest rule, in which case the rule will be moved to the last position.

  :param int from: Rule number to move
  :param int to: Position to move the Rule to

.. function:: rmSelfAnsweredResponseRule(id)

  .. versionadded:: 1.3.0

  Remove self answered response rule ``id``.

  :param int id: The UUID of the rule to remove if ``id`` is a UUID, its position otherwise

.. function:: showSelfAnsweredResponseRules([options])

  .. versionadded:: 1.3.0

  Show all defined self answered response rules, optionally displaying their UUIDs.

  :param table options: A table with key: value pairs with display options.

  Options:

  * ``showUUIDs=false``: bool - Whether to display the UUIDs, defaults to false.
  * ``truncateRuleWidth=-1``: int - Truncate rules output to ``truncateRuleWidth`` size. Defaults to ``-1`` to display the full rule.

.. function:: topSelfAnsweredResponseRule()

  .. versionadded:: 1.3.0

  Move the last self answered response rule to the first position.
Matching Packets (Selectors)
----------------------------

Packets can be matched by selectors, called a ``DNSRule``.
These ``DNSRule``\ s can be one of the following items:

* A string that is either a domain name or netmask
* A list of strings that are either domain names or netmasks
* A :class:`DNSName`
* A list of :class:`DNSName`\ s
* A (compounded) ``Rule``

.. versionadded:: 1.2.0
  A DNSRule can also be a :class:`DNSName` or a list of these
.. function:: AllRule()

  Matches all traffic.

.. function:: DNSSECRule()

  Matches queries with the DO flag set.

.. function:: DSTPortRule(port)

  Matches queries received on destination port ``port``.

  :param int port: Match destination port.

.. function:: EDNSOptionRule(optcode)

  .. versionadded:: 1.4.0

  Matches queries or responses with the specified EDNS option present.
  ``optcode`` is specified as an integer, or a constant such as ``EDNSOptionCode.ECS``.

.. function:: EDNSVersionRule(version)

  .. versionadded:: 1.4.0

  Matches queries or responses with an OPT record whose EDNS version is greater than the specified EDNS version.

  :param int version: The EDNS version to match on

.. function:: ERCodeRule(rcode)

  Matches queries or responses with the specified ``rcode``.
  ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
  The full 12-bit extended RCODE is matched: the 4 RCODE bits of the header combined with the 8 EXTENDED-RCODE bits carried in the EDNS OPT RR (RFC 6891). If no EDNS OPT RR is present, the upper 8 bits are treated as 0.

  :param int rcode: The extended RCODE to match on

.. function:: HTTPHeaderRule(name, regex)

  .. versionadded:: 1.4.0

  Matches DNS over HTTPS queries with a HTTP header ``name`` whose content matches the regular expression ``regex``.

  :param str name: The case-insensitive name of the HTTP header to match on
  :param str regex: A regular expression to match the content of the specified header

.. function:: HTTPPathRegexRule(regex)

  .. versionadded:: 1.4.0

  Matches DNS over HTTPS queries with a HTTP path matching the regular expression supplied in ``regex``. For example, if the query has been sent to the https://192.0.2.1:443/PowerDNS?dns=... URL, the path would be '/PowerDNS'.
  Only valid DNS over HTTPS queries are matched. If you want to match all HTTP queries, see :meth:`DOHFrontend.setResponsesMap` instead.

  :param str regex: The regex to match on

.. function:: HTTPPathRule(path)

  .. versionadded:: 1.4.0

  Matches DNS over HTTPS queries with a HTTP path of ``path``. For example, if the query has been sent to the https://192.0.2.1:443/PowerDNS?dns=... URL, the path would be '/PowerDNS'.
  Only valid DNS over HTTPS queries are matched. If you want to match all HTTP queries, see :meth:`DOHFrontend.setResponsesMap` instead.

  :param str path: The exact HTTP path to match on

.. function:: KeyValueStoreLookupRule(kvs, lookupKey)

  .. versionadded:: 1.4.0

  As of 1.4.0, this code is considered experimental.

  Return true if the key returned by ``lookupKey`` exists in the key value store referenced by ``kvs``.
  The store can be a CDB (:func:`newCDBKVStore`) or a LMDB database (:func:`newLMDBKVStore`).
  The key can be based on the qname (:func:`KeyValueLookupKeyQName` and :func:`KeyValueLookupKeySuffix`),
  source IP (:func:`KeyValueLookupKeySourceIP`) or the value of an existing tag (:func:`KeyValueLookupKeyTag`).

  :param KeyValueStore kvs: The key value store to query
  :param KeyValueLookupKey lookupKey: The key to use for the lookup

.. function:: LuaFFIRule(function)

  .. versionadded:: 1.5.0

  Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi.hh``.

  The ``function`` should return true if the query matches, or false otherwise. If the Lua code fails, false is returned.

  :param string function: the name of a Lua function

.. function:: LuaRule(function)

  .. versionadded:: 1.5.0

  Invoke a Lua function that accepts a :class:`DNSQuestion` object.

  The ``function`` should return true if the query matches, or false otherwise. If the Lua code fails, false is returned.

  :param string function: the name of a Lua function

.. function:: MaxQPSIPRule(qps[, v4Mask[, v6Mask[, burst[, expiration[, cleanupDelay[, scanFraction]]]]]])

  .. versionchanged:: 1.3.1
    Added the optional parameters ``expiration``, ``cleanupDelay`` and ``scanFraction``.

  Matches traffic from a source prefix, aggregated by ``v4Mask`` or ``v6Mask``, that exceeds ``qps`` queries per second, with bursts of up to ``burst`` queries tolerated.
  This rule keeps track of QPS by netmask or source IP. This state is cleaned up regularly if ``cleanupDelay`` is greater than zero,
  removing existing netmasks or IP addresses that have not been seen in the last ``expiration`` seconds.

  :param int qps: The number of queries per second allowed, above this number traffic is matched
  :param int v4Mask: The IPv4 netmask to aggregate on. Default is 32 (the whole address)
  :param int v6Mask: The IPv6 netmask to aggregate on. Default is 64
  :param int burst: The number of queries that may be sent in a burst before the rule matches. Default is the same as ``qps``
  :param int expiration: How long to keep netmasks or IP addresses after they have last been seen, in seconds. Default is 300
  :param int cleanupDelay: The number of seconds between two cleanups. Default is 60
  :param int scanFraction: The maximum fraction of the store to scan for expired entries during one cleanup, expressed as ``1/scanFraction``: for example 5 would scan at most 20% of it. Default is 10, so at most 10%

.. function:: MaxQPSRule(qps)

  Matches traffic **not** exceeding this qps limit. If e.g. this is set to 50, starting at the 51st query of the current second traffic stops being matched.
  This can be used to enforce a global QPS limit, by inverting it with :func:`NotRule`.

  :param int qps: The number of queries per second allowed, above this number the traffic is **not** matched anymore
.. function:: NetmaskGroupRule(nmg[, src[, quiet]])

  .. versionchanged:: 1.4.0
    ``quiet`` parameter added

  Matches traffic from/to the network range specified in ``nmg``.

  Set the ``src`` parameter to false to match ``nmg`` against the destination address instead of the source address.
  This can be used to differentiate between clients.

  :param NetMaskGroup nmg: The NetMaskGroup to match on
  :param bool src: Whether to match source or destination address of the packet. Defaults to true (matches source)
  :param bool quiet: Do not display the list of matched netmasks in Rules. Default is false.

.. function:: OpcodeRule(code)

  Matches queries with opcode ``code``.
  ``code`` can be directly specified as an integer, or one of the :ref:`built-in DNSOpcodes <DNSOpcode>`.

  :param int code: The opcode to match

.. function:: ProbaRule(probability)

  .. versionadded:: 1.3.0

  Matches queries with a given probability. 1.0 means "always".

  :param double probability: Probability of a match

.. function:: QClassRule(qclass)

  Matches queries with the specified ``qclass``.
  ``qclass`` can be specified as an integer or as one of the built-in :ref:`DNSClass`.

  :param int qclass: The Query Class to match on

.. function:: QNameRule(qname)

  .. versionadded:: 1.2.0

  Matches queries with the specified qname exactly.

  :param string qname: Qname to match

.. function:: QNameSetRule(set)

  .. versionadded:: 1.4.0

  Matches if the set contains the exact qname.

  To match subdomain names, see :func:`SuffixMatchNodeRule`.

  :param DNSNameSet set: Set with qnames.

.. function:: QNameLabelsCountRule(min, max)

  Matches if the qname has fewer than ``min`` or more than ``max`` labels, i.e. names whose label count falls outside the range.

  :param int min: Minimum number of labels
  :param int max: Maximum number of labels

.. function:: QNameWireLengthRule(min, max)

  Matches if the qname's length on the wire is less than ``min`` or more than ``max`` bytes, i.e. names whose wire length falls outside the range.

  :param int min: Minimum number of bytes
  :param int max: Maximum number of bytes

.. function:: QTypeRule(qtype)

  Matches queries with the specified ``qtype``.
  ``qtype`` may be specified as an integer or as one of the built-in QTypes.
  For instance ``DNSQType.A``, ``DNSQType.TXT`` and ``DNSQType.ANY``.

  :param int qtype: The QType to match on

.. function:: RCodeRule(rcode)

  Matches queries or responses with the specified ``rcode``.
  ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
  Only the non-extended RCODE from the header is matched (the lower 4 bits); use :func:`ERCodeRule` to match on the extended RCODE.

  :param int rcode: The RCODE to match on
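The difference between :func:`RCodeRule` and :func:`ERCodeRule` above is easiest to see on the wire. The following Python is an added example for this page, not dnsdist's own code: it builds a constructed DNS response with an OPT pseudo-RR whose EXTENDED-RCODE field is set, extracts the 12-bit extended RCODE as RFC 6891 defines it, and applies both selector semantics. The function names, the message ID and the payload size are assumptions of the example.

```python
import struct

# RCODE values used below; BADVERS (16) is header RCODE 0 with EXTENDED-RCODE 1.
NOERROR, NXDOMAIN, BADVERS = 0, 3, 16
OPT_TYPE = 41


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name (length-prefixed labels, root byte)."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(qname: str, header_rcode: int, ext_rcode=None, udp_size=1232) -> bytes:
    """Constructed response: header, one question, and an OPT RR when ext_rcode is given."""
    flags = 0x8000 | (header_rcode & 0xF)          # QR=1, RCODE in the low 4 bits
    arcount = 0 if ext_rcode is None else 1
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if ext_rcode is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = EXTENDED-RCODE (8 bits) | VERSION (8) | DO + Z (16), RDLENGTH 0
        ttl = (ext_rcode & 0xFF) << 24
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def extended_rcode(msg: bytes) -> int:
    """12-bit extended RCODE: header bits, plus OPT EXTENDED-RCODE << 4 when an OPT RR exists."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            rcode |= ((ttl >> 24) & 0xFF) << 4
    return rcode


def rcode_rule(msg: bytes, want: int) -> bool:
    """RCodeRule semantics: only the 4 header bits are compared."""
    return (extended_rcode(msg) & 0xF) == want


def ercode_rule(msg: bytes, want: int) -> bool:
    """ERCodeRule semantics: the whole extended value, upper bits 0 without OPT."""
    return extended_rcode(msg) == want


if __name__ == "__main__":
    badvers = build_response("www.example.", NOERROR, ext_rcode=1)
    print("header RCODE looks like NOERROR:", rcode_rule(badvers, NOERROR))
    print("extended RCODE is BADVERS:", ercode_rule(badvers, BADVERS))
```

The practical consequence: a rule such as ``RCodeRule(DNSRCode.NOERROR)`` also matches BADVERS and other extended codes, because their low 4 bits are zero, so a policy that keys on extended codes must use :func:`ERCodeRule`.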
.. function:: RDRule()

  .. versionadded:: 1.2.0

  Matches queries with the RD flag set.

.. function:: RegexRule(regex)

  Matches the query name against the ``regex``.

  For example::

    addAction(RegexRule("[0-9]{5,}"), DelayAction(750)) -- milliseconds
    addAction(RegexRule("[0-9]{4,}\\.example$"), DropAction())

  This delays any query for a domain name with 5 or more consecutive digits in it.
  The second rule drops anything with 4 or more consecutive digits directly followed by ``.example`` at the end of the name.

  Note that the query name is presented without a trailing dot to the regex.
  The regex is applied case insensitively.

  :param string regex: A regular expression to match the traffic on
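The two :func:`RegexRule` patterns above (also shown in the QPS section earlier on this page) and the range semantics of :func:`QNameLabelsCountRule` and :func:`QNameWireLengthRule` are modelled by the following Python, an added example for this page rather than dnsdist's own code. It applies the documented normalisation (trailing dot removed, case-insensitive match) and the documented "fewer than min or more than max" rule, which matches names *outside* the range; the helper names and the sample names are constructed assumptions.

```python
import re


def normalize_qname(qname: str) -> str:
    """Present the name the way the regex sees it: without the trailing dot."""
    if qname.endswith(".") and len(qname) > 1:
        return qname[:-1]
    return qname


class RegexRule:
    """Case-insensitive search over the normalised qname."""

    def __init__(self, pattern: str):
        self.re = re.compile(pattern, re.IGNORECASE)

    def matches(self, qname: str) -> bool:
        return self.re.search(normalize_qname(qname)) is not None


def label_count(qname: str) -> int:
    name = normalize_qname(qname)
    return 0 if name in ("", ".") else name.count(".") + 1


def wire_length(qname: str) -> int:
    """Uncompressed wire size: one length byte per label, the label bytes, and the root byte."""
    name = normalize_qname(qname)
    labels = [] if name in ("", ".") else name.split(".")
    return sum(1 + len(label) for label in labels) + 1


def labels_count_rule(qname: str, min_labels: int, max_labels: int) -> bool:
    """QNameLabelsCountRule: matches names with fewer than min or more than max labels."""
    n = label_count(qname)
    return n < min_labels or n > max_labels


def wire_length_rule(qname: str, min_bytes: int, max_bytes: int) -> bool:
    """QNameWireLengthRule: matches names shorter than min or longer than max bytes on the wire."""
    n = wire_length(qname)
    return n < min_bytes or n > max_bytes


# The two rules from the text.
DELAY_RULE = RegexRule(r"[0-9]{5,}")
DROP_RULE = RegexRule(r"[0-9]{4,}\.example$")


if __name__ == "__main__":
    for name in ("host12345.example.", "1234.EXAMPLE.", "12345.sub.example.", "1234.example.com."):
        print(f"{name:24} delay={DELAY_RULE.matches(name)!s:5} drop={DROP_RULE.matches(name)}")
    print("www.example.com. labels:", label_count("www.example.com."),
          "wire bytes:", wire_length("www.example.com."))
```

Two details worth noticing: ``$`` anchors at the end of the normalised name, so ``1234.example.com`` is not dropped, and the digit run has to sit directly before ``.example``, so ``12345.sub.example`` passes the drop rule (though it is still delayed by the first one).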
.. function:: RecordsCountRule(section, minCount, maxCount)

  Matches if there are at least ``minCount`` and at most ``maxCount`` records in the section ``section``.
  ``section`` can be specified as an integer or as a :ref:`DNSSection`.

  :param int section: The section to match on
  :param int minCount: The minimum number of entries
  :param int maxCount: The maximum number of entries

.. function:: RecordsTypeCountRule(section, qtype, minCount, maxCount)

  Matches if there are at least ``minCount`` and at most ``maxCount`` records of type ``qtype`` in the section ``section``.
  ``section`` can be specified as an integer or as a :ref:`DNSSection`.
  ``qtype`` may be specified as an integer or as one of the :ref:`built-in QTypes <DNSQType>`, for instance ``DNSQType.A`` or ``DNSQType.TXT``.

  :param int section: The section to match on
  :param int qtype: The QTYPE to match on
  :param int minCount: The minimum number of entries
  :param int maxCount: The maximum number of entries

.. function:: RE2Rule(regex)

  Matches the query name against the supplied regex using the RE2 engine.

  For an example of usage, see :func:`RegexRule`.

  :note: Only available when dnsdist was built with libre2 support.

  :param str regex: The regular expression to match the QNAME.

.. function:: SNIRule(name)

  .. versionadded:: 1.4.0

  Matches against the TLS Server Name Indication value sent by the client, if any. Only makes
  sense for DoT or DoH, and for the latter, matching on the HTTP Host header using :func:`HTTPHeaderRule`
  might provide more consistent results.
  As of version 2.3.0-beta of h2o, it is unfortunately not possible to extract the SNI value from DoH
  connections, and it is therefore necessary to use the HTTP Host header until version 2.3.0 is released.

  :param str name: The exact SNI name to match.

.. function:: SuffixMatchNodeRule(smn[, quiet])

  Matches based on a group of domain suffixes for rapid testing of membership.
  Pass true as the second parameter to prevent listing of all domains matched.

  To match domain names exactly, see :func:`QNameSetRule`.

  :param SuffixMatchNode smn: The SuffixMatchNode to match on
  :param bool quiet: Do not display the list of matched domains in Rules. Default is false.
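The "rapid testing of membership" that :func:`SuffixMatchNodeRule` (and the plain string or list forms of a ``DNSRule``) rely on comes from storing the suffixes as a tree keyed by label, walked from the TLD inwards. The Python below is an added example for this page, not dnsdist's own SuffixMatchNode implementation: it shows the lookup cost (one dictionary hop per label, independent of how many suffixes are loaded) and the two boundary cases a blocklist must get right, namely that ``example`` must not match ``notexample`` and that a name is a suffix of itself. Method names and the sample names are constructed assumptions.

```python
def labels(name: str):
    """Labels in lookup order (TLD first), lower-cased, trailing dot ignored."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


class SuffixMatchNode:
    """Reversed-label tree: children keyed by label, `terminal` marks a configured suffix."""

    def __init__(self):
        self.children = {}
        self.terminal = False

    def add(self, suffix: str) -> None:
        node = self
        for label in labels(suffix):
            node = node.children.setdefault(label, SuffixMatchNode())
        node.terminal = True

    def check(self, qname: str) -> bool:
        """True if any configured suffix is a label-boundary suffix of qname (or equals it)."""
        node = self
        if node.terminal:              # the root "." was added: everything matches
            return True
        for label in labels(qname):
            node = node.children.get(label)
            if node is None:
                return False
            if node.terminal:
                return True
        return False

    def longest_match(self, qname: str):
        """The most specific configured suffix covering qname, or None."""
        node, walked, best = self, [], None
        if node.terminal:
            best = "."
        for label in labels(qname):
            node = node.children.get(label)
            if node is None:
                break
            walked.append(label)
            if node.terminal:
                best = ".".join(reversed(walked)) + "."
        return best


if __name__ == "__main__":
    smn = SuffixMatchNode()
    for suffix in ("example.", "sub.example.com"):
        smn.add(suffix)
    for name in ("www.example.", "notexample.", "a.sub.example.com.", "example.com."):
        print(f"{name:22} match={smn.check(name)!s:5} via={smn.longest_match(name)}")
```

Because matching walks label by label, a suffix list of a million entries costs the same per query as one of ten; the price is paid at load time, which is why dnsdist lets you pass ``quiet`` to keep the rule listing short rather than shrinking the structure.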
.. function:: TagRule(name [, value])

  .. versionadded:: 1.3.0

  Matches question or answer with a tag named ``name`` set. If ``value`` is specified, the existing tag value should match too.

  :param string name: The name of the tag that has to be set
  :param string value: If set, the value the tag has to be set to. Default is unset

.. function:: TCPRule([tcp])

  Matches questions received over TCP if ``tcp`` is true, over UDP otherwise.

  :param bool tcp: Match TCP traffic. Default is true.

.. function:: TrailingDataRule()

  Matches if the query has trailing data.

.. function:: PoolAvailableRule(poolname)

  .. versionadded:: 1.3.3

  Check whether a pool has any servers available to handle queries.

  For example::

    -- Send queries to the default pool when servers are available
    addAction(PoolAvailableRule(""), PoolAction(""))
    -- Send queries to the fallback pool if not
    addAction(AllRule(), PoolAction("fallback"))

  :param string poolname: Pool to check

.. function:: AndRule(selectors)

  Matches traffic if all ``selectors`` match.

  :param {Rule} selectors: A table of Rules

.. function:: NotRule(selector)

  Matches the traffic if the ``selector`` rule does not match.

  :param Rule selector: A Rule

.. function:: OrRule(selectors)

  Matches the traffic if one or more of the ``selectors`` Rules match.

  :param {Rule} selectors: A table of Rules

Convenience Functions
~~~~~~~~~~~~~~~~~~~~~

.. function:: makeRule(rule)

  Make a :func:`NetmaskGroupRule` or a :func:`SuffixMatchNodeRule`, depending on the argument it is called with.
  ``makeRule("0.0.0.0/0")`` will for example match all IPv4 traffic, ``makeRule({"be","nl","lu"})`` will match all Benelux DNS traffic.

  :param string rule: A string (or list of strings) to convert to a rule.
:ref:`RulesIntro` need to be combined with an action for them to actually do something with the matched packets.
Some actions allow further processing of rules, this is noted in their description.
The following actions exist.

.. function:: AllowAction()

  Let these packets go through.

.. function:: AllowResponseAction()

  Let these packets go through.

.. function:: ContinueAction(action)

  .. versionadded:: 1.4.0

  Execute the specified action and override its return with None, making it possible to continue the processing.
  Subsequent rules are processed after this action.

  :param Action action: Any other action
.. function:: DelayAction(milliseconds)

  Delay the response by the specified amount of milliseconds (UDP-only).
  Subsequent rules are processed after this action.

  :param int milliseconds: The amount of milliseconds to delay the response

.. function:: DelayResponseAction(milliseconds)

  Delay the response by the specified amount of milliseconds (UDP-only).
  Subsequent rules are processed after this action.

  :param int milliseconds: The amount of milliseconds to delay the response

.. function:: DisableECSAction()

  Disable the sending of ECS to the backend.
  Subsequent rules are processed after this action.

.. function:: DisableValidationAction()

  Set the CD bit in the query and let it go through.

.. function:: DnstapLogAction(identity, logger[, alterFunction])

  .. versionadded:: 1.3.0

  Send the current query to a remote logger as a :doc:`dnstap <reference/dnstap>` message.
  ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DnstapMessage`, that can be used to modify the message.
  Subsequent rules are processed after this action.

  :param string identity: Server identity to store in the dnstap message
  :param logger: The :func:`FrameStreamLogger <newFrameStreamUnixLogger>` or :func:`RemoteLogger <newRemoteLogger>` object to write to
  :param alterFunction: A Lua function to alter the message before sending

.. function:: DnstapLogResponseAction(identity, logger[, alterFunction])

  .. versionadded:: 1.3.0

  Send the current response to a remote logger as a :doc:`dnstap <reference/dnstap>` message.
  ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DnstapMessage`, that can be used to modify the message.
  Subsequent rules are processed after this action.

  :param string identity: Server identity to store in the dnstap message
  :param logger: The :func:`FrameStreamLogger <newFrameStreamUnixLogger>` or :func:`RemoteLogger <newRemoteLogger>` object to write to
  :param alterFunction: A Lua function to alter the message before sending

.. function:: DropAction()

  Drop the packet.

.. function:: DropResponseAction()

  Drop the packet.

.. function:: ECSOverrideAction(override)

  Whether an existing EDNS Client Subnet value should be overridden (true) or not (false).
  Subsequent rules are processed after this action.

  :param bool override: Whether or not to override the ECS value

.. function:: ECSPrefixLengthAction(v4, v6)

  Set the ECS prefix length.
  Subsequent rules are processed after this action.

  :param int v4: The IPv4 netmask length
  :param int v6: The IPv6 netmask length

.. function:: ERCodeAction(rcode [, options])

  .. versionadded:: 1.4.0

  .. versionchanged:: 1.5.0
    Added the optional parameter ``options``.

  Reply immediately by turning the query into a response with the specified EDNS extended ``rcode``.
  ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.

  :param int rcode: The extended RCODE to respond with.
  :param table options: A table with key: value pairs with options.

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.

.. function:: HTTPStatusAction(status, body, contentType="" [, options])

  .. versionadded:: 1.4.0

  .. versionchanged:: 1.5.0
    Added the optional parameter ``options``.

  Return an HTTP response with a status code of ``status``. For HTTP redirects, ``body`` should be the redirect URL.

  :param int status: The HTTP status code to return.
  :param string body: The body of the HTTP response, or a URL if the status code is a redirect (3xx).
  :param string contentType: The HTTP Content-Type header to return for a 200 response, ignored otherwise. Default is ``application/dns-message``.
  :param table options: A table with key: value pairs with options.

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.

.. function:: KeyValueStoreLookupAction(kvs, lookupKey, destinationTag)

  .. versionadded:: 1.4.0

  As of 1.4.0, this code is considered experimental.

  Does a lookup into the key value store referenced by ``kvs`` using the key returned by ``lookupKey``,
  and stores the result, if any, in the tag named ``destinationTag``.
  The store can be a CDB (:func:`newCDBKVStore`) or a LMDB database (:func:`newLMDBKVStore`).
  The key can be based on the qname (:func:`KeyValueLookupKeyQName` and :func:`KeyValueLookupKeySuffix`),
  source IP (:func:`KeyValueLookupKeySourceIP`) or the value of an existing tag (:func:`KeyValueLookupKeyTag`).

  :param KeyValueStore kvs: The key value store to query
  :param KeyValueLookupKey lookupKey: The key to use for the lookup
  :param string destinationTag: The name of the tag to store the result into

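
As an added example (not from the dnsdist documentation), the following configuration looks each qname up in a CDB policy file and dispatches on the stored value through the tag. The file path, the tag name ``policy``, the values ``drop`` and ``sinkhole``, and the backend for the ``sinkhole`` pool are assumed; :func:`TagRule` comes from the rules section, not from this reference entry.

```lua
-- Added example: CDB-backed domain policy via KeyValueStoreLookupAction.
-- Assumed: /etc/dnsdist/policy.cdb maps names to "drop" or "sinkhole",
-- the tag name "policy", and a backend serving the "sinkhole" pool.

newServer({address="192.0.2.99", pool="sinkhole"})

-- The file is re-opened every 600 seconds, so an external job can
-- rebuild the policy without restarting dnsdist.
policyStore = newCDBKVStore("/etc/dnsdist/policy.cdb", 600)

-- KeyValueLookupKeySuffix() tries the full qname and then each parent
-- name, so one entry for a zone covers every name under it. The keys in
-- the file must use the encoding the lookup key produces (DNS wire format
-- unless configured otherwise; check its reference entry for your
-- version). Only a hit writes the "policy" tag.
addAction(AllRule(), KeyValueStoreLookupAction(policyStore, KeyValueLookupKeySuffix(), "policy"))

-- The lookup only sets a tag, so the rules after it still run and can
-- act on the value it stored.
addAction(TagRule("policy", "drop"), DropAction())
addAction(TagRule("policy", "sinkhole"), PoolAction("sinkhole"))
```

Because the lookup happens on every query, keep the store small and local; the CDB format is read-only and memory-mapped, which is what makes it cheap enough for this position in the rule chain.
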
.. function:: LogAction([filename[, binary[, append[, buffered[, verboseOnly[, includeTimestamp]]]]]])

  .. versionchanged:: 1.4.0
    Added the optional parameters ``verboseOnly`` and ``includeTimestamp``, made ``filename`` optional.

  Log a line for each query, to the specified ``filename`` if any, or to the console (requires verbose mode) if an empty string is given as the filename.

  If an empty string is supplied as the filename, the logging is done to stdout, and only in verbose mode by default. This can be changed by setting ``verboseOnly`` to false.

  When logging to a file, the ``binary`` optional parameter specifies whether we log in binary form (default) or in textual form. Before 1.4.0 the binary log format only included the qname and qtype. Since 1.4.0 it includes an optional timestamp, the query ID, qname, qtype, remote address and port.

  The ``append`` optional parameter specifies whether we open the file for appending or truncate it each time (default).
  The ``buffered`` optional parameter specifies whether writes to the file are buffered (default) or not.

  Subsequent rules are processed after this action.

  :param string filename: File to log to. Set to an empty string to log to the normal stdout log; this only works when ``-v`` is set on the command line.
  :param bool binary: Do binary logging. Default true
  :param bool append: Append to the log. Default false
  :param bool buffered: Use buffered I/O. Default true
  :param bool verboseOnly: Whether to log only in verbose mode when logging to stdout. Default is true
  :param bool includeTimestamp: Whether to include a timestamp for every entry. Default is false

.. function:: LogResponseAction([filename[, append[, buffered[, verboseOnly[, includeTimestamp]]]]])

  .. versionadded:: 1.5.0

  Log a line for each response, to the specified ``filename`` if any, or to the console (requires verbose mode) if an empty string is given as the filename.

  If an empty string is supplied as the filename, the logging is done to stdout, and only in verbose mode by default. This can be changed by setting ``verboseOnly`` to false.

  The ``append`` optional parameter specifies whether we open the file for appending or truncate it each time (default).
  The ``buffered`` optional parameter specifies whether writes to the file are buffered (default) or not.

  Subsequent rules are processed after this action.

  :param string filename: File to log to. Set to an empty string to log to the normal stdout log; this only works when ``-v`` is set on the command line.
  :param bool append: Append to the log. Default false
  :param bool buffered: Use buffered I/O. Default true
  :param bool verboseOnly: Whether to log only in verbose mode when logging to stdout. Default is true
  :param bool includeTimestamp: Whether to include a timestamp for every entry. Default is false

.. function:: LuaAction(function)

  Invoke a Lua function that accepts a :class:`DNSQuestion`.

  The ``function`` should return a :ref:`DNSAction`. If the Lua code fails, ServFail is returned.

  :param string function: the name of a Lua function

.. function:: LuaFFIAction(function)

  .. versionadded:: 1.5.0

  Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi.hh``.

  The ``function`` should return a :ref:`DNSAction`. If the Lua code fails, ServFail is returned.

  :param string function: the name of a Lua function

.. function:: LuaFFIResponseAction(function)

  .. versionadded:: 1.5.0

  Invoke a Lua FFI function that accepts a pointer to a ``dnsdist_ffi_dnsquestion_t`` object, whose bindings are defined in ``dnsdist-lua-ffi.hh``.

  The ``function`` should return a :ref:`DNSResponseAction`. If the Lua code fails, ServFail is returned.

  :param string function: the name of a Lua function

.. function:: LuaResponseAction(function)

  Invoke a Lua function that accepts a :class:`DNSResponse`.

  The ``function`` should return a :ref:`DNSResponseAction`. If the Lua code fails, ServFail is returned.

  :param string function: the name of a Lua function

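
The two functions below are an added example, not from the dnsdist documentation, of the contract :func:`LuaAction` and :func:`LuaResponseAction` expect: the query-side function receives a :class:`DNSQuestion` and returns a :ref:`DNSAction` plus the extra string some actions need (the pool name for ``Pool``), the response-side function receives a :class:`DNSResponse` and returns a :ref:`DNSResponseAction` (the delay in milliseconds for ``Delay``). The pool name, the label threshold and the delay are assumed values.

```lua
-- Added example: custom query and response policies written in Lua.
-- Assumed values: the "abuse" pool, the label-count threshold of 10 and
-- the 250 ms delay.

-- Query side. Deeply nested names over UDP are a common DNS tunnelling
-- pattern; steer them to a dedicated pool rather than dropping outright,
-- so a false positive degrades service instead of breaking it.
function inspectQuery(dq)
  if dq.qname:countLabels() > 10 and not dq.tcp then
    return DNSAction.Pool, "abuse"       -- second value: the pool name
  end
  -- No decision here: let the next rule look at the query.
  return DNSAction.None, ""
end
addAction(AllRule(), LuaAction(inspectQuery))

-- Response side. Spreading out NXDOMAIN answers over UDP blunts
-- brute-force name enumeration without affecting clients that ask for
-- names that exist.
function slowNegativeAnswers(dr)
  if dr.rcode == DNSRCode.NXDOMAIN and not dr.tcp then
    return DNSResponseAction.Delay, "250"  -- second value: milliseconds
  end
  return DNSResponseAction.None, ""
end
addResponseAction(AllRule(), LuaResponseAction(slowNegativeAnswers))
```

Keep these functions free of I/O and of anything that can raise an error: a Lua error does not skip the rule, it turns the whole query into a ServFail, as the reference entries state, so a bug in the policy becomes an outage for every client matching the rule.
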
.. function:: MacAddrAction(option)

  Add the source MAC address to the query as EDNS0 option ``option``.
  This action is currently only supported on Linux.
  Subsequent rules are processed after this action.

  :param int option: The EDNS0 option number

.. function:: NoneAction()

  Does nothing.
  Subsequent rules are processed after this action.

.. function:: NoRecurseAction()

  Strip the RD bit from the question and let it go through.
  Subsequent rules are processed after this action.

.. function:: PoolAction(poolname)

  Send the packet into the specified pool.

  :param string poolname: The name of the pool

.. function:: QPSAction(maxqps)

  Drop the packet if it exceeds the ``maxqps`` queries per second limit;
  otherwise let the subsequent rules apply.

  :param int maxqps: The QPS limit

.. function:: QPSPoolAction(maxqps, poolname)

  Send the packet into the specified pool only if it does not exceed the ``maxqps`` queries per second limit;
  otherwise let the subsequent rules apply.

  :param int maxqps: The QPS limit for that pool
  :param string poolname: The name of the pool

.. function:: RCodeAction(rcode [, options])

  .. versionchanged:: 1.5.0
    Added the optional parameter ``options``.

  Reply immediately by turning the query into a response with the specified ``rcode``.
  ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.

  :param int rcode: The RCODE to respond with.
  :param table options: A table with key: value pairs with options.

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.

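
The following is an added example, not from the dnsdist documentation, of answering locally with :func:`RCodeAction` and :func:`ERCodeAction`, including the ``options`` table. The zone name is assumed, and :func:`EDNSVersionRule` and :func:`TCPRule` are taken from the rules section of dnsdist 1.4.0 rather than from the entries above.

```lua
-- Added example: local answers with a plain or an extended RCODE.
-- Assumed: the "corp.example" zone name.

-- ANY over UDP is a classic amplification vector: answer NOTIMP from
-- dnsdist itself instead of fetching a large answer from a backend.
-- ra=false advertises that recursion is not available, instead of the
-- default of copying the client's RD bit into RA.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}),
          RCodeAction(DNSRCode.NOTIMP, { ra=false }))

-- REFUSED for a zone this deployment does not serve. AA stays cleared
-- (the default), so the reply is never mistaken for authoritative data.
addAction(makeRule({"corp.example"}), RCodeAction(DNSRCode.REFUSED))

-- Extended RCODEs do not fit in the 4-bit header field; ERCodeAction
-- emits the EDNS OPT record carrying the upper bits. 16 is BADVERS
-- (RFC 6891), the required answer to an unsupported EDNS version; the
-- rcode is given as an integer here, as the reference entry allows.
addAction(EDNSVersionRule(0), ERCodeAction(16))
```

Both actions terminate processing, so place them after any logging or tagging rule whose output you still want for these queries.
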
.. function:: RemoteLogAction(remoteLogger[, alterFunction [, options]])

  .. versionchanged:: 1.3.0
    ``options`` optional parameter added.

  .. versionchanged:: 1.4.0
    ``ipEncryptKey`` optional key added to the options table.

  Send the content of this query to a remote logger via Protocol Buffer.
  ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes.
  Subsequent rules are processed after this action.

  :param string remoteLogger: The :func:`remoteLogger <newRemoteLogger>` object to write to
  :param string alterFunction: Name of a function to modify the contents of the logs before sending
  :param table options: A table with key: value pairs.

  Options:

  * ``serverID=""``: str - Set the Server Identity field.
  * ``ipEncryptKey=""``: str - A key, that can be generated via the :func:`makeIPCipherKey` function, to encrypt the IP address of the requestor for anonymization purposes. The encryption is done using ipcrypt for IPv4 and a 128-bit AES ECB operation for IPv6.

.. function:: RemoteLogResponseAction(remoteLogger[, alterFunction[, includeCNAME [, options]]])

  .. versionchanged:: 1.3.0
    ``options`` optional parameter added.

  .. versionchanged:: 1.4.0
    ``ipEncryptKey`` optional key added to the options table.

  Send the content of this response to a remote logger via Protocol Buffer.
  ``alterFunction`` is the same kind of callback, receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes.
  ``includeCNAME`` indicates whether CNAME records inside the response should be parsed and exported.
  The default is to only export A and AAAA records.
  Subsequent rules are processed after this action.

  :param string remoteLogger: The :func:`remoteLogger <newRemoteLogger>` object to write to
  :param string alterFunction: Name of a function to modify the contents of the logs before sending
  :param bool includeCNAME: Whether or not to parse and export CNAMEs. Default false
  :param table options: A table with key: value pairs.

  Options:

  * ``serverID=""``: str - Set the Server Identity field.
  * ``ipEncryptKey=""``: str - A key, that can be generated via the :func:`makeIPCipherKey` function, to encrypt the IP address of the requestor for anonymization purposes. The encryption is done using ipcrypt for IPv4 and a 128-bit AES ECB operation for IPv6.

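
As an added example (not from the dnsdist documentation), the configuration below exports queries and responses with :func:`RemoteLogAction` and :func:`RemoteLogResponseAction` while pseudonymising the client address with ``ipEncryptKey``. The collector address, the server identity, the passphrase and the tag format are assumed values.

```lua
-- Added example: Protocol Buffer export with pseudonymised client
-- addresses. Assumed: the collector at 192.0.2.10:4242, the server ID
-- "dnsdist-edge-1" and the placeholder passphrase, which in a real
-- deployment is read from a root-only file rather than written here.

collector = newRemoteLogger("192.0.2.10:4242")

-- makeIPCipherKey derives the 16-byte key that ipEncryptKey expects. With
-- the same key the analysis side can reverse the mapping when an
-- investigation requires it; without it the exported addresses are still
-- consistent pseudonyms, which is enough for per-client counting.
local ipKey = makeIPCipherKey("change-me-placeholder-passphrase")
local exportOptions = { serverID="dnsdist-edge-1", ipEncryptKey=ipKey }

-- alterFunction can annotate each message before it is sent; here the
-- listen address is recorded so that several dnsdist instances can share
-- one collector and still be told apart.
function markOrigin(dq, msg)
  msg:setTag("frontend=" .. dq.localaddr:toString())
end

addAction(AllRule(), RemoteLogAction(collector, markOrigin, exportOptions))
-- Responses: also export CNAME records (the default is only A and AAAA),
-- since a CNAME chain is often what identifies a sinkholed or fast-flux name.
addResponseAction(AllRule(), RemoteLogResponseAction(collector, nil, true, exportOptions))
```

Use the same ``exportOptions`` table for both actions: if the query and response streams were pseudonymised with different keys, the collector could no longer pair a response with its query by client address.
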
.. function:: SetECSAction(v4 [, v6])

  .. versionadded:: 1.3.1

  Set the ECS prefix and prefix length sent to backends to an arbitrary value.
  If both IPv4 and IPv6 masks are supplied the IPv4 one will be used for IPv4 clients
  and the IPv6 one for IPv6 clients. Otherwise the first mask is used for both, and
  can actually be an IPv6 mask.
  Subsequent rules are processed after this action.

  :param string v4: The IPv4 netmask, for example "192.0.2.1/32"
  :param string v6: The IPv6 netmask, if any

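
The following configuration is an added example, not from the dnsdist documentation, that brings together the ECS actions of this reference (:func:`ECSPrefixLengthAction`, :func:`SetECSAction`, :func:`DisableECSAction` and :func:`ECSOverrideAction`) to limit what client address information reaches the backends. The backend address, the client range, the zone name and the prefix lengths are assumed values.

```lua
-- Added example: controlling the EDNS Client Subnet data sent upstream.
-- Assumed: the backend address, the 10.0.0.0/8 client range, the
-- "internal.example" zone and the /24 and /56 prefix lengths.

-- ECS is only sent to backends configured with useClientSubnet.
newServer({address="192.0.2.53", useClientSubnet=true})

-- Truncate the client address before it leaves dnsdist: /24 for IPv4 and
-- /56 for IPv6 reveal far less than a full address while still giving
-- the backend a usable locality hint.
addAction(AllRule(), ECSPrefixLengthAction(24, 56))

-- Clients behind the corporate NAT carry no useful locality; replace
-- their ECS with a fixed prefix. With a single argument the same mask is
-- used for both IPv4 and IPv6 clients.
addAction(makeRule("10.0.0.0/8"), SetECSAction("192.0.2.0/24"))

-- Send no ECS at all for names the backend answers uniformly anyway.
addAction(makeRule({"internal.example"}), DisableECSAction())

-- An ECS option supplied by the client is kept by default; override it
-- with dnsdist's own value so that clients cannot push arbitrary subnets
-- toward the backend.
addAction(AllRule(), ECSOverrideAction(true))
```

All four actions let subsequent rules run, so their order relative to each other only matters where two of them touch the same query; here the NAT range is first narrowed by the global prefix-length rule and then replaced outright.
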
.. function:: SetNegativeAndSOAAction(nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options])

  .. versionadded:: 1.5.0

  Turn a question into a response, either a NXDOMAIN or a NODATA one based on ``nxd``, setting the QR bit to 1 and adding a SOA record in the additional section.

  :param bool nxd: Whether the answer is a NXDOMAIN (true) or a NODATA (false)
  :param string zone: The owner name for the SOA record
  :param int ttl: The TTL of the SOA record
  :param string mname: The mname of the SOA record
  :param string rname: The rname of the SOA record
  :param int serial: The value of the serial field in the SOA record
  :param int refresh: The value of the refresh field in the SOA record
  :param int retry: The value of the retry field in the SOA record
  :param int expire: The value of the expire field in the SOA record
  :param int minimum: The value of the minimum field in the SOA record
  :param table options: A table with key: value pairs with options

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.

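
The following is an added example, not from the dnsdist documentation, of using :func:`SetNegativeAndSOAAction` to answer for blocked or restricted zones locally with a cacheable negative answer instead of a bare RCODE. The zone names and every SOA field value are assumed.

```lua
-- Added example: synthesised NXDOMAIN and NODATA answers with a SOA.
-- Assumed: the zone names and all SOA field values below.

-- One set of SOA parameters for every synthesised negative answer. A small
-- "minimum" keeps negative caching short, so unblocking a name takes
-- effect quickly on downstream resolvers.
local soa = {
  ttl=60, mname="ns.blocklist.example.", rname="hostmaster.blocklist.example.",
  serial=2020010101, refresh=3600, retry=900, expire=604800, minimum=60,
}

-- Helper of this example: build the action for a given zone. aa=true marks
-- the answer authoritative, which is what a resolver expects alongside a SOA.
function negativeAnswer(nxd, zone)
  return SetNegativeAndSOAAction(nxd, zone, soa.ttl, soa.mname, soa.rname,
                                 soa.serial, soa.refresh, soa.retry, soa.expire, soa.minimum,
                                 { aa=true })
end

-- NXDOMAIN for everything under a blocked zone. The SOA owner name is the
-- blocked zone itself, so the answer is self-consistent for the resolver.
addAction(makeRule({"malware.example"}), negativeAnswer(true, "malware.example."))

-- NODATA: the name exists but this type has no data. Here AAAA for a zone
-- that must stay IPv4-only, so clients stop retrying for IPv6 addresses.
addAction(AndRule({makeRule({"legacy.example"}), QTypeRule(DNSQType.AAAA)}),
          negativeAnswer(false, "legacy.example."))
```

Compared with ``RCodeAction(DNSRCode.NXDOMAIN)``, the SOA lets resolvers apply negative caching, which cuts the repeat traffic a blocked name generates and makes the block visible to anyone debugging with ``dig``.
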
.. function:: SetProxyProtocolValuesAction(values)

  .. versionadded:: 1.5.0

  Set the Proxy-Protocol Type-Length values to be sent to the server along with this query to ``values``.

  :param table values: A table of types and values to send, for example: ``{ ["0"] = "foo", ["42"] = "bar" }``

.. function:: SkipCacheAction()

  Don't look this query up in the cache and don't store the answer.

.. function:: SNMPTrapAction([message])

  Send an SNMP trap, adding the optional ``message`` string as the query description.
  Subsequent rules are processed after this action.

  :param string message: The message to include

.. function:: SNMPTrapResponseAction([message])

  Send an SNMP trap, adding the optional ``message`` string as the query description.
  Subsequent rules are processed after this action.

  :param string message: The message to include

.. function:: SpoofAction(ip [, options])
              SpoofAction(ips [, options])

  .. versionchanged:: 1.5.0
    Added the optional parameter ``options``.

  Forge a response with the specified IPv4 (for an A query) or IPv6 (for an AAAA query) addresses.
  If you specify multiple addresses, all that match the query type (A, AAAA or ANY) will get spoofed in.

  :param string ip: An IPv4 and/or IPv6 address to spoof
  :param {string} ips: A table of IPv4 and/or IPv6 addresses to spoof
  :param table options: A table with key: value pairs with options.

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.
  * ``ttl``: int - The TTL of the record.

.. function:: SpoofCNAMEAction(cname [, options])

  .. versionchanged:: 1.5.0
    Added the optional parameter ``options``.

  Forge a response with the specified CNAME value.

  :param string cname: The name to respond with
  :param table options: A table with key: value pairs with options.

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.
  * ``ttl``: int - The TTL of the record.

.. function:: SpoofRawAction(rawAnswer [, options])

  .. versionadded:: 1.5.0

  Forge a response with the specified raw bytes as record data.

  .. code-block:: Lua

    -- select queries for the 'raw.powerdns.com.' name and TXT type, and answer with a "aaa" "bbbb" TXT record:
    addAction(AndRule({QNameRule('raw.powerdns.com.'), QTypeRule(DNSQType.TXT)}), SpoofRawAction("\003aaa\004bbbb"))
    -- select queries for the 'raw-srv.powerdns.com.' name and SRV type, and answer with a '0 0 65535 srv.powerdns.com.' SRV record, setting the AA bit to 1 and the TTL to 3600s
    addAction(AndRule({QNameRule('raw-srv.powerdns.com.'), QTypeRule(DNSQType.SRV)}), SpoofRawAction("\000\000\000\000\255\255\003srv\008powerdns\003com\000", { aa=true, ttl=3600 }))
    -- select reverse queries for '127.0.0.1' and answer with 'localhost'
    addAction(AndRule({QNameRule('1.0.0.127.in-addr.arpa.'), QTypeRule(DNSQType.PTR)}), SpoofRawAction("\009localhost\000"))

  :param string rawAnswer: The raw record data
  :param table options: A table with key: value pairs with options.

  Options:

  * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
  * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.
  * ``ttl``: int - The TTL of the record.

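
The block below is an added example, not from the dnsdist documentation, covering the three spoofing actions together: :func:`SpoofAction`, :func:`SpoofCNAMEAction` and :func:`SpoofRawAction`. The helper functions ``wireName``, ``u16``, ``txtRdata``, ``srvRdata`` and ``mxRdata`` belong to this example and are not a dnsdist API; they build :func:`SpoofRawAction` payloads from readable values instead of hand-counted escape sequences. It goes beyond the reference entry by adding an MX record, a type that has no dedicated spoof action. The names and addresses other than those reused from the reference examples are assumed.

```lua
-- Added example: forged answers built from readable values. The helpers
-- are part of this example, not of dnsdist; the names and addresses not
-- taken from the reference examples above are assumed.

-- A DNS name in wire format: each label prefixed by its length, then a zero byte.
function wireName(name)
  local out = {}
  for label in string.gmatch(name, "[^.]+") do
    assert(#label <= 63, "label longer than 63 octets: " .. label)
    out[#out + 1] = string.char(#label) .. label
  end
  out[#out + 1] = "\0"
  return table.concat(out)
end

-- A 16-bit big-endian integer, as used by the SRV and MX fields.
function u16(n)
  assert(n >= 0 and n <= 65535, "value does not fit in 16 bits")
  return string.char(math.floor(n / 256), n % 256)
end

-- TXT rdata: one or more <length><characters> strings of at most 255 octets each.
function txtRdata(strings)
  local out = {}
  for _, s in ipairs(strings) do
    assert(#s <= 255, "TXT string longer than 255 octets")
    out[#out + 1] = string.char(#s) .. s
  end
  return table.concat(out)
end

-- SRV rdata: priority, weight, port, then the target name.
function srvRdata(priority, weight, port, target)
  return u16(priority) .. u16(weight) .. u16(port) .. wireName(target)
end

-- MX rdata: preference, then the exchange name.
function mxRdata(preference, exchange)
  return u16(preference) .. wireName(exchange)
end

-- The three rules of the reference entry, with the payloads built from
-- values instead of escape sequences.
addAction(AndRule({QNameRule('raw.powerdns.com.'), QTypeRule(DNSQType.TXT)}),
          SpoofRawAction(txtRdata({"aaa", "bbbb"})))
addAction(AndRule({QNameRule('raw-srv.powerdns.com.'), QTypeRule(DNSQType.SRV)}),
          SpoofRawAction(srvRdata(0, 0, 65535, "srv.powerdns.com."), { aa=true, ttl=3600 }))
addAction(AndRule({QNameRule('1.0.0.127.in-addr.arpa.'), QTypeRule(DNSQType.PTR)}),
          SpoofRawAction(wireName("localhost.")))

-- Sinkhole: steer A and AAAA for a blocked zone to a local sink. Only the
-- addresses matching the query type are used, so one rule serves both.
addAction(makeRule({"sink.example"}), SpoofAction({"192.0.2.1", "2001:db8::1"}, { ttl=30 }))

-- CNAME redirect with a short TTL so that a change propagates quickly.
addAction(QNameRule('www.old.example.'), SpoofCNAMEAction("www.new.example.", { ttl=30 }))

-- MX for a domain whose mail must go through the local relay.
addAction(AndRule({QNameRule('mail.example.'), QTypeRule(DNSQType.MX)}),
          SpoofRawAction(mxRdata(10, "relay.mail.example."), { aa=true }))
```

The asserts in the helpers catch the two mistakes that otherwise produce a silently malformed record: a label over 63 octets and a TXT string over 255 octets, neither of which fits in its one-byte length prefix. Because :func:`SpoofRawAction` does not check the rdata against the query type, the rule must pin the type with :func:`QTypeRule`, as all the examples do.
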
.. function:: TagAction(name, value)

  .. versionadded:: 1.3.0

  Associate a tag named ``name`` with a value of ``value`` with this query; the tag will be passed on to the response.
  Subsequent rules are processed after this action.

  :param string name: The name of the tag to set
  :param string value: The value of the tag

.. function:: TagResponseAction(name, value)

  .. versionadded:: 1.3.0

  Associate a tag named ``name`` with a value of ``value`` with this response.
  Subsequent rules are processed after this action.

  :param string name: The name of the tag to set
  :param string value: The value of the tag

.. function:: TCAction()

  Create an answer to the query with the TC and RD bits set, to force the client to retry over TCP.

.. function:: TeeAction(remote[, addECS])

  Send a copy of the query to ``remote`` and keep statistics on the responses.
  If ``addECS`` is set to true, EDNS Client Subnet information will be added to the query.

  :param string remote: An IP:PORT combination to send the copied queries to
  :param bool addECS: Whether or not to add ECS information. Default false

.. function:: TempFailureCacheTTLAction(ttl)

  Set the cache TTL to use for ServFail and Refused replies. The TTL is not applied to successful replies.

  :param int ttl: Cache TTL for temporary failure replies