git.ipfire.org Git - people/ms/ipfire-2.x.git/commit
Add Fast Flux detection in DNS unbound-python
author Michael Tremer <michael.tremer@ipfire.org>
Fri, 25 Apr 2025 10:10:42 +0000 (11:10 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Fri, 25 Apr 2025 12:34:37 +0000 (14:34 +0200)
commit 17f0a474171554a4b39b358780208aff40d361f8
tree 67f292ca120b3f2f4ea159b06b3d8d9a74bf624c
parent 050f65be6c9ba42e3741bd4ce72bbb6844e9bd33
Add Fast Flux detection in DNS

This has been implemented because of a request on the forum. Since the
proxy is generally an outgoing technology it makes sense to enable this
kind of filtering in DNS.

This patch adds a Python script which processes every query and its
response and extracts all IP addresses from it. Those IP addresses will
then be resolved to their origin AS. If there are more than THRESHOLD
different ASes, the request will be blocked.

The AS lookups will only be performed when there are enough IP addresses
to actually hit the threshold. So there should be next to no performance
impact here except the overhead of the Python module itself.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 files changed:
config/rootfiles/common/unbound
config/unbound/fastflux-detection.py [new file with mode: 0644]
config/unbound/unbound.conf
doc/language_issues.en
doc/language_issues.es
doc/language_issues.fr
doc/language_issues.it
doc/language_issues.nl
doc/language_issues.pl
doc/language_issues.ru
doc/language_issues.tr
doc/language_missings
html/cgi-bin/dns.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
lfs/unbound
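
The check described in the commit message above, as an added example that is not the code from config/unbound/fastflux-detection.py: it counts the distinct origin ASes behind the addresses of one answer and performs no AS lookup when the answer is too small to exceed the threshold. The THRESHOLD value, the prefix-to-AS table, the sample answers and all function names are constructed for illustration, and skipping addresses with no known origin is an assumption.

```python
import ipaddress

THRESHOLD = 3  # assumed value; the commit message names THRESHOLD but gives no number

# Constructed prefix-to-origin-AS table: documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398). A real deployment queries an AS database.
AS_TABLE = {ipaddress.ip_network(p): asn for p, asn in [
    ("192.0.2.0/25", 64496), ("192.0.2.128/25", 64497),
    ("198.51.100.0/24", 64498), ("203.0.113.0/24", 64499),
    ("2001:db8::/32", 64500), ("2001:db8:ff00::/40", 64501),
]}

def origin_as(address, table=AS_TABLE):
    """Longest-prefix match of one address; None when no prefix covers it."""
    matches = [net for net in table
               if net.version == address.version and address in net]
    if not matches:
        return None
    return table[max(matches, key=lambda net: net.prefixlen)]

def is_fast_flux(addresses, lookup=origin_as, threshold=THRESHOLD):
    """True when the answer's addresses map to more than `threshold` distinct ASes."""
    unique = {ipaddress.ip_address(a) for a in addresses}
    # More than `threshold` ASes needs more than `threshold` addresses, so
    # smaller answers are passed without a single AS lookup.
    if len(unique) <= threshold:
        return False
    seen = set()
    for address in sorted(unique, key=lambda a: (a.version, int(a))):
        asn = lookup(address)
        if asn is None:
            continue  # assumption: addresses with unknown origin are not counted
        seen.add(asn)
        if len(seen) > threshold:
            return True  # decision is final, skip the remaining lookups
    return False

# Constructed answers: a CDN-style record set inside one AS, and a record set
# spread over five ASes as a fast-flux domain would return.
CDN_ANSWER = ["198.51.100.10", "198.51.100.11", "198.51.100.12",
              "198.51.100.13", "198.51.100.14"]
FLUX_ANSWER = ["192.0.2.7", "192.0.2.200", "198.51.100.9",
               "203.0.113.80", "2001:db8::1"]

if __name__ == "__main__":
    for name, answer in (("cdn", CDN_ANSWER), ("flux", FLUX_ANSWER)):
        print(name, "blocked" if is_fast_flux(answer) else "allowed")
```

The CDN-style answer shows why the count is taken over ASes and not over addresses: five records in one AS stay allowed, while five records spread over five ASes are blocked.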