From: Otto Moerbeek Date: Tue, 5 Apr 2022 11:48:54 +0000 (+0200) Subject: Add docs plus some cleanup of the DNS Suffix Match Group docs we refer to. X-Git-Tag: rec-4.7.0-beta1~5^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=946bd67325c1c18f3aabf42b3277f305eee9da70;p=thirdparty%2Fpdns.git Add docs plus some cleanup of the DNS Suffix Match Group docs we refer to. --- diff --git a/pdns/recursordist/docs/lua-config/proxymapping.rst b/pdns/recursordist/docs/lua-config/proxymapping.rst index bd12475ee0..febf3e5905 100644 --- a/pdns/recursordist/docs/lua-config/proxymapping.rst +++ b/pdns/recursordist/docs/lua-config/proxymapping.rst @@ -30,7 +30,8 @@ An example use: .. code-block:: Lua addProxyMapping("127.0.0.0/24", "203.0.113.1") - addProxyMapping("10.0.0.0/8", "203.0.113.2") + domains = { "example.com", "example.net" } + addProxyMapping("10.0.0.0/8", "203.0.113.2", domains) The following function is available to configure table based proxy mapping. @@ -39,7 +40,7 @@ If the subnets specified in multiple :func:`addProxyMapping` calls overlap, the By default, the address *before* mapping ``S`` is used for internal logging and ``Protobuf`` messages. See :func:`protobufServer` on how to tune the source address logged in ``Protobuf`` messages. -.. function:: addProxyMapping(subnet, ip) +.. function:: addProxyMapping(subnet, ip [, domains]) .. versionadded:: 4.7.0 
@@ -47,5 +48,9 @@ See :func:`protobufServer` on how to tune the source address logged in ``Protobu :param string subnet: a subnet to match :param string ip: the IP address or IPaddress port combination to match the subnet to. + :param array domains: An array of strings used to fill a :ref:`dns-suffix-match-group`. +If this ``domains`` argument is given to this function, only queries for names matching the :ref:`dns-suffix-match-group` will use the value ``M`` to determine the outgoing ECS, other queries will use the value ``S``. +The ACL check will be done against the mapped address ``M`` for all queries, independent of the name queried. +If the ``domains`` argument is absent, no extra condition (apart from matching the subnet) aplies to determine the outgoing ECS value. diff --git a/pdns/recursordist/docs/lua-scripting/dnsname.rst b/pdns/recursordist/docs/lua-scripting/dnsname.rst index 909e5e1506..7b2aaf46f0 100644 --- a/pdns/recursordist/docs/lua-scripting/dnsname.rst +++ b/pdns/recursordist/docs/lua-scripting/dnsname.rst @@ -105,10 +105,12 @@ Functions and methods of a ``DNSName`` :param string name: The name to compare to -DNS Suffix Match Groups ------------------------ +.. _dns-suffix-match-group: + +DNS Suffix Match Group +---------------------- -The :func:`newDS` function creates a "Suffix Match group" that allows fast checking if a :class:`DNSName` is part of a group. +The :func:`newDS` function creates a ``DSN Suffix Match Group`` that allows fast checking if a :class:`DNSName` is part of a group. This could e.g. be used to answer questions for known malware domains. To check e.g. the :attr:`dq.qname` against a list: 
@@ -120,27 +122,29 @@ To check e.g. the :attr:`dq.qname` against a list: .. function:: newDS() -> DNSSuffixMatchGroup - Creates a new DNS Suffix Match Group. + Creates a new ``DNS Suffix Match Group``. .. class:: DNSSuffixMatchGroup This class represents a group of DNS names that can be used to quickly compare a single :class:`DNSName` against. .. method:: DNSSuffixMatchGroup:add(domain) + DNSSuffixMatchGroup:add(dnsname) DNSSuffixMatchGroup:add(domains) - Add one or more domains to the Suffix Match Group. + Add one or more domains to the ``DNS Suffix Match Group``. :param str domain: A domain name to add - :param {str} domain: A list of Domains to add + :param DNSName dnsname: A dnsname to add + :param {str} domains: A list of domain names to add - .. method:: DNSSuffixMatchGroup:check(domain) -> bool + .. method:: DNSSuffixMatchGroup:check(dnsname) -> bool - Check ``domain`` against the Suffix Match Group. - Returns true if it is matched, false otherwise. + Check ``dnsname`` against the ``DNS Suffix Match Group``. + Returns ``true`` if it is matched, ``false`` otherwise. - :param DNSName domain: The domain name to check + :param DNSName dnsname: The dnsname to check .. method:: DNSSuffixMatchGroup:toString() -> str - Returns a string of the set of suffixes matched by the Suffix Match Group + Returns a string of the set of suffixes matched by the ``DNS Suffix Match Group``.
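
Review bot: typo in the last added line of the ``@@ -47,5 +48,9`` hunk in proxymapping.rst: "aplies" should be "applies". In the same paragraph, the first added sentence joins two statements with a comma ("... to determine the outgoing ECS, other queries will use the value ``S``"). Splitting it into two sentences would make it easier to see which queries use ``M`` and which use ``S``. The sentence stating that the ACL check is done against ``M`` for all queries, independent of the name queried, is the part operators most need to notice, since ``domains`` narrows only the outgoing ECS value and not access control. Consider putting it in its own paragraph.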
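
Review bot: typo in the ``@@ -105,10 +105,12`` hunk in dnsname.rst: the rewritten :func:`newDS` sentence says "DSN Suffix Match Group" where the heading, the new ``dns-suffix-match-group`` label and every other occurrence in this patch say "DNS Suffix Match Group". Please correct it to "DNS" so the literal matches the section title it sits under.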
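
Review bot: the parameter type notation is inconsistent across the two files. In the ``@@ -120,27 +122,29`` hunk in dnsname.rst the list overload of ``DNSSuffixMatchGroup:add`` is documented as ":param {str} domains:", while the proxymapping.rst hunk of this same patch documents the equivalent argument as ":param array domains:". Pick one spelling for "list of strings" and use it in both places. Also, in the new ":param DNSName dnsname: A dnsname to add" line, "a :class:`DNSName` to add" would read better and link to the class.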