Hi Denis,

On 12/07/2023 12:24, Denis MACHARD via dnsdist wrote:
> How to exclude some domains with the dynamic block feature (dynBlockRulesGroup)? Is it possible? The documentation is not clear on this, if anyone has an example.

We should document this more clearly. There are two types of rules in a DBRG:
- setQueryRate, setRCodeRate, setRCodeRatio, setQTypeRate and setResponseByteRate work by looking at the queries and responses present in the ring buffers grouped by client IP, so they can decide to apply an action on a given IP. Therefore the excludeRange, includeRange directives apply to these rules to allowlist and denylist some IPs/ranges.
- setSuffixMatchRule and setSuffixMatchRuleFFI work by looking at the responses present in the ring buffers grouped by subdomains, so they can decide to apply an action on a given domain or subdomain. Therefore the excludeDomains directive applies to these rules to prevent a domain and its children from being blocked.
So you cannot exclude an IP or a range from setSuffixMatchRule/setSuffixMatchRuleFFI, and neither can you exclude a domain from the other rules.
I hope that helps!

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
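
A dnsdist configuration sketch of the split described in the reply above, added here as an illustration; it is not from the original message or from PowerDNS. The thresholds, the address ranges, the domain names and the `tooManyServFails` visitor are constructed for the example.

```lua
-- Added example: one DynBlockRulesGroup holding both kinds of rules.
-- All thresholds, ranges and domains below are constructed sample values.
local dbr = dynBlockRulesGroup()

-- Per-client rules: evaluated over ring buffer entries grouped by client IP.
-- More than 30 queries/s over 10 s blocks the client for 60 s.
dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
-- More than 20 ServFail responses/s over 10 s blocks the client for 60 s.
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)

-- excludeRange/includeRange only affect the per-client rules above:
-- clients in these ranges are never dynamically blocked by them...
dbr:excludeRange({"192.0.2.0/24", "2001:db8::/32"})
-- ...except this subset, which is put back in scope.
dbr:includeRange("192.0.2.128/25")

-- Per-suffix rule: evaluated over responses grouped by (sub)domain.
-- Hypothetical visitor: block a suffix when the names below it
-- produced more than 100 ServFail responses in the window.
local function tooManyServFails(node, self, children)
  return children.servfails > 100
end
dbr:setSuffixMatchRule(10, "Too many ServFails under suffix", 60,
                       DNSAction.Drop, tooManyServFails)

-- excludeDomains only affects the suffix-match rule above:
-- these domains and their children are never dynamically blocked by it.
dbr:excludeDomains({"example.com.", "example.net."})

-- dnsdist calls maintenance() about once per second; apply() walks the
-- ring buffers and inserts or refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

With this configuration a client in 192.0.2.0/25 can still be affected when a suffix it queries gets blocked, and queries for example.com still count toward the per-client rate limits, since neither exclusion crosses over to the other rule type.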