ainar-g
commented
11 months ago You could also use ClientIDs for that, if your clients support encrypted DNS.
Open guidocioni opened 11 months ago
ainar-g
commented
11 months ago You could also use ClientIDs for that, if your clients support encrypted DNS.
catfluoride
commented
8 months ago Hi, @ainar-g
Would you mind giving a practical example of how to use ClientIDs to identify all the IP of a given domain? For instance, how should one specify ip-xxx.xxx.xxx.xxx.web.vodafone.com in allowed_clients? Is it feasible?
Thanks a lot in advance.
ainar-g
commented
8 months ago @catfluoride, not based on the domain, but if you want to limit the users to a number of machines regardless of their IP addresses, you can give them ClientIDs and only use them in the allowlist. Domain-based client (un)blocking is not reliable, as AGH would need to first query PTR records for each new client IP and wait for the results. It's not a piece of information present in the request, unlike the source IP address or a ClientID.
catfluoride
commented
8 months ago Thank you for your kind explanation. I'll give it a try.
EDIT: indeed, it worked, after a bit of fiddling.
Leaving this here for future reference:
sld.domain.tldsld.domain.tld and *sld.domain.tld).*.sld.domain.tld to your DNS zone. I added it as a CNAME for sld.domain.tld
Prerequisites
[X] I have checked the Wiki and Discussions and found no answer
[X] I have searched other issues and found no duplicates
[X] I want to request a feature or enhancement and not ask a question
The problem
As far as I know, it is only possible to specify a list of client IP addresses or CIDRs in the "Allowed Clients" section of the DNS settings.
Proposed solution
I would like to have the possibility to allow all IP addresses corresponding to a certain domain, because I realized most of my requests come from 3 or 4 main domains. For example here
I would like to be able to write something like
Is it possible to do that?
Alternatives considered and additional information
No response