mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
The main intention of the PROXY protocol is to pass endpoint information to a back-end server (in our case, BIND). That means that it is a valid way to spoof endpoint information, as the addresses and ports extracted from PROXYv2 headers are, from the point of view of BIND, used instead of the real connection addresses. Of course, the ability to easily spoof endpoint information can be considered a security issue when used uncontrollably. To resolve that, we introduce the 'allow-proxy' and 'allow-proxy-on' ACL options. These are the only ACL options in BIND that work with the real PROXY connection addresses, allowing a DNS server operator to specify from which clients and on which interfaces he or she is willing to accept PROXY headers. By default, for security reasons, we do not accept them.
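As an added illustration (not BIND's own code), the following Python models the distinction the description draws: the PROXYv2 header is parsed for the claimed endpoints, but the allow-proxy decision is made on the real peer address only, so the spoofable header contents never feed the ACL. The `ALLOW_PROXY` network, the sample header bytes and the function names are constructed for this example.

```python
import ipaddress
import struct

# PROXYv2 signature from the HAProxy PROXY protocol specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Constructed stand-in for BIND's 'allow-proxy' ACL: the real peer addresses
# (the connection's own source) from which PROXYv2 headers are honoured.
ALLOW_PROXY = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed v2 PROXY/AF_INET/STREAM header claiming 198.51.100.7:5353 -> 192.0.2.53:53.
SAMPLE_HEADER = (PP2_SIGNATURE + b"\x21\x11\x00\x0c"
                 + b"\xc6\x33\x64\x07" + b"\xc0\x00\x02\x35" + b"\x14\xe9\x00\x35")
# Constructed LOCAL-command header: carries no endpoint information at all.
LOCAL_HEADER = PP2_SIGNATURE + b"\x20\x00\x00\x00"


def parse_proxy_v2(data):
    """Return (endpoints, payload) for a PROXYv2 header; endpoints is
    (src_ip, src_port, dst_ip, dst_port), or None for the LOCAL command."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXYv2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXYv2 header")
    if ver_cmd & 0x0F == 0:  # LOCAL: nothing to extract, keep real addresses
        return None, payload
    family = fam_proto >> 4
    if family == 1 and length >= 12:    # AF_INET
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    elif family == 2 and length >= 36:  # AF_INET6
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported family or short address block")
    return (ipaddress.ip_address(src), sport,
            ipaddress.ip_address(dst), dport), payload


def effective_client(real_peer, real_port, data, allow_proxy=ALLOW_PROXY):
    """Pick the client address to act on; the ACL sees only the REAL peer."""
    peer = ipaddress.ip_address(real_peer)
    if not any(peer in net for net in allow_proxy):
        return "rejected", None, None  # untrusted sender of PROXY headers
    endpoints, _payload = parse_proxy_v2(data)
    if endpoints is None:
        return "local", peer, real_port
    src_ip, src_port, _dst_ip, _dst_port = endpoints
    return "proxied", src_ip, src_port
```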