NS1 Status

Articles in this section

Fencing filters

  • Updated
Follow

NS1's fencing filters allow you to steer DNS traffic to specific record answers using an autonomous system number (ASN), IP prefix, or location.

 

fencing_filteeres_highlighted-01.png

Filter Description
Netfence ASN

This filter eliminates answers whose ASN metadata value(s) do not match the autonomous system (AS) of the requester's IP address. Answers without an ASN metadata value are not eliminated unless you select the "Remove answers without ASN on match" option.

For example, let's say you apply the Netfence ASN filter to a record with two answers: Answer #1 has an ASN value set to 2914, 3257, and Answer #2 does not have an ASN metadata value set. In this example:

  • Requests from an IP in AS2914 receive both answers.
  • Requests from an IP in AS701 receive only the answer with no ASN value set.
  • If you enable the "Remove answers without ASN on match" option, requests from an IP in AS2914 receive only the answer with the matching ASN metadata value, and the answer with the unset metadata value is eliminated. 

Note: The "Remove answers without ASN on match" option only applies if there is at least one entry in the ASN list that matches the requester AS. In other words, even with the option enabled, if no answers match the ASN, then answers without ASNs not set remain eligible.

WARNING
Do not use this filter for security purposes. DNS security features are not currently strong enough to secure traffic. You should implement strong security within the applications, firewalls, access control lists, or other points of contact with your DNS records instead.
Netfence prefix This filter eliminates answers in which the requester’s IP does not match the IP prefix list of the answer. Answers with no set ip_prefixes value are not eliminated unless you select the Remove answers without ip_prefixes on match option.

For example, assume that you have a record with two answers: One with its ip_prefixes value set to 1.2.3.0/24, 2.3.4.0/24, and another answer without an ip_prefixes value. Requests from 1.2.3.4 receive both answers. Requests from 5.6.7.8 only receive the second answer. If you want requests from 1.2.3.4 to only receive the first answer, select the Remove answers without ip_prefixes on match option.

If you select Remove answers without ip_prefixes on match, answers are removed only if at least one answer contains an ip_prefix that matches the requester. If no answers meet this requirement, answers with no ip_prefix are returned.

WARNING
Do not use this filter for security purposes. DNS security features are not currently strong enough to secure traffic. You should implement strong security within the applications, firewalls, access control lists, or other points of contact with your DNS records instead.
Geofence country This filter eliminates answers in which the country, subdivision, state, or province metadata does not match the requester’s location. If the requester’s location does not match the metadata of any answers, all answers without a country, subdivision, state, or province are returned. If no such answer exists, then a NO ERROR, NO ANSWER status will be returned, and the answer data will be blank.

NS1 compares the most granular location in the answer metadata fields to a geoIP database to determine the location of the requester based on one of the following:

  • Source IP of the request if EDNS Client Subnet (ECS) is supported and activated by the recursive resolver, or
  • Source IP of the recursive resolver if ECS is not enabled.
If the location of the requester does not match an answer in the list, that answer is eliminated from the list of possibilities. You should set up a fallback endpoint without any location metadata set to direct traffic from IPs that do not transmit location or that do not match the geofenced location.

If you select Remove answers that don’t match location metadata if any match, answers are removed only if at least one answer contains location metadata that matches the requester’s location. If no answers meet this requirement, answers with no location are returned.
Geofence regional This filter eliminates answers from different geographical regions than the requester. Answers without a georegion value set are not eliminated unless you select the Remove answers without georegion on match option.

This filter examines the georegion value of answers to determine which geographical regions are allowed, then compares it to a geoIP database to determine the region of the requester to determine if there is a match. The answer will not be returned if the georegions do not match.

If you do not select the Remove answers without georegion on match option, answers without a georegion are not eliminated. For example, assume you have two answers: One answer with its georegion value set to US-EAST, EUROPE and another without a georegion value. Requesters in US-EAST will receive both answers, while a requester in ASIAPAC will receive only the second answer. If you want a requester in US-EAST to receive only the first answer, select Remove answers without georegion on match.

Related articles