Netfence filters

Netfencing (network fencing) filters facilitate granular control over traffic steering decisions, allowing you to map requesting clients to specific endpoints based on the requester's IP address or autonomous system number (ASN). When processing incoming requests, these filters reference the ASN or IP prefix metadata defined in each answer and eliminate answers not matching the requester's IP address.

Attention: Do not use these filters for network security purposes. Implement strong security within the applications, firewalls, access control lists, and other contact points with your DNS records.
Table 1. Netfence filters

Netfence ASN filter
  Description: Eliminates answers whose ASN metadata does not match the ASN associated with the requester's IP address. Answers without ASN metadata remain in the list unless the Remove answers without ASN on match option is enabled.
  Related metadata: AS Number(s)

Netfence Prefix filter
  Description: Eliminates answers whose IP prefix list does not contain the requester's IP address. Answers without ip_prefixes metadata remain in the list unless the Remove answers without ASN on match option is enabled.
  Related metadata: IP Prefix List

Example: Netfence by ASN

Suppose you have a DNS record (type A) with two answers. You set the AS Number(s) metadata values for the first answer to 2914 and 3257. You leave the ASN metadata blank for the second answer. Then, you create a Filter Chain that includes the Netfence by ASN filter. In this example:

  • Requests from an IP in AS2914 receive both answers.
  • Requests from an IP in AS701 receive only the answer with no ASN value set.
  • If you enable the Remove answers without ASN on match option, requests from an IP in AS2914 receive only the answer with the matching ASN metadata value, and the answer with the unset metadata value is eliminated.
Note: The Remove answers without ASN on match option only applies if at least one answer's ASN list contains the requester's AS. In other words, even with the option enabled, if no answer matches the requester's ASN, the answers without ASN metadata remain eligible.

Example: Netfence by IP prefix

Suppose you have a record with two answers. You set the IP Prefix List metadata for the first answer to 1.2.3.0/24, 2.3.4.0/24. You do not specify an IP prefix list for the second answer. In this example:

  • Requests from 1.2.3.4 receive both answers.
  • Requests from 5.6.7.8 only receive the second answer.
  • If you want requests from 1.2.3.4 only to receive the first answer, enable the Remove answers without ASN on match option.
  • If you select Remove answers without ASN on match, answers are removed only if at least one answer contains an ip_prefix that matches the requester. If no answers meet this requirement, answers with no ip_prefix values are returned.
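The following Python models the elimination rule that both filters and both examples above describe, including the "remove answers without metadata only when at least one answer matched" behaviour. It is an added illustration, not NS1 product code: the Answer class and function names are hypothetical, the sample records are constructed to mirror the two examples, and the requester's ASN is assumed to have been resolved from its IP address upstream.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Answer:
    """One answer on a DNS record plus its optional Netfence metadata (hypothetical model)."""
    rdata: str
    asns: frozenset[int] = frozenset()     # "AS Number(s)" metadata; empty means unset
    ip_prefixes: tuple[str, ...] = ()      # "IP Prefix List" metadata; empty means unset


def _fence(answers, has_meta, matches, remove_unset_on_match):
    """Shared rule: drop answers whose metadata is set but does not match the requester.
    Answers with unset metadata survive unless the remove-on-match option is enabled AND
    at least one answer actually matched (the note attached to both examples)."""
    any_match = any(has_meta(a) and matches(a) for a in answers)
    kept = []
    for a in answers:                      # preserve the record's answer order
        if not has_meta(a):
            if not (remove_unset_on_match and any_match):
                kept.append(a)
        elif matches(a):
            kept.append(a)
    return kept


def netfence_asn(answers, requester_asn, remove_unset_on_match=False):
    """Netfence ASN filter. requester_asn is the AS already looked up for the client IP."""
    return _fence(answers, lambda a: bool(a.asns),
                  lambda a: requester_asn in a.asns, remove_unset_on_match)


def netfence_prefix(answers, requester_ip, remove_unset_on_match=False):
    """Netfence Prefix filter: an answer matches if any listed prefix contains the client IP.
    A v4 address never falls inside a v6 prefix (and vice versa), so mixed families are safe."""
    ip = ip_address(requester_ip)
    return _fence(answers, lambda a: bool(a.ip_prefixes),
                  lambda a: any(ip in ip_network(p, strict=False) for p in a.ip_prefixes),
                  remove_unset_on_match)


def rdata(answers):
    return [a.rdata for a in answers]


# Constructed sample records mirroring the two examples on this page.
ASN_RECORD = [Answer("192.0.2.1", asns=frozenset({2914, 3257})), Answer("192.0.2.2")]
PREFIX_RECORD = [Answer("192.0.2.1", ip_prefixes=("1.2.3.0/24", "2.3.4.0/24")), Answer("192.0.2.2")]

if __name__ == "__main__":
    print(rdata(netfence_asn(ASN_RECORD, 701)))                                 # ['192.0.2.2']
    print(rdata(netfence_prefix(PREFIX_RECORD, "1.2.3.4", remove_unset_on_match=True)))  # ['192.0.2.1']
```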