The NETFENCE_ASN filter allows you to 'fence' clients coming from certain ASNs (Autonomous System Numbers) to specific DNS answers.
The filter is given the IP address of the requesting resolver or the EDNS Client Subnet of the originating end user if available. The filter then determines the Autonomous System Number (ASN) of this IP address or subnet. It compares this ASN to the ASN metadata for the requested record and returns answers accordingly.
Remove answers without matching ASN list on any match:
If it is checked and a match exists, the filter will remove non-matching answers and will return the matching answers to the next filter in the chain. If there is no match, answers without ASN metadata will be returned.
If it is unchecked, any matching answers will be returned first, followed by the answers without ASN metadata.
Notes, and a Caution:
This filter uses the IP address of the DNS resolver and, if present, the EDNS Client Subnet of the originator. Stub resolvers and forwarders can make this filter ineffective. The use of public DNS resolvers which do not support EDNS Client Subnet will make this filter ineffective.
The primary function of the NETFENCE_ASN filter is fencing, and it can cause NXDOMAIN responses for queries whose ASN does not match the ASN metadata of any answer. To avoid NXDOMAINs on non-matching queries, a default answer without ASN metadata must be available.
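The selection logic described above (ECS preferred over resolver IP, the checkbox's two behaviours, and the empty answer set that leads to NXDOMAIN when no default answer exists) as an added, self-contained Python model; it is not NS1's code. The prefix-to-ASN table, the ASNs and the answers are constructed sample values, and the NXDOMAIN outcome is modelled as an empty result list.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed IP-prefix -> ASN table standing in for a real routing database.
# Prefixes are RFC 5737 documentation ranges; ASNs are private (RFC 6996).
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}


def lookup_asn(addr):
    """Map an IP address or ECS subnet (e.g. '192.0.2.0/24') to an ASN, else None."""
    net = ipaddress.ip_network(addr, strict=False)
    for prefix, asn in ASN_TABLE.items():
        if net.version == prefix.version and net.subnet_of(prefix):
            return asn
    return None


@dataclass
class Answer:
    rdata: str
    asn: list = field(default_factory=list)  # ASN metadata; empty = default answer


def netfence_asn(answers, resolver_ip, ecs=None, remove_on_match=True):
    """Return the answers that survive the filter; an empty list means NXDOMAIN.

    The client ASN is derived from the EDNS Client Subnet when present,
    otherwise from the resolver's IP address. Answers whose ASN metadata
    does not contain that ASN are dropped in both modes.
    """
    client_asn = lookup_asn(ecs if ecs else resolver_ip)
    matching = [a for a in answers if client_asn is not None and client_asn in a.asn]
    default = [a for a in answers if not a.asn]
    if remove_on_match:
        # Checked: on a match return only matching answers;
        # with no match, fall back to the answers without ASN metadata.
        return matching if matching else default
    # Unchecked: matching answers first, then the answers without ASN metadata.
    return matching + default


# Constructed record: two fenced answers and one default answer.
RECORD = [
    Answer("192.0.2.10", [64500]),
    Answer("198.51.100.10", [64501]),
    Answer("203.0.113.10"),
]
```

With a record that has no default answer, a query from an unknown ASN yields an empty list in checked mode, which is the NXDOMAIN case the caution warns about.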