chore(docs): regenerate man pages (#7971)

man/coredns-acl.7

@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.miek.nl
-.TH "COREDNS-ACL" 7 "March 2021" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-ACL" 7 "March 2026" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -7,7 +7,13 @@
 
 .SH "DESCRIPTION"
 .PP
-With \fB\fCacl\fR enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries to recurse or blocking unauthorized queries.
+With \fB\fCacl\fR enabled, users are able to block or filter suspicious DNS queries by configuring IP filter rule sets, i.e. allowing authorized queries or blocking unauthorized queries.
+
+.PP
+When evaluating the rule sets, \fIacl\fP uses the source IP of the TCP/UDP headers of the DNS query received by CoreDNS.
+This source IP will be different than the IP of the client originating the request in cases where the source IP of the request is changed in transit.  For example:
+* if the request passes though an intermediate forwarding DNS server or recursive DNS server before reaching CoreDNS
+* if the request traverses a Source NAT before reaching CoreDNS
 
 .PP
 This plugin can be used multiple times per Server Block.
@@ -27,7 +33,7 @@ acl [ZONES...] {
 .IP \(bu 4
 \fBZONES\fP zones it should be authoritative for. If empty, the zones from the configuration block are used.
 .IP \(bu 4
-\fBACTION\fP (\fIallow\fP, \fIblock\fP, or \fIfilter\fP) defines the way to deal with DNS queries matched by this rule. The default action is \fIallow\fP, which means a DNS query not matched by any rules will be allowed to recurse. The difference between \fIblock\fP and \fIfilter\fP is that block returns status code of \fIREFUSED\fP while filter returns an empty set \fINOERROR\fP
+\fBACTION\fP (\fIallow\fP, \fIblock\fP, \fIfilter\fP, or \fIdrop\fP) defines the way to deal with DNS queries matched by this rule. The default action is \fIallow\fP, which means a DNS query not matched by any rules will be allowed to recurse. The difference between \fIblock\fP and \fIfilter\fP is that block returns status code of \fIREFUSED\fP while filter returns an empty set \fINOERROR\fP. \fIdrop\fP however returns no response to the client.
 .IP \(bu 4
 \fBQTYPE\fP is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. \fB\fC*\fR stands for all record types. The default behavior for an omitted \fB\fCtype QTYPE...\fR is to match all kinds of DNS queries (same as \fB\fCtype *\fR).
 .IP \(bu 4
@@ -120,14 +126,34 @@ example.org {
 .fi
 .RE
 
+.PP
+Drop all DNS queries from 192.0.2.0/24:
+
+.PP
+.RS
+
+.nf
+\&. {
+    acl {
+        drop net 192.0.2.0/24
+    }
+}
+
+.fi
+.RE
+
 .SH "METRICS"
 .PP
 If monitoring is enabled (via the \fIprometheus\fP plugin) then the following metrics are exported:
 
 .IP \(bu 4
-\fB\fCcoredns_acl_blocked_requests_total{server, zone}\fR - counter of DNS requests being blocked.
+\fB\fCcoredns_acl_blocked_requests_total{server, zone, view}\fR - counter of DNS requests being blocked.
 .IP \(bu 4
-\fB\fCcoredns_acl_allowed_requests_total{server}\fR - counter of DNS requests being allowed.
+\fB\fCcoredns_acl_filtered_requests_total{server, zone, view}\fR - counter of DNS requests being filtered.
+.IP \(bu 4
+\fB\fCcoredns_acl_allowed_requests_total{server, view}\fR - counter of DNS requests being allowed.
+.IP \(bu 4
+\fB\fCcoredns_acl_dropped_requests_total{server, zone, view}\fR - counter of DNS requests being dropped.
 
 
 .PP