Skip to main content

Default Preferences

From v2.9.0 of DiscrimiNAT, certain behavioural preferences can be set at global level per deployment. These are defined in JSON format in an SSM Parameter named DiscrimiNAT (case-sensitive) and the default value if not defined or not accessible is:

{
"%default": {
"wildcard_exposure": "prohibit_public_suffix",
"flow_log_verbosity": "full",
"see_thru": null,
"x509_crls": "ignore"
}
}
tip

Preferences you wish to leave at defaults can be excluded. Also, any additional JSON keys will simply be ignored.

caution

Preferences are refreshed once every five minutes from the SSM Parameter.

Preferences​

wildcard_exposure​

Generally, ? represents one character match exactly which isn't a ., and * matches any number of characters except ..

Options​

none: no wildcard characters such as ? or * are allowed at all

prohibit_asterisk: ? is allowed; * is not allowed

prohibit_public_suffix: ? is allowed; * is allowed as long as the possibility of resulting domain names are not publicly registrable. For example, *.github.com is okay but *.github.io is not. Another example would be *.cloudflare.net being effecticely public. This is determined using Mozilla's Public Suffix List (PSL) bundled into DiscrimiNAT. The version of the PSL bundled will be in the Release Notes and will be updated with every release.

tip

If a wildcard pattern is not accepted because it could have led to a Public Suffix List match, a config log message like the following will be emitted:

{addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}

nuclear: ? is allowed; * is allowed with no public suffix list safeguard

Default​

prohibit_public_suffix

flow_log_verbosity​

This setting only impacts the flow logs. config logs verbosity and behaviour will not be affected.

Options​

full: all allowed and disallowed flows for both the client requests and the server responses are logged in the flow logs

only_disallowed: only disallowed flows will be logged

none: no logs at all

Default​

full

see_thru​

The see_thru non-blocking, monitoring mode can be enabled for an entire deployment rather than per Security Group from this level. This is only the default and does not override a see-thru mode defined at a more granular level – even if the one the granular level may have expired.

tip

See see-thru mode docs for understanding this non-blocking, monitoring mode in detail.

Options​

yyyy-mm-dd formatted date

null to not enable see_thru at the default level. null value to be specified without quotes or this top-level key can be left out completely.

Default​

null

x509_crls​

Options​

auto_allow: Automatically allow plaintext HTTP CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted.

ignore: Do not allow CRL Endpoints automatically.

Default​

ignore

Examples​

It may be useful to turn on the non-blocking, monitoring see_thru mode on until a specified date on a new deployment of DiscrimiNAT. This would ensure apps continue to work while data is captured for building an allowlist from eventually:

{"%default":{"see_thru":"2025-02-19"}}

Ultimately, when allowlists are built and enforced, you may want to turn off flow logs for allowed connections, saving on logging costs:

{"%default":{"flow_log_verbosity":"only_disallowed"}}

To also enable automatic allowing of X509 CRL Endpoints:

{"%default":{"flow_log_verbosity":"only_disallowed","x509_crls":"auto_allow"}}