<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 9 Apr 2022 at 10:57, Otto Moerbeek <<a href="mailto:otto@drijf.net">otto@drijf.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sat, Apr 09, 2022 at 10:37:19AM +0200, Jeff Bread wrote:<br>
<br>
> On Sat, 9 Apr 2022 at 09:52, Jeff Bread <<a href="mailto:jbread68@gmail.com" target="_blank">jbread68@gmail.com</a>> wrote:<br>
> <br>
> ><br>
> ><br>
> ><br>
> > On Sat, 9 Apr 2022 at 09:24, Jeff Bread <<a href="mailto:jbread68@gmail.com" target="_blank">jbread68@gmail.com</a>> wrote:<br>
> ><br>
> >><br>
> >><br>
> >> On Sat, 9 Apr 2022 at 09:05, Otto Moerbeek <<a href="mailto:otto@drijf.net" target="_blank">otto@drijf.net</a>> wrote:<br>
> >><br>
> >>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users<br>
> >>> wrote:<br>
> >>><br>
> >>> > Hi,<br>
> >>> ><br>
> >>> > I am new to powerdns and wanted to implement a kind of extended<br>
> >>> sinkhole by<br>
> >>> > whitelisting some domains by using a RPZ file.<br>
> >>> ><br>
> >>> > The aim is<br>
> >>> ><br>
> >>> > - to allow only certain domain(s) for a certain IP but drop all other<br>
> >>> > domains<br>
> >>> > - and allow all domains for all other clients<br>
> >>> ><br>
> >>> > The rpz is quite simple<br>
> >>> ><br>
> >>> > example.net. CNAME rpz-passthru. ; allow for all including 192.168.16.100<br>
> >>> > *.example.net CNAME rpz-passthru. ; allow for all including 192.168.16.100<br>
> >>> ><br>
> >>> > 32.100.16.168.192.rpz-client-ip CNAME rpz-drop. ; drop every other<br>
> >>> > request for 192.168.16.100<br>
> >>> ><br>
> >>> > 0.0.0.0.0.rpz-client-ip CNAME rpz-passthru. ; allow all domains for all other clients<br>
> >>> ><br>
> >>> > This works perfectly unless an allowed client resolves a record forbidden<br>
> >>> > for 192.168.16.100, as afterwards this record is answered from the cache for<br>
> >>> > 192.168.16.100.<br>
> >>> ><br>
> >>> > I already saw discussions on the precedence of cached records like<br>
> >>> ><br>
> >>> <a href="https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html" rel="noreferrer" target="_blank">https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html</a><br>
> >>> ><br>
> >>> > However the solution to disable caching via<br>
> >>> ><br>
> >>> <a href="https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable" rel="noreferrer" target="_blank">https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable</a><br>
> >>> > for certain records is workable in a blacklisting scenario but not in a<br>
> >>> > whitelisting-like scenario as above. It would mean that I would need to<br>
> >>> > disable caching for all records but the whitelisted ones.<br>
> >>> ><br>
> >>> > Is there a solution for my scenario that lets me still utilize caching?<br>
> >>> ><br>
> >>> > Thanks<br>
> >>><br>
> >>> The Lua gettag() and gettag_ffi() [1] functions can be used to set a<br>
> >>> packet cache tag which effectively partitions the PC into separate<br>
> >>> instances based on the tag. If you set a tag based on the client's IP<br>
> >>> address--dividing them up in groups that share a policy--you should be<br>
> >>> able to achieve the desired effect: different PC instances per client<br>
> >>> group.<br>
> >>><br>
> >>> -Otto<br>
> >>><br>
> >>> [1] <a href="https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag" rel="noreferrer" target="_blank">https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag</a><br>
> >><br>
> >><br>
> >> Many thanks. Indeed this seems to be the solution I was looking for. Will<br>
> >> try it out and report back.<br>
> >><br>
> >> Jeff<br>
> >><br>
> >><br>
> ><br>
> > I started with a basic config to get a log entry however it seems as if<br>
> > the gettag hook is not triggered.<br>
> ><br>
> > -- this check is applied before the packet cache has been looked up<br>
> > function gettag (remote, ednssubnet, vlocal, qname, qtype)<br>
> > pdnslog("gettag -- remote: "..remote.." - ednssubnet: "..ednssubnet.." -<br>
> > local: "..vlocal.." - qname: "..qname.." - qtype: "..qtype.." - policytags:<br>
> > "..policytags)<br>
> > return 0<br>
> > end<br>
> ><br>
> > In my research I also did not find a working example script.<br>
> ><br>
> <br>
> Switched to version 4.4 (I am testing on a raspi stretch) and played a bit<br>
> with the logging<br>
> <br>
> function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions,<br>
> tcp, proxyprotocolvalues)<br>
> pdnslog("Danger: gettag called")<br>
> pdnslog("gettag -- remote: "..remote)<br>
> <br>
> The first pdnslog creates a syslog entry, so the gettag function is triggered and<br>
> called; however, the 2nd pdnslog does not create an entry for whatever unknown<br>
> reason. Tried also with other parameters....<br>
<br>
remote is a ComboAddress. To print it you'll need remote:toString().<br>
This is documented in the links I posted earlier. Your logs should<br>
contain an exception logged for this, unless suppressed. Check if<br>
log-common-errors is set to "yes".<br>
<br>
There is no complete example of gettag in the docs, see [1] . You can<br>
get some inspiration from the regression test code found in [2].<br>
<br>
-Otto<br>
<br>
[1] <a href="https://github.com/PowerDNS/pdns/issues/4697" rel="noreferrer" target="_blank">https://github.com/PowerDNS/pdns/issues/4697</a><br>
[2] <a href="https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor-dnssec/t$" rel="noreferrer" target="_blank">https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor-dnssec/t$</a><br>
<br></blockquote><div><br></div><div>This seems to be quite advanced Lua scripting I guess, well, at least it is for me. My understanding from going through the docs is that I need to somehow utilize the edns-padding-tag, though I am not really sure.</div></div></div>
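Otto's suggestion in the quoted reply, worked out as an added example (my own code, not anything posted in the thread and not code from the PowerDNS project): a lua-dns-script for Recursor 4.4 in which gettag() returns one packet cache tag for the restricted client and another for everyone else, so the two groups never share cached answers, whatever the RPZ lets through. The 192.168.16.100 address is the host from the RPZ in the thread; the NetmaskGroup, the tag numbers and the "restricted" policy tag name are assumptions made for this example.

```lua
-- Added example, not code from the thread or from PowerDNS.
-- Goes into the file named by the recursor's lua-dns-script setting.
-- Written for Recursor 4.4 (the version the thread switched to), where
-- gettag() takes the eight-argument form below.

-- Client group whose cached answers must not be shared with anyone else.
-- 192.168.16.100 is the host from the RPZ in the thread; newNMG() is the
-- recursor's NetmaskGroup constructor, so the group can grow to more hosts
-- or whole prefixes without touching gettag() itself.
local restricted = newNMG()
restricted:addMask("192.168.16.100/32")

-- Packet cache tags: arbitrary integers, only inequality matters.
-- Every distinct tag value is a separate packet cache partition.
local TAG_DEFAULT    = 0
local TAG_RESTRICTED = 1

-- gettag() runs before the packet cache lookup, so the tag it returns
-- decides which partition is consulted now and which one the answer is
-- stored in afterwards. The second return value is a table of policy tags;
-- an RPZ loaded with rpzFile(..., {tags = {...}}) in lua-config-file is
-- then applied only to queries carrying one of those tags.
function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  -- remote is a ComboAddress, not a string. Concatenating it directly
  -- raises a Lua error, which is the failure Otto points at in the thread.
  -- Convert it explicitly before logging.
  local src = remote:toString()

  if restricted:match(remote) then
    pdnslog("gettag: " .. src .. " -> restricted partition, qname " .. qname:toString(),
            pdns.loglevels.Debug)
    return TAG_RESTRICTED, { "restricted" }
  end

  pdnslog("gettag: " .. src .. " -> default partition, qname " .. qname:toString(),
          pdns.loglevels.Debug)
  return TAG_DEFAULT, {}
end
```

With log-common-errors=yes, as Otto suggests, a Lua error inside gettag() shows up in the recursor log instead of silently ending the hook, which is the quickest way to confirm that the script is being run and that the ComboAddress conversion is in place. The "restricted" policy tag is only useful if the RPZ is loaded with a matching tags option; without it, the packet cache partitioning alone already prevents the cross-client cache hit described in the first message.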