<html><head><style id="pgp_css" type="text/css"><!----></style><style id="signatureStyle" type="text/css"><!--#x7701b071e3514c3 #x27e2db6021a6462b9043594e2a946aed
{font-family: Tahoma; font-size: 12pt;}
--></style><style id="css_styles" type="text/css"><!--blockquote.cite { margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc }
blockquote.cite2 {margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc; margin-top: 3px; padding-top: 0px; }
a img { border: 0px; }
li[style='text-align: center;'], li[style='text-align: center; '], li[style='text-align: right;'], li[style='text-align: right; '] { list-style-position: inside;}
body { font-family: Segoe UI; font-size: 12pt; }
.quote { margin-left: 1em; margin-right: 1em; border-left: 5px #ebebeb solid; padding-left: 0.3em; }--></style></head><body><div><br /></div>
<div></div>
<div id="x3eb3e5ce493840c"><blockquote cite="CANoYD-RpvrcKJtWZz_d-6qdd8v6edshQVmEO8fGZA=VbBr76VQ@mail.gmail.com" type="cite" class="cite2"><div dir="ltr"><div><span>I am new to PowerDNS and wanted to implement a kind of extended sinkhole by whitelisting some domains by using an RPZ file.</span></div><div><br /></div><div>The aim is<br /></div><div><br /></div><div>- to allow only certain domain(s) for a certain IP but drop all other domains<br /></div><div>- and allow all domains for all other clients</div></div></blockquote><div id="x3eb3e5ce493840c"><br /></div><div id="x3eb3e5ce493840c">You might try dnSentry[1], a tool I wrote, which acts as an allowlist-based DNS firewall for PowerDNS Recursor. It's a Lua-based application rather than RPZ. </div><div id="x3eb3e5ce493840c"><br /></div><div id="x3eb3e5ce493840c">It works the same for all clients (allowing if config allows, denying if not) but you could probably add source IP discrimination without too much trouble.</div><div id="x3eb3e5ce493840c"><br /></div><div id="x3eb3e5ce493840c">I think, but am not sure, that it'll cache the way you'd like.</div><div id="x3eb3e5ce493840c"><br /></div><div id="x3eb3e5ce493840c">HTH,</div><div id="x3eb3e5ce493840c">gowen</div><div id="x3eb3e5ce493840c"><br /></div><div id="x3eb3e5ce493840c">[1] <a href="https://github.com/gowenfawr/dnSentry" style="font-size: 12pt;">https://github.com/gowenfawr/dnSentry</a></div><div id="x3eb3e5ce493840c"><br /></div><div id="x3eb3e5ce493840c">-- <br /> gowen -- Greg Owen -- <a href="mailto:gowen@swynwyr.com">gowen@swynwyr.com</a></div><br /></div>
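As an added example (not code from the original thread and not dnSentry's own code), the per-source-IP allowlist the question asks for, written as a PowerDNS Recursor Lua `preresolve` hook loaded via `lua-dns-script`; the client address and domain names are constructed placeholders.

```lua
-- Added example: restrict one client to an allowlist of domains in
-- PowerDNS Recursor, leaving every other client unrestricted.
-- Load with: lua-dns-script=/path/to/this/file.lua

-- Constructed sample values: the restricted client and its allowed suffixes.
local restricted = newNMG()
restricted:addMask("192.0.2.10/32")

local allowed = newDS()
allowed:add({"example.com", "example.net"})

-- preresolve runs before the record cache is consulted, so the decision
-- below is applied to every query, cached or not.
function preresolve(dq)
  -- Clients outside the restricted set are not touched at all.
  if not restricted:match(dq.remoteaddr) then
    return false
  end

  -- newDS():check() matches the listed names and any subdomain of them.
  if allowed:check(dq.qname) then
    return false
  end

  -- Everything else for this client is answered REFUSED. The hook cannot
  -- silently drop a query; an explicit rcode is the closest equivalent.
  dq.rcode = pdns.REFUSED
  return true
end
```

If a NXDOMAIN answer is preferred over REFUSED, set `dq.rcode = pdns.NXDOMAIN` instead; either way the restricted client gets a definite response rather than a timeout.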
</body></html>