[dnsdist] Rewrite backend responses based on NXDOMAIN?

Remi Gacogne remi.gacogne at powerdns.com
Thu May 7 09:23:48 UTC 2020


Hi Mark,

On 5/7/20 1:08 AM, Mark Moseley via dnsdist wrote:
> I've been flailing on this, so time to swallow my pride and ask the list :)
> 
> I'm running PowerDNS repo's 1.4.0-1pdns.bionic on a series of Ubuntu
> Bionic boxes, fronting Powerdns Auth 4.3.0. We've got millions of
> customer domains in MySQL.
> 
> We're looking at implementing DomainConnect. My initial thought was to
> use Lua to serve up DomainConnect TXT records for all domains. Easy
> enough and already implemented it, based on a regex of the hostname.
> 
> The curveball is that some customers already have DomainConnect records.
> So me blindly returning DomainConnect records would mask the customers'
> own DomainConnect TXT records. 
> 
> What I'd *like* to do is have dnsdist do this:
> 
> * Query backend for DomainConnect TXT record like usual
> * If the backend replies with a NOERROR for that query, return the
> backend response and done
> * If the backend replies with a NXDOMAIN, change the rcode to NOERROR
> and generate a synthetic response and return that
> 
> I.e. use the customer's TXT record if there is one; if there's not, use
> our blanket TXT record
> 
> I'm trying to avoid having to add a remote backend into pdns auth. Being
> able to do this in dnsdist itself seems a whole lot less complicated and
> probably far more performant. I've also played with Lua inside Powerdns
> Auth and can probably make this work but the likelihood of a) me
> breaking something due to unintended consequences goes way up; and b)
> I'm sure I'll negatively affect performance.
> 
> So far all my poring over docs says that this isn't possible (that is,
> no action that changes a query response), but I'm hoping someone can
> point out the obvious thing I'm missing.

It might be possible to do what you want using LuaResponseAction and
custom Lua code, although I'm not sure you can edit the content of
anything except the response header that way, but it might be possible
to replace the response buffer by setting dr.dh and dr.len.

function customFunc(dr)
  dr.dh = ...
  dr.len = ...
  return DNSResponseAction.HeaderModify, ""
end

addResponseAction(RCodeRule(DNSRCode.NXDOMAIN),
LuaResponseAction(customFunc))

The other option would be to implement SpoofRawResponseAction. That
shouldn't be too hard but would require writing a bit of C++.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
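As an added, self-contained illustration (not dnsdist code and not from this thread) of what a `customFunc` would have to build before handing a new buffer to `dr.dh`/`dr.len`: a Python function that takes a backend NXDOMAIN reply in wire format and produces the NOERROR reply with a synthetic TXT answer, copying the ID and question unchanged, dropping the authority SOA and clearing the AD bit. The `_domainconnect.example.com` name, the TXT value and the SOA contents are constructed sample data, not values from the thread.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def question_end(msg: bytes) -> int:
    """Offset just past the first question section (12-byte header first)."""
    off = 12
    while msg[off] != 0:            # question names are never compressed
        off += msg[off] + 1
    return off + 1 + 4              # root label + QTYPE + QCLASS

def synthesize_txt(reply: bytes, txt: str, ttl: int = 300) -> bytes:
    """Rewrite a backend NXDOMAIN reply for a TXT query into a NOERROR reply
    carrying one synthetic TXT record. Anything else passes through untouched.
    The ID and question are copied so the client still matches the answer; the
    authority SOA and any additional records are dropped, and the AD bit is
    cleared because the synthetic data was never validated."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    if (flags & 0x000F) != 3 or qd != 1:
        return reply                # not NXDOMAIN (or odd message): pass through
    qend = question_end(reply)
    qtype = struct.unpack("!H", reply[qend - 4:qend - 2])[0]
    if qtype != 16:                 # only TXT queries get the blanket record
        return reply
    flags = (flags & 0xFFF0) & ~0x0020          # rcode NOERROR, AD cleared
    data = txt.encode("ascii")
    rdata = b"".join(bytes([len(c)]) + c         # TXT <character-string>s, <=255 each
                     for c in (data[i:i + 255] for i in range(0, len(data), 255)))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    return header + reply[12:qend] + rr

def sample_nxdomain() -> bytes:
    """Constructed backend reply: NXDOMAIN for _domainconnect.example.com TXT
    with the SOA an authoritative server puts in the authority section."""
    q = encode_name("_domainconnect.example.com") + struct.pack("!HH", 16, 1)
    soa_rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
                 + struct.pack("!5I", 2020050701, 3600, 900, 604800, 300))
    soa = encode_name("example.com") + struct.pack("!HHIH", 6, 1, 300, len(soa_rdata)) + soa_rdata
    return struct.pack("!6H", 0x1234, 0x8183, 1, 0, 1, 0) + q + soa

if __name__ == "__main__":
    out = synthesize_txt(sample_nxdomain(), "dc.example.net")
    print(struct.unpack("!6H", out[:12]), out[question_end(out):].hex())
```

A NOERROR reply from the backend (the customer's own record) is returned as-is, which is the pass-through branch the question asks for.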
