[Pdns-dev] Lua script to run when DNS entry IS found

[Michael Fielding]

On 23 Oct 2010, at 11:46, bert hubert wrote:

> On Sat, Oct 23, 2010 at 10:32:33AM +0100, Michael Fielding wrote:
>> I would like to invert the status of the DNS database, to create a
>> blacklist: for anything NOT in the DNS database, a constant entry is
>> returned; for anything IN the database, NXDOMAIN is returned.
>
> I'm a bit confused - the Lua script is in the PowerDNS Recursor,  
> which does
> not have a database.

Sorry, I'm the one who's confused - I missed that reading the  
scripting docs.

>> The nxdomain script function will be called when an entry is NOT
>> found, and I could return what I need. But is it possible to
>> intercept any *resolved* request and override to return NXDOMAIN?
>> (Alternatively, use a preresolve function and check try to resolve
>> in the script itself.)
>
> Right now, this is not possible, but the Lua scripts will be  
> enhanced very
> shortly with a number of new hooks. One of these will allow you to  
> override
> any answer, and even change the question.
>
> If you could elaborate a bit more, we could make sure that the new  
> hooks
> do what you need.

Thank you. I want to be able to provide a DNS-based whitelist and a  
corresponding DNS-based blacklist (operating like DNSBL and DNSWL).  
The whitelist is easy to implement using the Authoritative Server,  
backed by a database. The blacklist must use the same database, but  
respond to an A-record query by providing 127.0.0.2 for anything NOT  
in the whitelist, for a certain TLD e.g. .local, and must return  
NXDOMAIN for anything in the whitelist.

For the core functions I don't think I need the Recursor, just the  
Authoritative Server. Do your scripting enhancement plans include  
hooks for that? Otherwise, it sounds like the enhancements you mention  
would allow me to achieve what I need using the Recursor as a kind of  
script-able front end, configured with forward-zones to the  
Authoritative Server. If I'm right?



	Michael