[Pdns-users] Why is pdns searching for NS records at the sub-domain level?

Aki Tuomi cmouse at youzen.ext.b2.fi
Thu Sep 5 14:40:23 UTC 2013


I don't think you can do other than blacklisting with auth. I think you have
more luck with LUA in resolver. Just keep a list of domains you want to permit
and if not on the list, send evil-record IN CNAME www.youwontgetthere.com which
resolves from somewhere. 

Aki

On Thu, Sep 05, 2013 at 07:33:43AM -0700, chayes wrote:
> John,
> 
> You are correct.  I am trying to build a white-list dns.  
> So for example, if I wanted to white-list cnn.com then I would have
> sufficient domains and records in the pdns database to cover it (corrected
> info below).  
> And if a user attempted to browse to a site that was not allowed, like
> gamble.com, then I assume I would need nxdomain to answer and send them to a
> special IP containing a block page.
> I have made some progress ... I can whitelist specific sub-domains, having
> non-white-listed sites return "page cannot be displayed" ... but I can't
> seem to whitelist entire domains because I can't get wild-card working ...
> and I need to return a block page instead of "page cannot be displayed."
> 
> corrected records table contents:
> +----+-----------+---------+------+-------------------------------+-------+------+-------------+
> | id | domain_id | name    | type | content                       | ttl   | prio | change_date |
> +----+-----------+---------+------+-------------------------------+-------+------+-------------+
> |  1 |         1 | cnn.com | SOA  | localhost dnsadm at afo.net 1 | 86400 | NULL |        NULL |
> |  2 |         1 | cnn.com | NS   | ns1.timewarner.net            | 86400 | NULL |        NULL |
> |  3 |         1 | cnn.com | NS   | ns3.timewarner.net            | 86400 | NULL |        NULL |
> |  4 |         1 | cnn.com | NS   | ns1.p42.dynect.net            | 86400 | NULL |        NULL |
> |  5 |         1 | cnn.com | NS   | ns2.p42.dynect.net            | 86400 | NULL |        NULL |
> |  6 |         1 | cnn.com | A    | 157.166.226.25                | 86400 | NULL |        NULL |
> |  7 |         1 | cnn.com | A    | 157.166.226.26                | 86400 | NULL |        NULL |
> +----+-----------+---------+------+-------------------------------+-------+------+-------------+
> 
> Cliff
> 
> 
> 
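An added example (not from this thread or the PowerDNS project) of the allow-list approach Aki describes, written against the recursor 4.x Lua API rather than the 2013-era one: names under an allowed suffix resolve normally, everything else is answered with a CNAME to a block page that the recursor then follows. The block page name `blocked.example` and the script path are placeholders; the allowed names are taken from Cliff's records table.

```lua
-- Example allow-list script for the PowerDNS Recursor (4.x Lua API).
-- Activate with  lua-dns-script=/etc/powerdns/allowlist.lua  (path is a placeholder).

-- Where non-allowed names are redirected.  Placeholder; use your own block page name.
local blockPage = newDN("blocked.example.")

-- Allowed suffixes.  A suffix match group matches a name and every name below it,
-- so "cnn.com" also covers www.cnn.com, edition.cnn.com, ... without wildcard records.
-- The NS hosts from the records table are included so their lookups succeed, and
-- the block page's own domain so it is never rewritten to itself.
local allowed = newDS()
for _, suffix in ipairs({ "cnn.com", "timewarner.net", "p42.dynect.net", "blocked.example" }) do
  allowed:add(newDN(suffix))
end

-- Query types a browser issues when connecting; these get the CNAME redirect.
local redirectTypes = { [pdns.A] = true, [pdns.AAAA] = true, [pdns.CNAME] = true, [pdns.ANY] = true }

-- preresolve runs before the recursor performs any lookup.  Returning false lets
-- normal resolution proceed; returning true sends the answer built here.
function preresolve(dq)
  if allowed:check(dq.qname) then
    return false
  end

  if redirectTypes[dq.qtype] then
    -- Answer with a CNAME and have the recursor resolve the target, so the client
    -- receives the block page's address in the same response.
    dq.rcode = pdns.NOERROR
    dq:addAnswer(pdns.CNAME, blockPage:toString(), 60)
    dq.followupFunction = "followCNAMERecords"
  else
    -- Nothing else (MX, TXT, NS, ...) is disclosed for names that are not allowed.
    dq.rcode = pdns.NXDOMAIN
  end

  -- Log the decision so blocked lookups can be reviewed later.
  pdnslog("allowlist: blocked " .. dq.qname:toString() .. " type " .. dq.qtype ..
          " from " .. dq.remoteaddr:toString(), pdns.loglevels.Info)
  return true
end
```

Because suffix matching covers every label below an allowed name, the wildcard problem from the original question does not arise in the resolver; clients that reach the block page over HTTPS will still see a certificate mismatch, since the name they asked for is not the block page's.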

