[Pdns-users] Recursor: Black list

Robert Mortimer robm at scramworks.net
Mon Oct 20 16:29:40 UTC 2014


Hi,

Just to add a bit less light, we implemented this sort of thing about 5 years back
and now with the aid of a small script have a solution which is fully RPZ
compatible, using the PDNS recursor and LUA, which can handle an RPZ feed of about four
thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item
RPZ feed.

As said, no need to restart when it updates; just do a LUA reload. Hopefully I
should be able to release what we did soon - am waiting for permission from our
legal types.

Really not sure if that helps any, except to say it's very doable and can be
quite stable.


On Mon, 20 Oct 2014, Curtis Maurand wrote:

> On 10/20/2014 9:40 AM, Ciro Iriarte wrote:
> >2014-10-17 13:35 GMT-03:00 ktm at rice.edu <ktm at rice.edu>:
> >>>>Hi Ciro,
> >>>>
> >>>>We used a CDB key value store. It was easy to use/update and had
> >>>>very good performance. "grepping" is O(n*n) so it will tank as
> >>>>your list grows and you really don't want to slow down your DNS
> >>>>lookups.
> >>>>
> >>>>Regards,
> >>>>Ken
> >>>Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
> >>>document specific for PDNS you can point me to?
> >>>
> >>>Regards!
> >>>
> >>Hi,
> >>
> >>No PDNS specific documentation, we used the CDB map to allow the
> >>blacklist to be updated without needing to restart the recursor
> >>and lose all the cached DNS lookups. We wrote a function similar
> >>to the example Lua script using a CDB map instead.
> >>
> >>Regards,
> >>Ken
> >Hi Ken! Would you be willing to publish/share your implementation?
> >Having two different rules (two groups, each group with different
> >answers), do you think it's best to use two scripts, or just push
> >more data to the CDB (A record expected + answer) and use one script?
> >
> >Regards,
> 
> I've been looking for a way to do this as well.  I would think that
> a separate pdns instance on a different server than your main dns
> would do the trick or have one bound to one address and a second
> instance bound to another using separate databases.  I tried setting
> up a zone and delegating it to the current DNS and that doesn't
> work.  It's an interesting problem.  Currently I'm using iptables on
> my mail servers, but that gets unwieldy and unmanageable in a
> hurry.  I've also done it with spamassassin rules, but that also
> gets to be unmanageable, too.
> 
> --Curtis
> 
> -- 
> Curtis Maurand
> curtis at maurand.com <mailto:curtis at maurand.com>
> 207-252-7748

> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users


-- 
Robm
873
  "Ask not what I can do for the stupid, 
         but what the stupid can do for me" - Graeme Garden
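Added example, not code from this thread, from the posters, or from PowerDNS: a self-contained Python model of the CDB-backed blacklist Ken describes and of the update-without-restart behaviour both he and Robert rely on. It implements djb's CDB layout and hash (the 256-entry header, records, then open-addressed hash tables), an RPZ-style lookup that tries the exact owner name and then a `*.` entry at each parent, a reader that re-opens the file when it has been atomically replaced, and the atomic publish step itself. The Lua hook inside the recursor that would call `lookup()` on every query, the action strings, the sample feed, and every function and file name here are assumptions of this example.

```python
import os
import struct
import tempfile

def cdb_hash(key: bytes) -> int:
    """djb's cdb hash: h = ((h << 5) + h) ^ c, seeded with 5381, mod 2**32."""
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def cdb_make(records) -> bytes:
    """Serialise (key, value) byte pairs into a CDB image (djb's layout)."""
    body = bytearray(2048)                        # header slot, overwritten at the end
    buckets = [[] for _ in range(256)]
    for key, value in records:
        h = cdb_hash(key)
        buckets[h & 0xFF].append((h, len(body)))
        body += struct.pack("<II", len(key), len(value)) + key + value
    header = b""
    for entries in buckets:
        nslots = 2 * len(entries)                 # half-empty tables keep probes short
        slots = [(0, 0)] * nslots
        for h, pos in entries:
            i = (h >> 8) % nslots
            while slots[i][1] != 0:               # linear probing
                i = (i + 1) % nslots
            slots[i] = (h, pos)
        header += struct.pack("<II", len(body), nslots)
        for h, pos in slots:
            body += struct.pack("<II", h, pos)
    return header + bytes(body[2048:])

def cdb_get(data: bytes, key: bytes):
    """Expected O(1) lookup; returns the value bytes or None."""
    h = cdb_hash(key)
    tpos, nslots = struct.unpack_from("<II", data, (h & 0xFF) * 8)
    if nslots == 0:
        return None
    i = (h >> 8) % nslots
    for _ in range(nslots):
        slot_hash, pos = struct.unpack_from("<II", data, tpos + i * 8)
        if pos == 0:
            return None                           # empty slot: key is absent
        if slot_hash == h:
            klen, vlen = struct.unpack_from("<II", data, pos)
            if data[pos + 8:pos + 8 + klen] == key:
                return data[pos + 8 + klen:pos + 8 + klen + vlen]
        i = (i + 1) % nslots
    return None

def blocklist_lookup(data: bytes, qname: str):
    """RPZ-style match: exact owner name, then a '*.' entry at each parent."""
    name = qname.rstrip(".").lower()              # 'WWW.Example.COM.' == 'www.example.com'
    hit = cdb_get(data, name.encode())
    for i in range(1, name.count(".") + 1):       # parents: strip i leading labels
        if hit is not None:
            break
        hit = cdb_get(data, ("*." + name.split(".", i)[-1]).encode())
    return hit.decode() if hit is not None else None

class Blocklist:
    """Hot-reloadable view of a CDB file: no resolver restart, no cache loss."""
    def __init__(self, path: str):
        self.path, self.stamp, self.data = path, None, b""
    def refresh(self):
        st = os.stat(self.path)
        stamp = (st.st_ino, st.st_size, st.st_mtime_ns)   # inode changes on each rename
        if stamp != self.stamp:
            with open(self.path, "rb") as f:
                self.data = f.read()
            self.stamp = stamp
    def lookup(self, qname: str):
        self.refresh()
        return blocklist_lookup(self.data, qname)

def write_blocklist(path: str, entries: dict) -> None:
    """Build the CDB and publish it atomically (temp file + rename)."""
    image = cdb_make((k.encode(), v.encode()) for k, v in sorted(entries.items()))
    with open(path + ".tmp", "wb") as f:
        f.write(image)
    os.replace(path + ".tmp", path)

# Constructed sample feed, not a real RPZ source; value is the action to take.
SAMPLE_FEED = {"malware.example": "NXDOMAIN", "*.malware.example": "NXDOMAIN",
               "*.phish.example.net": "192.0.2.1"}

def run_demo() -> dict:
    """Publish the feed, query it, republish with an extra entry, query again."""
    path = os.path.join(tempfile.mkdtemp(), "rpz.cdb")
    write_blocklist(path, SAMPLE_FEED)
    bl = Blocklist(path)
    queries = ("Malware.example.", "cdn.malware.example", "login.phish.example.net",
               "phish.example.net", "example.org")
    before = {q: bl.lookup(q) for q in queries}
    write_blocklist(path, {**SAMPLE_FEED, "example.org": "NXDOMAIN"})
    after = {q: bl.lookup(q) for q in queries}   # served without any restart
    return {"before": before, "after": after}
```

`run_demo()` returns the answers before and after the feed is republished; the new `example.org` entry is served by the same reader object with nothing restarted, which is the property both posters wanted from CDB and from a Lua reload. The wildcard walk is what makes `cdn.malware.example` match `*.malware.example` while `phish.example.net` itself stays unblocked, matching RPZ's wildcard semantics. The temp-file-plus-rename publish is not optional: a reader that opened a half-written CDB would parse garbage hash tables, and a list update must never be a way to take the resolver down.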



