[Pdns-users] Recursor: Black list

Ciro Iriarte cyruspy at gmail.com
Mon Oct 20 17:09:05 UTC 2014

2014-10-20 13:29 GMT-03:00 Robert Mortimer <robm at scramworks.net>:
> Hi,
> Just to add a bit less light, we implemented this sort of thing about 5 years back
> and now with the aid of a small script have a solution which is fully RPZ
> compatible. Using PDNS recursor and Lua, which can handle an RPZ feed of about four
> thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item
> RPZ feed.
> As said, no need to restart when it updates, just do a Lua reload. Hopefully I
> should be able to release what we did soon - am waiting for permission from our
> legal types.
> Really not sure if that helps any, except to say it's very doable and can be
> quite stable.

RPZ seems really interesting, and I see there was a request for it in
the past*. The thing is, we have direct requests from local government
agencies to ban some domains with legal issues (mandated by a judge
for example), and we were just approached about being able to block
sites from the Internet Watch Foundation black list also (with their
own landing page). Both cases will be redirected to different sites,
and each has its own data source. Currently on BIND we just define the
domain as authoritative and it's kind of a hassle.

Also, I thought about adding some helpful Lua bits to report date/time
or the client's IP address, but from what I understood, only one Lua
script can be added to the recursor; maybe a super monster script
could be able to achieve all that.

* http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html

Ciro Iriarte
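
The requirement discussed in this message (two block lists from separate data sources, each sent to its own landing page, handled by the single Lua script the recursor loads) can be sketched as below. This is an added example, not code from either poster or from the PowerDNS project; it assumes the Recursor 3.x hook signature `preresolve(remoteip, domain, qtype)`, and the list names, domains and landing addresses are constructed placeholders.

```lua
-- Added example: one script, several block lists, one landing address each.
-- Assumes the Recursor 3.x Lua hook; 4.x passes a single dq object instead.
-- All list contents and addresses below are constructed placeholders.
local lists = {
  { name = "court-order", landing = "192.0.2.10",
    domains = { ["blocked-by-court.example."] = true } },
  { name = "watch-list", landing = "198.51.100.10",
    domains = { ["listed-site.example."] = true } },
}

-- Lower-case the query name and make sure it ends in a dot, so that
-- "WWW.Listed-Site.example" and "www.listed-site.example." compare equal.
local function normalise(domain)
  domain = string.lower(domain)
  if domain:sub(-1) ~= "." then domain = domain .. "." end
  return domain
end

-- Return the first list that holds the name or any parent zone of it.
-- Labels are stripped from the left, so matching only happens on label
-- boundaries ("notlisted-site.example." does not hit "listed-site.example.").
local function match(domain)
  local name = normalise(domain)
  while name ~= "" and name ~= "." do
    for _, list in ipairs(lists) do
      if list.domains[name] then return list end
    end
    name = name:gsub("^[^.]*%.", "", 1)   -- drop the leftmost label
  end
  return nil
end

function preresolve(remoteip, domain, qtype)
  local list = match(domain)
  if not list then return -1, {} end      -- -1: resolve normally
  if pdnslog then                         -- record which client hit which list
    pdnslog("blocked " .. domain .. " for " .. tostring(remoteip) ..
            " (" .. list.name .. ")")
  end
  if qtype == pdns.A then
    return 0, { { qtype = pdns.A, content = list.landing, ttl = 60 } }
  end
  return 0, {}                            -- other types: empty NOERROR answer
end
```

After regenerating the tables from the data sources, `rec_control reload-lua-script` loads the new script without restarting the recursor.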
