[Pdns-users] Recursor: Black list

Ciro Iriarte cyruspy at gmail.com
Sun Oct 26 04:17:42 UTC 2014

2014-10-20 15:12 GMT-03:00 ktm at rice.edu <ktm at rice.edu>:
> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <robm at scramworks.net>:
>> > Hi,
>> >
>> > Just to add a bit less light, we implemented this sort of thing about 5 years back
>> > and now with the aid of a small script have a solution which is fully RPZ
>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four
>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item
>> > RPZ feed.
>> >
>> > As said no need to restart when it updates just do a LUA reload. Hopefully I
>> > should be able to release what we did soon - am waiting for permission from our
>> > legal types.
>> >
>> > Really not sure if that helps any, except to say it's very doable and can be
>> > quite stable.
>> >
>> >
>> RPZ seem really interesting, and I see there was a request for it in
>> the past*. The thing is, we have direct requests from local government
>> agencies to ban some domains with legal issues (mandated by a judge
>> for example), and we were just approached about being able to block
>> sites from the Internet Watch Foundation black list also (with their
>> own landing page). Both cases will be redirected to different sites,
>> and each has its own data source. Currently on bind we just define the
>> domain as authoritative and it's kind of a hassle.
>> Also, I thought about adding some helpful LUA bits to report date/time
>> or the client's IP address, but from what I understood, only one LUA
>> script can be added to the recursor, maybe a super monster script
>> could be able to achieve all that.
>> Ref:
>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>> Regards,
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
> Hi,
> I would use a single Lua script for all of it. I am trying to find my
> sample using CDB to post.
> Regards,
> Ken

Hi!, got a proof of concept script that successfully does the CDB
lookup, but I'm curious about the CNAME answers, how can I call
another resolution iteration to find the A record for the final

Currently I can only answer a CNAME record, and any attempt to reach a
website for example will fail with "Couldn't resolve host".


Ciro Iriarte

More information about the Pdns-users mailing list