[Pdns-users] Recursor: Black list

Ciro Iriarte cyruspy at gmail.com
Mon Oct 27 03:49:31 UTC 2014


2014-10-26 1:47 GMT-03:00 Ciro Iriarte <cyruspy at gmail.com>:
> 2014-10-26 1:17 GMT-03:00 Ciro Iriarte <cyruspy at gmail.com>:
>> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu <ktm at rice.edu>:
>>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
>>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <robm at scramworks.net>:
>>>> > Hi,
>>>> >
>>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back
>>>> > and now with the aid of a small script have a solution which is fully RPZ
>>>> > compatible. Using PDNS recursor and LUA, which can handle an RPZ feed of about four
>>>> > thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item
>>>> > RPZ feed.
>>>> >
>>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I
>>>> > should be able to release what we did soon - am waiting for permission from our
>>>> > legal types.
>>>> >
>>>> > Really not sure if that helps any, except to say it's very doable and can be
>>>> > quite stable.
>>>> >
>>>> >
>>>>
>>>> RPZ seems really interesting, and I see there was a request for it in
>>>> the past*. The thing is, we have direct requests from local government
>>>> agencies to ban some domains with legal issues (mandated by a judge
>>>> for example), and we were just approached about being able to block
>>>> sites from the Internet Watch Foundation black list also (with their
>>>> own landing page). Both cases will be redirected to different sites,
>>>> and each has its own data source. Currently on bind we just define the
>>>> domain as authoritative and it's kind of a hassle.
>>>>
>>>> Also, I thought about adding some helpful LUA bits to report date/time
>>>> or the client's IP address, but from what I understood, only one LUA
>>>> script can be added to the recursor, maybe a super monster script
>>>> could be able to achieve all that.
>>>>
>>>>
>>>> Ref:
>>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>>>
>>>>
>>>> Regards,
>>>> --
>>>> Ciro Iriarte
>>>> http://iriarte.it
>>>> --
>>>
>>> Hi,
>>>
>>> I would use a single Lua script for all of it. I am trying to find my
>>> sample using CDB to post.
>>>
>>> Regards,
>>> Ken
>>
>> Hi! Got a proof of concept script that successfully does the CDB
>> lookup, but I'm curious about the CNAME answers: how can I call
>> another resolution iteration to find the A record for the final
>> destination?
>>
>> Currently I can only answer a CNAME record, and any attempt to reach a
>> website for example will fail with "Couldn't resolve host".
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Answering to myself, found the followCNAMERecords return option. It
> works to look for a regular A lookup from the CNAME result. It doesn't
> cover the case where our overwritten answer should also be blocked (the
> LUA script is not run on that iteration).
>
> Should that case be covered? Is there another return code that will
> trigger the LUA script again for the CNAME follow up?
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Got a functional pair of scripts:

http://iriarte.it/?p=316

This doesn't address yet the possibility to black list
"*.offender.com" for example. Comments?


Regards,
Ciro

-- 
Ciro Iriarte
http://iriarte.it
--
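An added example, not one of the scripts linked in the thread: a PowerDNS Recursor preresolve hook that matches the queried name and each of its parent domains against a blocklist, so a "*.offender.com" style entry blocks every subdomain, and that points the answer at a landing page via a followed CNAME. It assumes the 4.x-style `dq` scripting API (the 2014-era hook in the thread takes `remoteip, domain, qtype` instead), and replaces the CDB lookup with a constructed in-memory table.

```lua
-- Constructed sample blocklist: blocked zone -> landing page CNAME target.
-- Stands in for the CDB lookup discussed in the thread.
local blocklist = {
  ["offender.com."]    = "blocked.court-order.example.",
  ["another.example."] = "blocked.iwf.example.",
}

-- Return (landing page, matched zone) for qname or any parent domain of
-- it, or nil if nothing matches. Strips one leading label per iteration,
-- which is what makes "*.offender.com" style blocking work.
function lookupBlocked(qname)
  local name = qname:lower()
  if name:sub(-1) ~= "." then name = name .. "." end
  while name ~= "" do
    local hit = blocklist[name]
    if hit then return hit, name end
    local dot = name:find(".", 1, true)
    if not dot then break end
    name = name:sub(dot + 1)
  end
  return nil
end

-- preresolve hook (4.x-style dq API, assumed).
function preresolve(dq)
  local qname = dq.qname:toString()
  local target, matched = lookupBlocked(qname)
  if not target then
    return false  -- not listed: let the recursor resolve normally
  end
  -- The hook is not run again for the CNAME target (the gap raised in
  -- the thread), so a landing page that is itself on the blocklist
  -- would never be blocked. Refuse such a configuration loudly.
  if lookupBlocked(target) then
    pdnslog("landing page " .. target .. " is itself blocklisted",
            pdns.loglevels.Error)
    return false
  end
  pdnslog("blocked " .. qname .. " (matched " .. matched .. ") from " ..
          dq.remoteaddr:toString(), pdns.loglevels.Info)
  dq:addAnswer(pdns.CNAME, target, 60)
  dq.rcode = 0  -- NOERROR
  -- Ask the recursor to resolve the CNAME target to its A/AAAA records.
  dq.followupFunction = "followCNAMERecords"
  return true
end
```

Logging the client address here is the reporting the thread mentions wanting from the Lua side; keep the landing page targets outside every blocked zone or the guard above rejects them.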