[Pdns-users] Recursor: Black list

Aki Tuomi cmouse at youzen.ext.b2.fi
Mon Oct 27 06:46:58 UTC 2014


On Mon, Oct 27, 2014 at 12:49:31AM -0300, Ciro Iriarte wrote:
> 2014-10-26 1:47 GMT-03:00 Ciro Iriarte <cyruspy at gmail.com>:
> > 2014-10-26 1:17 GMT-03:00 Ciro Iriarte <cyruspy at gmail.com>:
> >> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu <ktm at rice.edu>:
> >>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
> >>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <robm at scramworks.net>:
> >>>> > Hi,
> >>>> >
> >>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back
> >>>> > and now with the aid of a small script have a solution which is fully RPZ
> >>>> > compatible. Using PDNS recursor and LUA, which can handle an RPZ feed of about four
> >>>> > thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item
> >>>> > RPZ feed.
> >>>> >
> >>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I
> >>>> > should be able to release what we did soon - am waiting for permission from our
> >>>> > legal types.
> >>>> >
> >>>> > Really not sure if that helps any, except to say it's very doable and can be
> >>>> > quite stable.
> >>>> >
> >>>> >
> >>>>
> >>>> RPZ seem really interesting, and I see there was a request for it in
> >>>> the past*. The thing is, we have direct requests from local government
> >>>> agencies to ban some domains with legal issues (mandated by a judge
> >>>> for example), and we were just approached about being able to block
> >>>> sites from the Internet Watch Foundation black list also (with their
> >>>> own landing page). Both cases will be redirected to different sites,
> >>>> and each has its own data source. Currently on bind we just define the
> >>>> domain as authoritative and it's kind of a hassle.
> >>>>
> >>>> Also, I thought about adding some helpful LUA bits to report date/time
> >>>> or the client's IP address, but from what I understood, only one LUA
> >>>> script can be added to the recursor, maybe a super monster script
> >>>> could be able to achieve all that.
> >>>>
> >>>>
> >>>> Ref:
> >>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
> >>>>
> >>>>
> >>>> Regards,
> >>>> --
> >>>> Ciro Iriarte
> >>>> http://iriarte.it
> >>>> --
> >>>
> >>> Hi,
> >>>
> >>> I would use a single Lua script for all of it. I am trying to find my
> >>> sample using CDB to post.
> >>>
> >>> Regards,
> >>> Ken
> >>
> >> Hi! Got a proof of concept script that successfully does the CDB
> >> lookup, but I'm curious about the CNAME answers: how can I call
> >> another resolution iteration to find the A record for the final
> >> destination?
> >>
> >> Currently I can only answer a CNAME record, and any attempt to reach a
> >> website for example will fail with "Couldn't resolve host".
> >>
> >> Regards,
> >>
> >> --
> >> Ciro Iriarte
> >> http://iriarte.it
> >> --
> >
> > Answering to myself, found the followCNAMERecords return option. It
> > works to look for a regular A lookup from the CNAME result. It doesn't
> > cover the case where our overwritten answer should also be blocked (the
> > LUA script is not run on that iteration).
> >
> > Should that case be covered? Is there another return code that will
> > trigger the LUA script again for the CNAME follow-up?
> >
> > --
> > Ciro Iriarte
> > http://iriarte.it
> > --
> 
> Got a functional pair of scripts:
> 
> http://iriarte.it/?p=316
> 
> This doesn't address yet the possibility to black list
> "*.offender.com" for example. Comments?
> 
> 
> Regards,
> Ciro
> 
> -- 
> Ciro Iriarte
> http://iriarte.it
> --

In a way I'd chosen sqlite3 instead as it is pretty much on par with cdb.
But, to make it work properly, I'd just add "*.domain.com", and when you look up,
you could reduce it like this with get()

www.my.long.name.com => NOT FOUND
*.my.long.name.com => NOT FOUND
*.long.name.com => NOT FOUND
*.name.com => FOUND

(
of course you could continue with
*.com
*
)

Aki
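The label-stripping reduction above, written out as a runnable example. This is added here and is not code from the thread or from PowerDNS; it is Python rather than the recursor's Lua so the logic can be checked stand-alone, the sqlite3 table `blocklist(pattern, target)` and the sample entries are constructed for illustration, and the recursor-side wiring (returning a CNAME from preresolve) is left out. It also covers the point raised earlier in the thread: because the recursor does not re-run the script on the CNAME it is handed back, the script itself checks that the landing name is not on the list.

```python
import sqlite3

# Constructed sample blocklist: (pattern, redirect target). Stands in for the
# CDB / sqlite3 store the thread discusses; names are made up for illustration.
# An entry "*.x.y" matches any name below x.y but not x.y itself; list the apex
# separately if it should be blocked too.
BLOCKLIST = [
    ("bad.example", "landing.court-order.example"),
    ("*.offender.example", "landing.iwf.example"),
    ("*.example.net", "landing.generic.example"),
]


def build_db():
    """In-memory sqlite3 store with the constructed entries (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE blocklist (pattern TEXT PRIMARY KEY, target TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO blocklist VALUES (?, ?)", BLOCKLIST)
    return db


def normalize(qname):
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return qname.lower().rstrip(".")


def candidates(qname):
    """Lookup keys from most to least specific, exactly as in the message:
    the exact name, then '*.' + each proper suffix, then the catch-all '*'."""
    labels = normalize(qname).split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])
    yield "*"


def lookup(db, qname):
    """Return (pattern, target) for the first key that is FOUND, else None."""
    for key in candidates(qname):
        row = db.execute(
            "SELECT pattern, target FROM blocklist WHERE pattern = ?", (key,)
        ).fetchone()
        if row:
            return row
    return None


def decide(db, qname):
    """Return None (let the recursor resolve normally) or the redirect target.
    The recursor will follow the returned CNAME without calling the script
    again, so refuse a landing name that is itself listed (it would otherwise
    be served unfiltered, or loop)."""
    hit = lookup(db, qname)
    if hit is None:
        return None
    pattern, target = hit
    if lookup(db, target) is not None:
        raise ValueError(f"redirect target {target} for {pattern} is itself blocked")
    return target


if __name__ == "__main__":
    db = build_db()
    for name in ["www.my.long.name.com", "www.offender.example", "offender.example",
                 "Bad.Example.", "deep.sub.example.net"]:
        print(name, "->", list(candidates(name)), "=>", decide(db, name))
```

The reduction costs one key lookup per label plus one for "*", so a five-label name is at most six exact-match probes against the store; no pattern scanning is needed, which is why a plain key/value store (CDB or a sqlite3 primary key) is enough.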



