[Pdns-users] IXFR/RPZ support first version Re: RBL response and dead-end
bert.hubert at powerdns.com
Sun Oct 25 20:08:05 UTC 2015
So we worked really hard on it last week and a half, and now we have the
very first version of the PowerDNS Recursor that understands RPZ and can
do incremental slaving of large RPZ zones over IXFR.
Thanks go out to MX Tools and Spamhaus who, after John contacted them, gave
us a real life moving RPZ zone to test against.
We should have packages tomorrow, but if you can build from Git (not that
hard), the code is on https://github.com/ahupowerdns/pdns.git
or https://github.com/ahupowerdns/pdns/tree/rpz - this link also explains
how to build.
The configuration is slightly too simple still and still lacks 'override'
policies, but internally the support is there to do that.
The configuration can currently be set like this:
When you fire it up, it looks like this:
Oct 25 21:03:58 Listening for TCP queries on 127.0.0.1:5300
Oct 25 21:03:58 Loading RPZ zone 'dbl.rpz.spamhaus.org.' from 220.127.116.11:53
Oct 25 21:03:58 Loaded & indexed 1311 policy records so far
Oct 25 21:03:59 Loaded & indexed 8159 policy records so far
Oct 25 21:04:00 Loaded & indexed 349303 policy records so far
Oct 25 21:04:01 Loaded & indexed 732118 policy records so far
Oct 25 21:04:02 Loaded & indexed 1226113 policy records so far
Oct 25 21:04:02 Done: 1318691 policy records active, SOA: need.to.know.only. hostmaster.spamhaus.org. 1445803348 60 60 432000 60
Oct 25 21:05:02 Getting IXFR deltas for dbl.rpz.spamhaus.org. from 18.104.22.168:53, our serial: 1445803348
Oct 25 21:05:02 Processing 1 deltas for RPZ dbl.rpz.spamhaus.org.
Oct 25 21:05:02 Had removal of *.pem.webcam.
Oct 25 21:05:02 Had 9 RPZ removals, 1 additions for dbl.rpz.spamhaus.org. New serial: 1445803468
You can also load a straight up file with 'rpz-file=zone-file'. Just make
sure it has an $ORIGIN right now, or is FQDN.
It is all very rough right now, and not ready for production yet, but we got
a LOT of feedback about our upcoming RPZ stuff. Your feedback is very
Next up is making sure you can override policy per zone so you can redirect
to your warning server etc.
On Fri, Oct 16, 2015 at 12:27:45PM -0400, John Miller wrote:
> Hi Phil,
> I found out about the feature from Bert's slides at:
> https://www.powerdns.com/oxsummit/, specifically
> There seems to be a feature request at
> https://github.com/PowerDNS/pdns/issues/2789, but I'm not sure if
> there are any others. I'm sure someone from the pdns team will chime
> in shortly on the official state of RPZ. I'll be glad to see it get
> included; we switched over to BIND for RPZ support; would be nice to
> use pdns-recursor again.
> On Fri, Oct 16, 2015 at 12:19 PM, Phil Daws <phil.daws at innovot.com> wrote:
> > Hello John,
> > Thank you for the help and RPZ sounds very interesting indeed. Is there an RFE one can track to see where it is in the pipeline ?
> > Thanks, Phil
> > ----- On 16 Oct, 2015, at 17:10, John Miller johnmill at brandeis.edu wrote:
> >> Hi Phil,
> >> Presumably you're talking about recursive queries, right? You can
> >> currently script pdns-recursor to do this; check out
> >> https://doc.powerdns.com/md/recursor/scripting/ to get started. From
> >> what I understand, it's in the works to build this into the code
> >> itself - this is a feature called "Response Policy Zones."
> >> John
> >> On Fri, Oct 16, 2015 at 11:52 AM, Phil Daws <uxbod at splatnix.net> wrote:
> >>> Hello:
> >>> Is it possible with PDNS to receive a DNS query, look up the name against an
> >>> RBL, and if it fails return an IP which is either a dead-end or directs to a
> >>> "Bad URL" splash page ?
> >>> All help appreciated, Thanks. Phil
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
More information about the Pdns-users