[Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
sthaug at nethelp.no
Fri Feb 14 14:06:10 UTC 2020
>> I have previously used PowerDNS recursor and RPZ while treating all
>> query sources equally. This works fine.
>>
>> I'm now trying to use RPZ to block copyright type domains selectively
>> based on source IP from the query, by using Lua discardPolicy. I'm
>> seeing an unexpected interaction with the packet cache.
...
>> My question is basically: Is this behavior expected? I find it highly
>> surprising, since it basically means that the RPZ functionality (and
>> whether it works or not) depends on packetcache contents.
>
> Yes, this is expected. Look at
>
> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
>
> for the solution.

Thank you, that got me a bit further. But I'm not where I want to be
yet. DNSQuestion.variable will let me decide whether an answer should
be inserted into the packet cache or not. But using this in the prerpz
hook I have (so far) not found a way to make insertion in the packet
cache dependent on the *policy name* - which is what I'm trying to
achieve here.

If I have

  rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
  rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
  rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})

is there a way to exempt *only* policy "c" from the packet cache?

Steinar Haug, AS2116