[Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

Otto Moerbeek otto at drijf.net
Fri Feb 14 14:34:37 UTC 2020


On Fri, Feb 14, 2020 at 03:06:10PM +0100, Steinar Haug via Pdns-users wrote:

> >> I have previously used PowerDNS recursor and RPZ while treating all
> >> query sources equally. This works fine.
> >> 
> >> I'm now trying to use RPZ to block copyright type domains selectively
> >> based on source IP from the query, by using Lua discardPolicy. I'm
> >> seeing an unexpected interaction with the packet cache.
> 
> ...
> 
> >> My question is basically: Is this behavior expected? I find it highly
> >> surprising, since it basically means that the RPZ functionality (and
> >> whether it works or not) depends on packetcache contents.
> > 
> > Yes, this is expected. Look at
> > 
> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > 
> > for the solution.
> 
> Thank you, that got me a bit further. But I'm not where I want to be
> yet. DNSQuestion.variable will let me decide whether an answer should
> be inserted into the packet cache or not. But using this in the prerpz
> hook I have (so far) not found a way to make insertion in the packet
> cache dependent on the *policy name* - which is what I'm trying to
> achieve here.

In preresolve(dq), dq.appliedPolicy.policyName should be available.
prerpz(dq) is too early in the process.

	-Otto
> 
> If I have
> 
> rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
> rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
> rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})
> 
> is there a way to exempt *only* policy "c" from the packet cache?
> 
> Steinar Haug, AS2116
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
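
One way to combine the preresolve suggestion above with the per-source discardPolicy setup from the start of the thread, as an added example that is not code from either poster or from the PowerDNS project. The netmask group `filtered` and its 192.0.2.0/24 range are hypothetical, and the sketch assumes packet cache hits are answered without running these hooks, which is the interaction the thread describes.

```lua
-- Added example for the recursor's Lua script; not code from the thread.
-- Policy name "c" matches the rpzFile() lines quoted above.
local SELECTIVE_POLICY = "c"

-- Hypothetical: clients that should be subject to policy "c".
local filtered = newNMG()
filtered:addMask("192.0.2.0/24")  -- constructed sample range (RFC 5737)

-- Runs before RPZ matching: clients outside the group skip policy "c".
function prerpz(dq)
  if not filtered:match(dq.remoteaddr) then
    dq:discardPolicy(SELECTIVE_POLICY)
    -- The unfiltered answer must not be inserted into the packet cache,
    -- or a filtered client asking the same question later would get it.
    dq.variable = true
  end
  return false
end

-- Runs after the policy lookup, so appliedPolicy is filled in here.
function preresolve(dq)
  if dq.appliedPolicy.policyName == SELECTIVE_POLICY then
    -- Keep answers produced by policy "c" out of the packet cache;
    -- answers from policies "a" and "b" remain cacheable.
    dq.variable = true
  end
  return false  -- not handled here; normal policy handling and resolution continue
end
```

The cost of this layout is that no answer for a client outside `filtered` is inserted into the packet cache, because after the discard there is no way in the hook to tell whether the name would have matched policy "c".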

