[Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

Otto Moerbeek otto at drijf.net
Fri Feb 14 15:06:21 UTC 2020


On Fri, Feb 14, 2020 at 03:34:37PM +0100, Otto Moerbeek via Pdns-users wrote:

> On Fri, Feb 14, 2020 at 03:06:10PM +0100, Steinar Haug via Pdns-users wrote:
> 
> > >> I have previously used PowerDNS recursor and RPZ while treating all
> > >> query sources equally. This works fine.
> > >> 
> > >> I'm now trying to use RPZ to block copyright type domains selectively
> > >> based on source IP from the query, by using Lua discardPolicy. I'm
> > >> seeing an unexpected interaction with the packet cache.
> > 
> > ...
> > 
> > >> My question is basically: Is this behavior expected? I find it highly
> > >> surprising, since it basically means that the RPZ functionality (and
> > >> whether it works or not) depends on packetcache contents.
> > > 
> > > Yes, this is expected. Look at
> > > 
> > > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > > 
> > > for the solution.
> > 
> > Thank you, that got me a bit further. But I'm not where I want to be
> > yet. DNSQuestion.variable will let me decide whether an answer should
> > be inserted into the packet cache or not. But using this in the prerpz
> > hook I have (so far) not found a way to make insertion in the packet
> > cache dependent on the *policy name* - which is what I'm trying to
> > achieve here.
> 
> In preresolve(dq), dq.appliedPolicy.policyName should be available.
> prerpz(dq) is too early in the process.

To elaborate: name or client IP based policies will be set in
preresolve(dq). For policies that are applied post resolve, you can
add code in postresolve(dq).

> 
> 	-Otto
> > 
> > If I have
> > 
> > rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
> > rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
> > rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})
> > 
> > is there a way to exempt *only* policy "c" from the packet cache?
> > 
> > Steinar Haug, AS2116
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
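Added example, not part of the original thread or the PowerDNS project's own code: a recursor Lua script that keeps only policy "c" answers out of the packet cache, using the preresolve/postresolve hooks and DNSQuestion.variable as described above. Assumptions: policy "c" is the one discarded per client in prerpz, and 192.0.2.0/24 is a constructed documentation range standing in for those clients.

```lua
-- Added example (not from the thread). Loaded by the recursor as its Lua DNS script.
-- Assumed: policy "c" is discarded for clients in `exempt`;
-- 192.0.2.0/24 is a constructed sample range.
local UNCACHED_POLICY = "c"

local exempt = newNMG()
exempt:addMask("192.0.2.0/24")

function prerpz(dq)
  if exempt:match(dq.remoteaddr) then
    dq:discardPolicy(UNCACHED_POLICY)
    -- These answers are produced without policy "c". Keep them out of the
    -- packet cache so they are not replayed to clients that must be filtered.
    -- Cost: every query from an exempt client bypasses packet cache insertion.
    dq.variable = true
  end
  return false
end

-- Mark the answer as variable only when the applied policy is "c",
-- so answers shaped by policies "a" and "b" are still packet-cached.
local function markIfPolicyHit(dq)
  if dq.appliedPolicy.policyName == UNCACHED_POLICY then
    dq.variable = true
  end
end

-- Name and client IP based policies are visible here.
function preresolve(dq)
  markIfPolicyHit(dq)
  return false
end

-- Policies applied after resolution are visible here.
function postresolve(dq)
  markIfPolicyHit(dq)
  return false
end
```

dq.variable only prevents new insertions; answers already in the packet cache stay there until they expire or the cache is wiped.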
