[Pdns-users] Pdns RPZ logging

Francis Turner francis at threatstop.com
Thu Mar 19 09:18:18 UTC 2020 

All,


As you may know ThreatSTOP provides an RPZ service and it works on power DNS. What doesn't quite work is logging and I'm trying to fix that.


My problem is that the documentation for what is output in the protobuf logging is unclear - https://github.com/PowerDNS/pdns/blob/master/pdns/dnsmessage.proto  is the only thing I can find - but it doesn't look like power dns provides the record that caused the RPZ rewrite that is made available in bind. The PolicyType enum tells me that the hit was RESPONSEIP etc. but I don't see anything in the rest of the protobug that gives me the actual rule that was hit.


In bind you have a "via blahblah.." stanza in the log line that does this e.g.

17-Mar-2020 09:34:49.887 rpz: info: client 192.168.123.10#53112 (casasur.cl): rpz QNAME NODATA rewrite casasur.cl via casasur.cl.phishy.di000001.rpz.threatstop.local

For RPZ hits that work on dnames the qname is (plus or minus a *.) such as in the example above then that's fine but if the rule his i somethign else e.g. responseip or nsip then this isn't helpful
e.g. bind tells me this
19-Mar-2020 09:00:45.878 rpz: info: client 192.168.123.12#55929 (peccsr.com): rpz NSIP CNAME rewrite peccsr.com via 29.120.82.251.162.rpz-nsip.phishy.di000001.rpz.threatstop.local

so far as I can tell what I get from power dns is the rewritten return e.g. NXDOMAIN or CNAME something but not the record that caused the rewrite. This makes it hard for us to provide details on why the record was rewritten. E.g. that it was a botnet or phishing or porn or whatever

So my questions are
is there more documentation on what is in the protobuf output?
is there a way to configure it so that it can contain what I need? (ideally without recompiling powerDNS)

Regards

Francis

Francis Turner
Threat STOP Global SE
JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
Office: +1-760-542-1550 | Skype: francis.turner.threatstop
francis at threatstop.com<https://west.exch030.serverdata.net/owa/redir.aspx?C=_XQ5Vz8Mcce6FBPWG3SRNURxxWucllPOVpIrIsW2dHMdMWpxOJbWCA..&URL=mailto%3afrancis%40threatstop.com> | www.threatstop.com<https://west.exch030.serverdata.net/owa/redir.aspx?C=tQTMDuD3pdxKjYNQkf_pe3ePQk-0j-owQDEt5bnZf0YdMWpxOJbWCA..&URL=http%3a%2f%2fwww.threatstop.com%2f>
Weaponize Your Threat Intelligence
“If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200319/faf45222/attachment.htm>

More information about the Pdns-users mailing list