[Pdns-users] Sinkhole with whitelisting by using RPZ

Jeff Bread jbread68 at gmail.com
Sat Apr 9 06:42:24 UTC 2022


Hi,

I am new to powerdns and wanted to implement a kind of extended sinkhole by
whitelisting some domains by using an RPZ file.

The aim is

- to allow only certain domain(s) for a certain IP but drop all other
domains
- and allow all domains for all other clients

The RPZ is quite simple:

    $TTL 300
    ; SOA and NS added so the zone loads; owner names below are relative to the zone origin
    @                                 IN SOA  localhost. root.localhost. ( 1 3600 600 86400 300 )
    @                                 IN NS   localhost.

    example.net                       CNAME   rpz-passthru. ; allow for all, including 192.168.16.100
    *.example.net                     CNAME   rpz-passthru. ; allow for all, including 192.168.16.100

    32.100.16.168.192.rpz-client-ip   CNAME   rpz-drop.     ; drop every other request from 192.168.16.100

    0.0.0.0.0.rpz-client-ip           CNAME   rpz-passthru. ; allow all domains for all other clients

This works perfectly unless an allowed client resolves a record forbidden
for 192.168.16.100, as afterwards this record is answered from the cache for
192.168.16.100.

I already saw discussions on the precedence of cached records like
https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html

However, the solution of disabling caching via
https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
for certain records is workable in a blacklisting scenario but not in a
whitelisting-like scenario as above. It would mean that I would need to
disable caching for all records but the whitelisted ones.

Is there a solution for my scenario that lets me still utilize caching?

Thanks
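The cache problem described above comes from the answer cache being shared across clients while the policy is meant to be per client. One way to keep the cache and still decide per client is to take the decision in the Recursor's Lua preresolve hook, which runs before the record cache is consulted. The following script is an added example written for this thread; it is not from the original post nor from the PowerDNS project. It assumes the client address and domain from the post, that it is loaded through lua-dns-script in recursor.conf, and that the running Recursor honours a policy decision set from preresolve (available in 4.1 and later; an alternative for older versions is noted in the code).

```lua
-- Added example (not from the original post or the PowerDNS project):
-- per-client domain allowlist as a PowerDNS Recursor Lua script.
-- preresolve() is called before the record cache is consulted, so the
-- decision is taken per query and per client; the shared cache can stay
-- enabled and no record needs dq.variable.

-- Clients that may only resolve the allowlisted domains (constructed
-- values matching the post; add further /32s or larger prefixes as needed).
local restrictedClients = newNMG()
restrictedClients:addMask("192.168.16.100/32")

-- Domains these clients may resolve. A suffix match group covers the
-- apex and every name below it, i.e. both example.net and *.example.net.
local allowedForRestricted = newDS()
allowedForRestricted:add({"example.net"})

function preresolve(dq)
  -- Unrestricted clients: leave the query alone, so RPZ, cache and
  -- resolution proceed as usual.
  if not restrictedClients:match(dq.remoteaddr) then
    return false
  end

  -- Restricted client asking for an allowlisted name: let it through.
  -- A cached answer is fine here, since the same answer is valid for
  -- every client.
  if allowedForRestricted:check(dq.qname) then
    return false
  end

  -- Restricted client asking for anything else: drop the query, as
  -- rpz-drop would, before any cache lookup happens.
  -- Assumption: setting the policy decision from preresolve is honoured by
  -- the running Recursor (4.1+). On older versions replace the two lines
  -- after pdnslog() with:  dq.rcode = pdns.REFUSED  and  return true
  pdnslog("dropping " .. dq.qname:toString() .. " from " ..
          dq.remoteaddr:toString(), pdns.loglevels.Info)
  dq.appliedPolicy.policyKind = pdns.policykinds.Drop
  return false
end
```

Two practical checks before relying on this: dq.remoteaddr is the source address as the Recursor sees it, so if a forwarder or load balancer sits in front of it, all clients share that address and the netmask group will never match the real client; and because preresolve is evaluated on every query, keep the netmask and suffix groups small and built once at script load, as above, rather than inside the hook.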