[Pdns-users] Sinkhole with whitelisting by using RPZ
Jeff Bread
jbread68 at gmail.com
Sat Apr 9 06:42:24 UTC 2022
Hi,
I am new to PowerDNS and wanted to implement a kind of extended sinkhole by
whitelisting some domains using an RPZ file.
The aim is
- to allow only certain domain(s) for a certain IP but drop all other domains
- and allow all domains for all other clients
The RPZ is quite simple:

example.net.                    CNAME rpz-passthru. ; allow for all including 192.168.16.100
*.example.net.                  CNAME rpz-passthru. ; allow for all including 192.168.16.100
32.100.16.168.192.rpz-client-ip CNAME rpz-drop.     ; drop every other request for 192.168.16.100
0.0.0.0.0.rpz-client-ip         CNAME rpz-passthru. ; allow all domains for all other clients
This works perfectly unless an allowed client resolves a record forbidden
for 192.168.16.100, as afterwards this record is answered from the cache for
192.168.16.100.
I already saw discussions on the precedence of cached records like
https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
However, the solution of disabling caching via
https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
for certain records is workable in a blacklisting scenario but not in a
whitelisting-like scenario as above. It would mean that I would need to
disable caching for all records but the whitelisted ones.
Is there a solution for my scenario that lets me still utilize caching?
Thanks
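The following is an added, constructed model of the situation described in the post; it is not PowerDNS code and does not reproduce how the Recursor actually orders its cache and policy lookups. It parses the four RPZ rules above (decoding the reversed-octet `rpz-client-ip` triggers back into networks), applies the evaluation order the post reports as working (a QNAME passthru wins for every client, otherwise the longest-prefix client-ip trigger decides; this order is an assumption of the model), and then replays the sequence from the post against a toy resolver whose single answer cache is shared by all clients. The `ToyResolver`, `UPSTREAM` answers and the `policy_before_cache` switch are all constructed for the illustration: with the policy consulted after the cache, the restricted client receives the answer another client cached; with the policy consulted before the cache lookup, the drop holds while the cache stays in use.

```python
import ipaddress

# Constructed copy of the four RPZ rules from the post (trailing dots normalised).
RPZ_ZONE = """\
example.net.                    CNAME rpz-passthru. ; allow for everyone
*.example.net.                  CNAME rpz-passthru. ; allow for everyone
32.100.16.168.192.rpz-client-ip CNAME rpz-drop.     ; drop the rest for 192.168.16.100
0.0.0.0.0.rpz-client-ip         CNAME rpz-passthru. ; allow everything for other clients
"""

# Constructed upstream answers standing in for the real Internet.
UPSTREAM = {
    "www.example.net": "192.0.2.10",
    "forbidden.example": "203.0.113.5",
}


def decode_client_ip_trigger(owner):
    """'prefix.b4.b3.b2.b1.rpz-client-ip' -> IPv4 network. The RPZ encoding
    stores the prefix length first and the octets in reverse order."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-1] != "rpz-client-ip":
        raise ValueError("unsupported client-ip trigger: %s" % owner)
    prefix = int(labels[0])
    addr = ".".join(reversed(labels[1:5]))
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)


def parse_rpz(text):
    """Split the zone into QNAME rules and client-ip rules (CNAME policies only)."""
    qname_rules, client_rules = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop zone-file comments
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype != "CNAME":
            raise ValueError("only CNAME policy records are modelled")
        action = target.rstrip(".").lower()          # rpz-passthru / rpz-drop
        if owner.rstrip(".").endswith(".rpz-client-ip"):
            client_rules.append((decode_client_ip_trigger(owner), action))
        else:
            qname_rules.append((owner.rstrip(".").lower(), action))
    return qname_rules, client_rules


def qname_matches(owner, qname):
    if owner.startswith("*."):
        return qname.endswith(owner[1:])             # "*.example.net" -> ".example.net"
    return qname == owner


def policy_for(rules, client_ip, qname):
    """Assumed order (modelled on what the post reports working): a QNAME rule
    applies to every client; otherwise the longest-prefix client-ip rule wins."""
    qname_rules, client_rules = rules
    qname = qname.rstrip(".").lower()
    for owner, action in qname_rules:
        if qname_matches(owner, qname):
            return action
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in client_rules:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "rpz-passthru"


class ToyResolver:
    """Constructed resolver with one answer cache shared by all clients."""

    def __init__(self, rules, policy_before_cache):
        self.rules = rules
        self.policy_before_cache = policy_before_cache
        self.cache = {}

    def query(self, client_ip, qname):
        """Return the answer, or None when the query is dropped."""
        dropped = policy_for(self.rules, client_ip, qname) == "rpz-drop"
        if self.policy_before_cache and dropped:
            return None
        if qname in self.cache:                      # cache hit: no further checks
            return self.cache[qname]
        if dropped:                                  # policy only reached on a miss
            return None
        answer = UPSTREAM.get(qname)
        if answer is not None:
            self.cache[qname] = answer
        return answer


def replay(policy_before_cache):
    """Replay the post's sequence: the restricted client resolves a whitelisted
    name, an allowed client warms the cache, then the restricted client asks."""
    r = ToyResolver(parse_rpz(RPZ_ZONE), policy_before_cache)
    return (
        r.query("192.168.16.100", "www.example.net"),    # whitelisted for everyone
        r.query("192.168.16.1", "forbidden.example"),    # allowed client caches it
        r.query("192.168.16.100", "forbidden.example"),  # must be dropped
    )


if __name__ == "__main__":
    print("policy after cache :", replay(False))   # third answer leaks from cache
    print("policy before cache:", replay(True))    # third query dropped
```

The model makes the design point behind the post explicit: a per-client policy is only safe if it is evaluated before any client-independent cache is consulted, or if the cache key includes the client's policy outcome; disabling the cache per record, as the linked `dq.variable` approach does, is the blunt alternative.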