[Pdns-users] Sinkhole with whitelisting by using RPZ

Otto Moerbeek otto at drijf.net
Sat Apr 9 07:05:27 UTC 2022 

On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:

> Hi,
> 
> I am new to powerdns and wanted to implement a kind of extended sinkhole by
> whitelisting some domains by using a RPZ file.
> 
> The aim is
> 
> - to allow only certain domain(s) for a certain IP but drop all other
> domains
> - and allow all domains for all other clients
> 
> The rpz is quite simple
> 
> example.net <http://microsoft.com>.                 CNAME   rpz-passthru. ;
> allow for all including 192.168.16.100
> *.example.net <http://microsoft.com>               CNAME   rpz-passthru.  ;
> allow for all including 192.168.16.100
> 
> 32.100.16.168.192.rpz-client-ip      CNAME rpz-drop. ; drop every other
> request for 192.168.16.100
> 
> 0.0.0.0.0.rpz-client-ip      CNAME rpz-passthru. ; allow all domains for
> all other clients
> 
> This works perfect unless an allowed client resolves a records forbidden
> for 192.168.16.100 as afterwards this record is answered from the cache for
> 192.168.16.100.
> 
> I already saw discussions on the precendes of cached records like
> https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
> 
> However the solution to disable caching via
> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> for certain records is in a blacklisting scenario workable but not in a
> whitelisting like scenario as above. It would mean that I would need to
> disable caching for all records but the the whitelisted ones.
> 
> Is there a solution for my scenario let me still utilize caching?
> 
> Thanks

The Lua gettag() and gettag_ffi() [1] functions can be used to set a
packet cache tag which effectively partitions the PC into separate
instances based on the tag. If you set a tag based on the client's IP
address--dividing them up in groups that share a policy--you should be
able achieve the desired effect: different PC instances per client
group.

	-Otto

[1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag

More information about the Pdns-users mailing list