[Pdns-users] Sinkhole with whitelisting by using RPZ

Jeff Bread jbread68 at gmail.com
Sat Apr 9 07:24:40 UTC 2022


Am Sa., 9. Apr. 2022 um 09:05 Uhr schrieb Otto Moerbeek <otto at drijf.net>:

> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
>
> > Hi,
> >
> > I am new to powerdns and wanted to implement a kind of extended sinkhole
> > by whitelisting some domains by using an RPZ file.
> >
> > The aim is
> >
> > - to allow only certain domain(s) for a certain IP but drop all other
> > domains
> > - and allow all domains for all other clients
> >
> > The rpz is quite simple
> >
> > example.net.                         CNAME rpz-passthru. ; allow for all including 192.168.16.100
> > *.example.net                        CNAME rpz-passthru. ; allow for all including 192.168.16.100
> >
> > 32.100.16.168.192.rpz-client-ip      CNAME rpz-drop.     ; drop every other request for 192.168.16.100
> >
> > 0.0.0.0.0.rpz-client-ip              CNAME rpz-passthru. ; allow all domains for all other clients
> >
> > This works perfectly unless an allowed client resolves a record forbidden
> > for 192.168.16.100, as afterwards this record is answered from the cache
> > for 192.168.16.100.
> >
> > I already saw discussions on the precedence of cached records like
> >
> > https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
> >
> > However the solution to disable caching via
> >
> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > for certain records is workable in a blacklisting scenario but not in a
> > whitelisting-like scenario as above. It would mean that I would need to
> > disable caching for all records but the whitelisted ones.
> >
> > Is there a solution for my scenario that lets me still utilize caching?
> >
> > Thanks
>
> The Lua gettag() and gettag_ffi() [1] functions can be used to set a
> packet cache tag which effectively partitions the PC into separate
> instances based on the tag. If you set a tag based on the client's IP
> address--dividing them up in groups that share a policy--you should be
> able to achieve the desired effect: different PC instances per client
> group.
>
>         -Otto
>
> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag


Many thanks. Indeed this seems to be the solution I was looking for. Will
try it out and report back.

 Jeff
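A gettag() hook along the lines Otto describes, written here as an added illustration rather than code from the thread: it keys the packet cache tag on the client address so that answers cached for unrestricted clients are never handed to the client the RPZ restricts. It assumes the recursor loads the file via lua-dns-script, that the restricted client is the 192.168.16.100 from the RPZ above, and the tag numbers themselves are arbitrary choices.

```lua
-- Added example, not part of the thread. gettag() runs before the packet
-- cache lookup, so the tag it returns selects which cache partition the
-- query is answered from and stored into. Clients that share an RPZ policy
-- share a tag; clients with a different policy get a different partition.

-- One entry per client group. Tag 0 is the untagged default, so start at 1.
-- The masks below are the constructed sample matching the RPZ in the thread.
local groups = {
  { tag = 1, masks = { "192.168.16.100/32" } },  -- whitelisted-only client
}

-- Build a NetMaskGroup for each group once at load time (newNMG/addMasks
-- are the recursor's Lua netmask helpers).
for _, g in ipairs(groups) do
  g.nmg = newNMG()
  g.nmg:addMasks(g.masks)
end

-- Everyone not listed above shares one unrestricted partition.
local TAG_DEFAULT = 100

function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp)
  for _, g in ipairs(groups) do
    if g.nmg:match(remote) then
      return g.tag
    end
  end
  return TAG_DEFAULT
end
```

The RPZ rules stay unchanged; the tag only stops a cached answer produced for one client group from being reused for another.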