[Pdns-users] Sinkhole with whitelisting by using RPZ

Jeff Bread jbread68 at gmail.com
Sat Apr 9 07:52:29 UTC 2022 

Am Sa., 9. Apr. 2022 um 09:24 Uhr schrieb Jeff Bread <jbread68 at gmail.com>:

>
>
> Am Sa., 9. Apr. 2022 um 09:05 Uhr schrieb Otto Moerbeek <otto at drijf.net>:
>
>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
>>
>> > Hi,
>> >
>> > I am new to powerdns and wanted to implement a kind of extended
>> sinkhole by
>> > whitelisting some domains by using a RPZ file.
>> >
>> > The aim is
>> >
>> > - to allow only certain domain(s) for a certain IP but drop all other
>> > domains
>> > - and allow all domains for all other clients
>> >
>> > The rpz is quite simple
>> >
>> > example.net <http://microsoft.com>.                 CNAME
>>  rpz-passthru. ;
>> > allow for all including 192.168.16.100
>> > *.example.net <http://microsoft.com>               CNAME
>>  rpz-passthru.  ;
>> > allow for all including 192.168.16.100
>> >
>> > 32.100.16.168.192.rpz-client-ip      CNAME rpz-drop. ; drop every other
>> > request for 192.168.16.100
>> >
>> > 0.0.0.0.0.rpz-client-ip      CNAME rpz-passthru. ; allow all domains for
>> > all other clients
>> >
>> > This works perfect unless an allowed client resolves a records forbidden
>> > for 192.168.16.100 as afterwards this record is answered from the cache
>> for
>> > 192.168.16.100.
>> >
>> > I already saw discussions on the precendes of cached records like
>> >
>> https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
>> >
>> > However the solution to disable caching via
>> >
>> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
>> > for certain records is in a blacklisting scenario workable but not in a
>> > whitelisting like scenario as above. It would mean that I would need to
>> > disable caching for all records but the the whitelisted ones.
>> >
>> > Is there a solution for my scenario let me still utilize caching?
>> >
>> > Thanks
>>
>> The Lua gettag() and gettag_ffi() [1] functions can be used to set a
>> packet cache tag which effectively partitions the PC into separate
>> instances based on the tag. If you set a tag based on the client's IP
>> address--dividing them up in groups that share a policy--you should be
>> able achieve the desired effect: different PC instances per client
>> group.
>>
>>         -Otto
>>
>> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
>
>
> Many thanks. Indeed this seems to be the solution I was looking for. Will
> try it our and report back.
>
>  Jeff
>
>

I started with a basic config to get a log entry however it seems as if the
gettag hook is not triggered.

-- this check is applied before the packet cache has been looked up
function gettag (remote, ednssubnet, vlocal, qname, qtype)
  pdnslog("gettag -- remote: "..remote.." - ednssubnet: "..ednssubnet.." -
local: "..vlocal.." - qname: "..qname.." - qtype: "..qtype.." - policytags:
"..policytags)
  return 0
end

In my research I did also not found a working example script.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20220409/393c26f2/attachment-0001.htm>

More information about the Pdns-users mailing list