[Pdns-users] Sinkhole with whitelisting by using RPZ

Jeff Bread jbread68 at gmail.com
Sat Apr 9 08:37:19 UTC 2022


On Sat, 9 Apr 2022 at 09:52, Jeff Bread <jbread68 at gmail.com> wrote:

>
>
>
> On Sat, 9 Apr 2022 at 09:24, Jeff Bread <jbread68 at gmail.com> wrote:
>
>>
>>
>> On Sat, 9 Apr 2022 at 09:05, Otto Moerbeek <otto at drijf.net> wrote:
>>
>>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users
>>> wrote:
>>>
>>> > Hi,
>>> >
>>> > I am new to powerdns and wanted to implement a kind of extended
>>> sinkhole by
>>> > whitelisting some domains by using a RPZ file.
>>> >
>>> > The aim is
>>> >
>>> > - to allow only certain domain(s) for a certain IP but drop all other
>>> > domains
>>> > - and allow all domains for all other clients
>>> >
>>> > The rpz is quite simple
>>> >
>>> > example.net.                         CNAME rpz-passthru. ; allow for all including 192.168.16.100
>>> > *.example.net                        CNAME rpz-passthru. ; allow for all including 192.168.16.100
>>> >
>>> > 32.100.16.168.192.rpz-client-ip      CNAME rpz-drop.     ; drop every other request for 192.168.16.100
>>> >
>>> > 0.0.0.0.0.rpz-client-ip              CNAME rpz-passthru. ; allow all domains for all other clients
>>> >
>>> > This works perfectly unless an allowed client resolves a record that is
>>> > forbidden for 192.168.16.100, as afterwards this record is answered from
>>> > the cache for 192.168.16.100.
>>> >
>>> > I already saw discussions on the precedence of cached records like
>>> >
>>> https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
>>> >
>>> > However, the solution of disabling caching via
>>> >
>>> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
>>> > for certain records is workable in a blacklisting scenario but not in a
>>> > whitelisting-like scenario as above. It would mean that I would need to
>>> > disable caching for all records but the whitelisted ones.
>>> >
>>> > Is there a solution for my scenario that still lets me utilize caching?
>>> >
>>> > Thanks
>>>
>>> The Lua gettag() and gettag_ffi() [1] functions can be used to set a
>>> packet cache tag which effectively partitions the PC into separate
>>> instances based on the tag. If you set a tag based on the client's IP
>>> address--dividing them up in groups that share a policy--you should be
>>> able to achieve the desired effect: different PC instances per client
>>> group.
>>>
>>>         -Otto
>>>
>>> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
>>
>>
>> Many thanks. Indeed this seems to be the solution I was looking for. Will
>> try it out and report back.
>>
>>  Jeff
>>
>>
>
> I started with a basic config to get a log entry; however, it seems as if
> the gettag hook is not triggered.
>
> -- this check is applied before the packet cache has been looked up
> -- remote, ednssubnet, vlocal and qname arrive as objects (ComboAddress,
> -- Netmask, ComboAddress, DNSName), so they need :toString() before they
> -- can be concatenated; policytags is a return value of gettag, not an
> -- argument, so the undefined reference to it has been removed
> function gettag (remote, ednssubnet, vlocal, qname, qtype)
>   pdnslog("gettag -- remote: "..remote:toString().." - ednssubnet: "..ednssubnet:toString()..
>     " - local: "..vlocal:toString().." - qname: "..qname:toString().." - qtype: "..qtype)
>   return 0
> end
>
> In my research I also did not find a working example script.
>

Switched to version 4.4 (I am testing on a raspi stretch) and played a bit
with the logging

function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions,
tcp, proxyprotocolvalues)
  pdnslog("Danger: gettag called")
  -- remote is a ComboAddress object, not a string: concatenating it directly
  -- raises a Lua error, so it is converted with :toString() first
  pdnslog("gettag -- remote: "..remote:toString())
  return 0
end

The first pdnslog creates a syslog entry, so the gettag function is triggered and
called; however, the 2nd pdnslog does not create an entry for whatever unknown
reason. Also tried with other parameters....
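A complete gettag() script that partitions the packet cache per client group, as Otto suggests, is given below as an added example; it is not code from the thread or from the PowerDNS project. The tag numbers, the NetmaskGroup built from the 192.168.16.100 address used in the RPZ above, and the debug log level are assumptions of this example.

```lua
-- Added example (not from the thread): give the restricted client its own
-- packet cache partition so that an answer cached for an unrestricted client
-- is never served to 192.168.16.100. The RPZ rules themselves stay unchanged;
-- this only stops cache sharing between the two policy groups.

-- Clients whose RPZ policy differs from everyone else's (assumed list).
-- Built once at script load time, not on every query.
local restricted = newNMG()
restricted:addMask("192.168.16.100/32")

-- Tag values are assumptions: any non-negative integers will do, as long as
-- clients that must not share cached answers get different tags.
local TAG_DEFAULT    = 0
local TAG_RESTRICTED = 1

-- gettag runs before the packet cache lookup (4.4 signature). remote and
-- localip are ComboAddress objects and qname is a DNSName; concatenating
-- them with ".." raises a Lua error and silently kills the log line, so
-- they are converted with :toString() first.
function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  local tag = TAG_DEFAULT
  if restricted:match(remote) then
    tag = TAG_RESTRICTED
  end
  pdnslog("gettag -- remote: " .. remote:toString() ..
          " qname: " .. qname:toString() ..
          " qtype: " .. qtype ..
          " tag: " .. tag, pdns.loglevels.Debug)
  -- Returning only the tag is enough to partition the packet cache.
  return tag
end
```

Load it with lua-dns-script=/path/to/this-file.lua in recursor.conf; a cache-hit check is to query a name forbidden for 192.168.16.100 from another client first, then from 192.168.16.100, and confirm the second query is still dropped.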