[Pdns-users] Sinkhole with whitelisting by using RPZ

Otto Moerbeek otto at drijf.net
Sat Apr 9 08:57:45 UTC 2022


On Sat, Apr 09, 2022 at 10:37:19AM +0200, Jeff Bread wrote:

> Am Sa., 9. Apr. 2022 um 09:52 Uhr schrieb Jeff Bread <jbread68 at gmail.com>:
> 
> >
> >
> >
> > Am Sa., 9. Apr. 2022 um 09:24 Uhr schrieb Jeff Bread <jbread68 at gmail.com>:
> >
> >>
> >>
> >> Am Sa., 9. Apr. 2022 um 09:05 Uhr schrieb Otto Moerbeek <otto at drijf.net>:
> >>
> >>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users
> >>> wrote:
> >>>
> >>> > Hi,
> >>> >
> >>> > I am new to powerdns and wanted to implement a kind of extended
> >>> sinkhole by
> >>> > whitelisting some domains by using a RPZ file.
> >>> >
> >>> > The aim is
> >>> >
> >>> > - to allow only certain domain(s) for a certain IP but drop all other
> >>> > domains
> >>> > - and allow all domains for all other clients
> >>> >
> >>> > The rpz is quite simple
> >>> >
> >>> > example.net.                       CNAME rpz-passthru. ; allow for all including 192.168.16.100
> >>> > *.example.net                      CNAME rpz-passthru. ; allow for all including 192.168.16.100
> >>> >
> >>> > 32.100.16.168.192.rpz-client-ip    CNAME rpz-drop.     ; drop every other request for 192.168.16.100
> >>> >
> >>> > 0.0.0.0.0.rpz-client-ip            CNAME rpz-passthru. ; allow all domains for all other clients
> >>> >
> >>> > This works perfectly unless an allowed client resolves a record
> >>> forbidden
> >>> > for 192.168.16.100, as afterwards this record is answered from the
> >>> cache for
> >>> > 192.168.16.100.
> >>> >
> >>> > I already saw discussions on the precedence of cached records like
> >>> >
> >>> https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
> >>> >
> >>> > However the solution to disable caching via
> >>> >
> >>> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> >>> > for certain records is workable in a blacklisting scenario but not in a
> >>> > whitelisting-like scenario as above. It would mean that I would need to
> >>> > disable caching for all records but the whitelisted ones.
> >>> >
> >>> > Is there a solution for my scenario that lets me still utilize caching?
> >>> >
> >>> > Thanks
> >>>
> >>> The Lua gettag() and gettag_ffi() [1] functions can be used to set a
> >>> packet cache tag which effectively partitions the PC into separate
> >>> instances based on the tag. If you set a tag based on the client's IP
> >>> address--dividing them up in groups that share a policy--you should be
> >>> able to achieve the desired effect: different PC instances per client
> >>> group.
> >>>
> >>>         -Otto
> >>>
> >>> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
> >>
> >>
> >> Many thanks. Indeed this seems to be the solution I was looking for. Will
> >> try it out and report back.
> >>
> >>  Jeff
> >>
> >>
> >
> > I started with a basic config to get a log entry however it seems as if
> > the gettag hook is not triggered.
> >
> > -- this check is applied before the packet cache has been looked up
> > function gettag (remote, ednssubnet, vlocal, qname, qtype)
> >   pdnslog("gettag -- remote: "..remote.." - ednssubnet: "..ednssubnet.." - local: "..vlocal.." - qname: "..qname.." - qtype: "..qtype.." - policytags: "..policytags)
> >   return 0
> > end
> >
> > In my research I also did not find a working example script.
> >
> 
> Switched to version 4.4 (I am testing on a raspi stretch) and played a bit
> with the logging
> 
> function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
>   pdnslog("Danger: gettag called")
>   pdnslog("gettag -- remote: "..remote)
> 
> The first pdnslog creates a syslog entry, so the gettag function is triggered and
> called; however, the 2nd pdnslog does not create an entry, for whatever unknown
> reason. Tried also with other parameters....

remote is a ComboAddress. To print it you'll need remote:toString().
This is documented in the links I posted earlier. Your logs should
contain an exception logged for this, unless suppressed. Check if
log-common-errors is set to "yes".

There is no complete example of gettag in the docs, see [1] . You can
get some inspiration from the regression test code found in [2].

	-Otto

[1] https://github.com/PowerDNS/pdns/issues/4697
[2] https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor-dnssec/t$
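
An added example, not from the original post or the PowerDNS project, of the approach Otto describes: a gettag() hook for Recursor 4.4 that returns a different packet cache tag for the restricted client from the thread, so that client never gets a packet-cache hit produced by an unrestricted client. It assumes the 4.4 gettag() signature, newNMG()/addMask()/match(), ComboAddress:toString(), DNSName:toString() and pdnslog() as documented for the Recursor's Lua scripting; the tag values and the script path are arbitrary choices.

```lua
-- Added example (not the original poster's or the PowerDNS project's code).
-- Partitions the Recursor packet cache by client group via gettag().
-- Assumes PowerDNS Recursor 4.4 Lua hooks: remote is a ComboAddress,
-- qname is a DNSName, qtype is an integer.

-- Tag values are arbitrary integers; 0 is the default (untagged) partition.
local TAG_DEFAULT    = 0
local TAG_RESTRICTED = 1

-- Clients that are only allowed the whitelisted domains in the RPZ.
-- Every address in this group shares one packet cache partition.
local restricted = newNMG()
restricted:addMask("192.168.16.100/32")

-- Called before the packet cache lookup, so the returned tag decides
-- which cache instance is consulted for this query.
function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  local tag = TAG_DEFAULT
  if restricted:match(remote) then
    tag = TAG_RESTRICTED
  end

  -- remote and qname are objects, not strings: concatenating them directly
  -- raises a Lua error (hidden unless log-common-errors=yes), so call
  -- toString() first.
  pdnslog("gettag -- remote: " .. remote:toString()
          .. " qname: " .. qname:toString()
          .. " qtype: " .. qtype
          .. " tag: " .. tag, pdns.loglevels.Info)

  return tag
end
```

Load it with lua-dns-script=/etc/powerdns/gettag.lua (path assumed) in recursor.conf, or rec_control reload-lua-script after editing, and keep log-common-errors=yes while testing so any error inside the hook shows up in the log instead of silently aborting the function. Because the tag only selects the packet cache partition, queries from 192.168.16.100 still go through the RPZ on every packet cache miss, which is what the rpz-client-ip drop rule in the thread needs.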
