[Pdns-users] Sinkhole with whitelisting by using RPZ

Jeff Bread jbread68 at gmail.com
Sat Apr 9 17:36:32 UTC 2022


Oh yes you are right, so easy, dunno what went wrong. Anyway thanks for
your support.

On Sat., 9 Apr. 2022 at 18:39, Otto Moerbeek <otto at drijf.net> wrote:

> On Sat, Apr 09, 2022 at 06:16:47PM +0200, Otto Moerbeek via Pdns-users wrote:
>
> > On Sat, Apr 09, 2022 at 05:11:46PM +0200, Jeff Bread wrote:
> >
> > > On Sat., 9 Apr. 2022 at 10:57, Otto Moerbeek <otto at drijf.net> wrote:
> > >
> > > > On Sat, Apr 09, 2022 at 10:37:19AM +0200, Jeff Bread wrote:
> > > >
> > > > > On Sat., 9 Apr. 2022 at 09:52, Jeff Bread <jbread68 at gmail.com> wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Sat., 9 Apr. 2022 at 09:24, Jeff Bread <jbread68 at gmail.com> wrote:
> > > > > >
> > > > > >>
> > > > > >>
> > > > > >> On Sat., 9 Apr. 2022 at 09:05, Otto Moerbeek <otto at drijf.net> wrote:
> > > > > >>
> > > > > >>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
> > > > > >>>
> > > > > >>> > Hi,
> > > > > >>> >
> > > > > >>> > I am new to powerdns and wanted to implement a kind of extended
> > > > > >>> > sinkhole by whitelisting some domains by using a RPZ file.
> > > > > >>> >
> > > > > >>> > The aim is
> > > > > >>> >
> > > > > >>> > - to allow only certain domain(s) for a certain IP but drop all
> > > > > >>> > other domains
> > > > > >>> > - and allow all domains for all other clients
> > > > > >>> >
> > > > > >>> > The rpz is quite simple
> > > > > >>> >
> > > > > >>> > example.net                          CNAME rpz-passthru. ; allow for all including 192.168.16.100
> > > > > >>> > *.example.net                        CNAME rpz-passthru. ; allow for all including 192.168.16.100
> > > > > >>> >
> > > > > >>> > 32.100.16.168.192.rpz-client-ip      CNAME rpz-drop.     ; drop every other request for 192.168.16.100
> > > > > >>> >
> > > > > >>> > 0.0.0.0.0.rpz-client-ip              CNAME rpz-passthru. ; allow all domains for all other clients
> > > > > >>> >
> > > > > >>> > This works perfect unless an allowed client resolves a record
> > > > > >>> > forbidden for 192.168.16.100, as afterwards this record is answered
> > > > > >>> > from the cache for 192.168.16.100.
> > > > > >>> >
> > > > > >>> > I already saw discussions on the precedence of cached records like
> > > > > >>> >
> > > > > >>> > https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
> > > > > >>> >
> > > > > >>> > However the solution to disable caching via
> > > > > >>> >
> > > > > >>> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > > > > >>> >
> > > > > >>> > for certain records is workable in a blacklisting scenario but not
> > > > > >>> > in a whitelisting-like scenario as above. It would mean that I
> > > > > >>> > would need to disable caching for all records but the whitelisted ones.
> > > > > >>> >
> > > > > >>> > Is there a solution for my scenario that lets me still utilize caching?
> > > > > >>> >
> > > > > >>> > Thanks
> > > > > >>>
> > > > > >>> The Lua gettag() and gettag_ffi() [1] functions can be used to
> > > > > >>> set a packet cache tag which effectively partitions the PC into
> > > > > >>> separate instances based on the tag. If you set a tag based on the
> > > > > >>> client's IP address--dividing them up in groups that share a
> > > > > >>> policy--you should be able to achieve the desired effect: different
> > > > > >>> PC instances per client group.
> > > > > >>>
> > > > > >>>         -Otto
> > > > > >>>
> > > > > >>> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
> > > > > >>
> > > > > >>
> > > > > >> Many thanks. Indeed this seems to be the solution I was looking for.
> > > > > >> Will try it out and report back.
> > > > > >>
> > > > > >>  Jeff
> > > > > >>
> > > > > >>
> > > > > >
> > > > > > I started with a basic config to get a log entry, however it
> > > > > > seems as if the gettag hook is not triggered.
> > > > > >
> > > > > > -- this check is applied before the packet cache has been looked up
> > > > > > function gettag (remote, ednssubnet, vlocal, qname, qtype)
> > > > > >   pdnslog("gettag -- remote: "..remote.." - ednssubnet: "..ednssubnet.." - local: "..vlocal.." - qname: "..qname.." - qtype: "..qtype.." - policytags: "..policytags)
> > > > > >   return 0
> > > > > > end
> > > > > >
> > > > > > In my research I also did not find a working example script.
> > > > > >
> > > > >
> > > > > Switched to version 4.4 (I am testing on a raspi stretch) and played
> > > > > a bit with the logging
> > > > >
> > > > > function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
> > > > >   pdnslog("Danger: gettag called")
> > > > >   pdnslog("gettag -- remote: "..remote)
> > > > >
> > > > > The first pdnslog creates a syslog entry, so the gettag function is
> > > > > triggered and called; however the 2nd pdnslog does not create an entry
> > > > > for whatever unknown reason. Tried also with other parameters....
> > > >
> > > > remote is a ComboAddress. To print it you'll need remote:toString().
> > > > This is documented in the links I posted earlier. Your logs should
> > > > contain an exception logged for this, unless suppressed. Check if
> > > > log-common-errors is set to "yes".
> > > >
> > > > There is no complete example of gettag in the docs, see [1]. You can
> > > > get some inspiration from the regression test code found in [2].
> > > >
> > > >         -Otto
> > > >
> > > > [1] https://github.com/PowerDNS/pdns/issues/4697
> > > > [2] https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor-dnssec/t$
> > > >
> > > This seems to be quite advanced lua scripting I guess, well .. at
> > > least it is for me. My understanding from going through the docs is that
> > > I need to somehow utilize the edns-padding-tag, though not really sure.
> >
> > Nope, if you return a single int value that will be picked up as the
> > PC tag. For gettag_ffi you can use a method to set a tag on the object
> > supplied as argument to gettag_ffi. Refer to the docs for that.
> >
>
> A basic example to distinguish queries coming from a local net:
>
> mynets = newNMG()
> mynets:addMask("127.0.0.0/8")
> mynets:addMask("192.168.178.0/24")
>
> function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
>   -- remote is a ComboAddress; NetMaskGroup:match() takes it directly
>   if mynets:match(remote) then
>     return 1
>   end
>   return 0
> end
>
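Putting Otto's suggestion together with the RPZ from the first message, here is an added example that is not code from the thread or from PowerDNS itself. It assumes 192.168.16.100 is the restricted host from the original RPZ; the group name `restrictedHosts`, the tag numbers and the self-check at the bottom are choices of this example. The RPZ rules stay exactly as posted: they still decide what is dropped or passed through, and the tag only keeps the restricted client from ever being served a packet-cache entry that an unrestricted client populated.

```lua
-- Added example (not code from the thread or from PowerDNS itself): give each
-- RPZ policy group its own packet-cache tag so an answer cached for an
-- unrestricted client is never handed to the restricted one.
-- Assumptions: 192.168.16.100 is the restricted host from the first message;
-- the group name and the tag numbers are arbitrary choices of this example.
-- Load the script via lua-dns-script=/path/to/this.lua in recursor.conf.

-- Clients that only get the whitelisted names (the rpz-client-ip drop rule
-- in the RPZ applies to them). Add more masks here to grow the group.
restrictedHosts = newNMG()
restrictedHosts:addMask("192.168.16.100/32")

-- Tag values only need to be distinct per policy group. Queries without a
-- tag use 0, so everything sharing the unrestricted policy stays on 0 and
-- the restricted group must use a different value.
TAG_DEFAULT    = 0
TAG_RESTRICTED = 1

-- Called for every query before the packet cache is consulted. A single
-- integer return value becomes the packet-cache tag; two queries with
-- different tags never share a cached answer.
function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  -- remote is a ComboAddress: NetMaskGroup:match() takes it as-is; only
  -- convert with remote:toString() when you need to log or compare strings.
  if restrictedHosts:match(remote) then
    return TAG_RESTRICTED
  end
  return TAG_DEFAULT
end

-- Self-check at script load: newCA() builds a ComboAddress, so the tagging
-- can be exercised without waiting for real queries. A failing assert stops
-- the recursor from loading a script that would mis-tag clients.
assert(gettag(newCA("192.168.16.100"), nil, nil, "example.net", 1, nil, false, nil) == TAG_RESTRICTED)
assert(gettag(newCA("192.168.16.101"), nil, nil, "example.net", 1, nil, false, nil) == TAG_DEFAULT)
```

Keep log-common-errors set to "yes" while testing, as Otto notes above, so a Lua exception in gettag (for example concatenating the ComboAddress into a string) shows up in the log instead of silently leaving every query on tag 0.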