On Sat., 9 Apr. 2022 at 09:05, Otto Moerbeek <o...@drijf.net> wrote:
> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
>
> > Hi,
> >
> > I am new to powerdns and wanted to implement a kind of extended sinkhole by
> > whitelisting some domains by using an RPZ file.
> >
> > The aim is
> >
> > - to allow only certain domain(s) for a certain IP but drop all other
> > domains
> > - and allow all domains for all other clients
> >
> > The rpz is quite simple
> >
> > example.net. CNAME rpz-passthru. ; allow for all including 192.168.16.100
> > *.example.net CNAME rpz-passthru. ; allow for all including 192.168.16.100
> >
> > 32.100.16.168.192.rpz-client-ip CNAME rpz-drop. ; drop every other
> > request for 192.168.16.100
> >
> > 0.0.0.0.0.rpz-client-ip CNAME rpz-passthru. ; allow all domains for
> > all other clients
> >
> > This works perfectly unless an allowed client resolves a record forbidden
> > for 192.168.16.100, as afterwards this record is answered from the cache for
> > 192.168.16.100.
> >
> > I already saw discussions on the precedence of cached records like
> > https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
> >
> > However the solution to disable caching via
> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > for certain records is workable in a blacklisting scenario but not in a
> > whitelisting-like scenario as above. It would mean that I would need to
> > disable caching for all records but the whitelisted ones.
> >
> > Is there a solution for my scenario that lets me still utilize caching?
> >
> > Thanks
>
> The Lua gettag() and gettag_ffi() [1] functions can be used to set a
> packet cache tag which effectively partitions the PC into separate
> instances based on the tag. If you set a tag based on the client's IP
> address--dividing them up in groups that share a policy--you should be
> able to achieve the desired effect: different PC instances per client
> group.
>
> -Otto
>
> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag

Many thanks. Indeed this seems to be the solution I was looking for. Will try it out and report back.

Jeff
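What Otto's suggestion looks like as a Recursor Lua script, written here as an added illustration rather than code from the thread or from the PowerDNS project: the restricted client (192.168.16.100 from the question) gets its own packet-cache partition, so an answer that an unrestricted client pulled into the cache is never handed to it. The tag values and the two group names are assumptions; `newNMG()`, `addMask()`, `match()` and the `gettag()` hook are the Recursor's documented Lua API.

```lua
-- Added example: partition the PowerDNS Recursor packet cache per client
-- group so that RPZ client-IP policies are not bypassed by cached answers.
-- Assumes Recursor 4.x Lua hooks (loaded via the lua-dns-script setting).

-- Clients that may only resolve the whitelisted names; every other name is
-- dropped for them by the rpz-client-ip rule in the RPZ zone.
local restricted = newNMG()
restricted:addMask("192.168.16.100/32")   -- address taken from the question

-- Any distinct non-zero tag is a separate packet-cache instance.
-- Tag numbers are arbitrary (assumed values).
local TAG_RESTRICTED = 1
local TAG_OPEN = 2

-- gettag() runs before the packet cache is consulted, so the returned tag
-- decides which cache partition this query is looked up in and stored to.
function gettag(remoteip, ednssubnet, localip, qname, qtype, ednsoptions, tcp)
  if restricted:match(remoteip) then
    return TAG_RESTRICTED
  end
  return TAG_OPEN
end
```

Adding further masks to `restricted` (or more groups with their own tag) keeps one cache partition per policy group rather than one per client, so caching still works within each group.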
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users