On Sat, 9 Apr 2022 at 09:24, Jeff Bread <jbrea...@gmail.com> wrote:
> On Sat, 9 Apr 2022 at 09:05, Otto Moerbeek <o...@drijf.net> wrote:
> > On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
> >
> > > Hi,
> > >
> > > I am new to powerdns and wanted to implement a kind of extended sinkhole by
> > > whitelisting some domains by using a RPZ file.
> > >
> > > The aim is
> > >
> > > - to allow only certain domain(s) for a certain IP but drop all other domains
> > > - and allow all domains for all other clients
> > >
> > > The rpz is quite simple
> > >
> > > example.net. CNAME rpz-passthru. ; allow for all including 192.168.16.100
> > > *.example.net. CNAME rpz-passthru. ; allow for all including 192.168.16.100
> > >
> > > 32.100.16.168.192.rpz-client-ip CNAME rpz-drop. ; drop every other request for 192.168.16.100
> > >
> > > 0.0.0.0.0.rpz-client-ip CNAME rpz-passthru. ; allow all domains for all other clients
> > >
> > > This works perfectly unless an allowed client resolves a record forbidden
> > > for 192.168.16.100, as afterwards this record is answered from the cache for
> > > 192.168.16.100.
> > >
> > > I already saw discussions on the precedence of cached records like
> > > https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
> > >
> > > However the solution to disable caching via
> > > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > > for certain records is workable in a blacklisting scenario but not in a
> > > whitelisting-like scenario as above. It would mean that I would need to
> > > disable caching for all records but the whitelisted ones.
> > >
> > > Is there a solution for my scenario that lets me still utilize caching?
> > >
> > > Thanks
> >
> > The Lua gettag() and gettag_ffi() [1] functions can be used to set a
> > packet cache tag which effectively partitions the PC into separate
> > instances based on the tag. If you set a tag based on the client's IP
> > address--dividing them up in groups that share a policy--you should be
> > able to achieve the desired effect: different PC instances per client
> > group.
> >
> > -Otto
> >
> > [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
>
> Many thanks. Indeed this seems to be the solution I was looking for. Will
> try it out and report back.
>
> Jeff

I started with a basic config to get a log entry, however it seems as if the gettag hook is not triggered.

-- this check is applied before the packet cache has been looked up
-- remote and vlocal are ComboAddress objects, ednssubnet is a Netmask and
-- qname is a DNSName, so each is converted with :toString() before being
-- concatenated; qtype is a plain number and can be concatenated directly
function gettag (remote, ednssubnet, vlocal, qname, qtype)
  pdnslog("gettag -- remote: "..remote:toString().." - ednssubnet: "..ednssubnet:toString().." - local: "..vlocal:toString().." - qname: "..qname:toString().." - qtype: "..qtype)
  return 0
end

In my research I also did not find a working example script.
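The following is an added example, not a script from Jeff's or Otto's mails, of what Otto's suggestion looks like as a complete gettag hook for the Recursor: clients are grouped with a NetmaskGroup and each group returns its own packet cache tag, so an answer cached for an unrestricted client is never served to the restricted one. The group membership (192.168.16.100 as the single restricted client, everything else unrestricted) is taken from the RPZ in the thread; the tag numbers and log text are assumptions of this example. It goes beyond the thread in that the restricted group is a NetmaskGroup, so further addresses or prefixes can be added without changing the hook.

```lua
-- Added example: partition the Recursor packet cache by client group.
-- Load it with the lua-dns-script setting; gettag must be a global function.

-- Clients that only get the whitelisted names (from the thread's RPZ:
-- 32.100.16.168.192.rpz-client-ip CNAME rpz-drop.). Hypothetical group
-- name; add more masks here if several hosts share the restrictive policy.
restricted_clients = newNMG()
restricted_clients:addMasks({ "192.168.16.100/32" })

-- Arbitrary non-zero tag values (assumed for this example). Every distinct
-- value is a separate packet cache instance; 0 means "no tag" / shared cache.
TAG_RESTRICTED = 1
TAG_UNRESTRICTED = 2

-- Called before the packet cache is consulted. remote is a ComboAddress,
-- ednssubnet a Netmask, localip a ComboAddress, qname a DNSName, qtype a number.
function gettag(remote, ednssubnet, localip, qname, qtype)
  local tag = TAG_UNRESTRICTED
  if restricted_clients:match(remote) then
    tag = TAG_RESTRICTED
  end
  -- Objects must be converted with :toString() before concatenation;
  -- a nil or userdata operand would abort the hook with a Lua error.
  pdnslog("gettag: remote=" .. remote:toString() ..
          " qname=" .. qname:toString() ..
          " qtype=" .. qtype ..
          " tag=" .. tag)
  -- Only the first return value (the packet cache tag) is used here.
  return tag
end
```

A query from 192.168.16.100 now only ever hits the TAG_RESTRICTED packet cache, so a record another client resolved earlier is not returned from the cache; the query goes through normal resolution where the rpz-client-ip drop rule applies. The tag affects the packet cache only, which is the cache Otto refers to as the PC; the RPZ rules themselves stay unchanged.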
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users