On Sat, 9 Apr 2022 at 09:52, Jeff Bread <jbrea...@gmail.com> wrote:
>
> On Sat, 9 Apr 2022 at 09:24, Jeff Bread <jbrea...@gmail.com> wrote:
>>
>> On Sat, 9 Apr 2022 at 09:05, Otto Moerbeek <o...@drijf.net> wrote:
>>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
>>>
>>> > Hi,
>>> >
>>> > I am new to PowerDNS and wanted to implement a kind of extended
>>> > sinkhole by whitelisting some domains using an RPZ file.
>>> >
>>> > The aim is
>>> >
>>> > - to allow only certain domain(s) for a certain IP but drop all other
>>> >   domains
>>> > - and allow all domains for all other clients
>>> >
>>> > The RPZ is quite simple:
>>> >
>>> > example.net. CNAME rpz-passthru. ; allow for all including 192.168.16.100
>>> > *.example.net CNAME rpz-passthru. ; allow for all including 192.168.16.100
>>> >
>>> > 32.100.16.168.192.rpz-client-ip CNAME rpz-drop. ; drop every other
>>> >                                                 ; request for 192.168.16.100
>>> >
>>> > 0.0.0.0.0.rpz-client-ip CNAME rpz-passthru. ; allow all domains
>>> >                                             ; for all other clients
>>> >
>>> > This works perfectly unless an allowed client resolves a record
>>> > forbidden for 192.168.16.100, as afterwards this record is answered
>>> > from the cache for 192.168.16.100.
>>> >
>>> > I already saw discussions on the precedence of cached records like
>>> > https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
>>> >
>>> > However, the solution to disable caching via
>>> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
>>> > for certain records is workable in a blacklisting scenario but not in a
>>> > whitelisting-like scenario as above. It would mean that I would need to
>>> > disable caching for all records but the whitelisted ones.
>>> >
>>> > Is there a solution for my scenario that lets me still utilize caching?
>>> >
>>> > Thanks
>>>
>>> The Lua gettag() and gettag_ffi() [1] functions can be used to set a
>>> packet cache tag which effectively partitions the PC into separate
>>> instances based on the tag. If you set a tag based on the client's IP
>>> address--dividing them up in groups that share a policy--you should be
>>> able to achieve the desired effect: different PC instances per client
>>> group.
>>>
>>> -Otto
>>>
>>> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
>>
>> Many thanks. Indeed this seems to be the solution I was looking for. Will
>> try it out and report back.
>>
>> Jeff
>
> I started with a basic config to get a log entry; however, it seems as if
> the gettag hook is not triggered.
>
> -- this check is applied before the packet cache has been looked up
> function gettag (remote, ednssubnet, vlocal, qname, qtype)
>   pdnslog("gettag -- remote: "..remote.." - ednssubnet: "..ednssubnet..
>           " - local: "..vlocal.." - qname: "..qname.." - qtype: "..qtype..
>           " - policytags: "..policytags)
>   return 0
> end
>
> In my research I also did not find a working example script.

Switched to version 4.4 (I am testing on a raspi stretch) and played a bit
with the logging:

function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  pdnslog("Danger: gettag called")
  pdnslog("gettag -- remote: "..remote)
end

The first pdnslog creates a syslog entry, so the gettag function is triggered
and called; however, the 2nd pdnslog does not create an entry for whatever
unknown reason. Tried also with other parameters....
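An added example, not code from anyone in this thread, of the gettag() hook Otto describes: it tags queries from the restricted client in the question so they get their own packet-cache partition, while everyone else shares the default one. In the Recursor's Lua API, remote is a ComboAddress and qname a DNSName (objects, not strings), so they are converted with :toString() before being concatenated into a log message; the restricted address 192.168.16.100 comes from the question, the tag numbers are chosen for this example, and newNMG()/addMask()/match() are the Recursor's NetmaskGroup functions.

```lua
-- Added example (not from the thread): partition the Recursor's packet cache
-- per client group so that an RPZ policy keyed on rpz-client-ip is not
-- defeated by answers that another client already pulled into the cache.
-- 192.168.16.100 is the restricted client from the question; the tag
-- numbers are arbitrary but must differ between groups.
local TAG_DEFAULT    = 0   -- everyone else: one shared packet-cache partition
local TAG_RESTRICTED = 1   -- clients that may only resolve whitelisted names

-- NetmaskGroup gives a cheap membership test; add one mask per restricted
-- host or network.
local restricted = newNMG()
restricted:addMask("192.168.16.100/32")

-- gettag() runs before the packet cache is consulted. Its first return value
-- is the packet-cache tag: queries with different tags never share an entry,
-- so a cached answer for an unrestricted client cannot satisfy a query from
-- the restricted one.
function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  -- remote is a ComboAddress and qname a DNSName (userdata, not strings);
  -- calling :toString() first is what keeps the concatenation from raising.
  if restricted:match(remote) then
    pdnslog("gettag: restricted client "..remote:toString()..
            " asked "..qname:toString().." qtype "..qtype..
            " -> packet-cache tag "..TAG_RESTRICTED)
    return TAG_RESTRICTED
  end
  return TAG_DEFAULT
end
```

Point lua-dns-script in recursor.conf at this file; the RPZ rules from the question stay as they are, only the cache partitioning is added.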
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users