Oh yes you are right, so easy, dunno what went wrong. Anyway thanks for your support.
On Sat, 9 Apr 2022 at 18:39, Otto Moerbeek <o...@drijf.net> wrote:
> On Sat, Apr 09, 2022 at 06:16:47PM +0200, Otto Moerbeek via Pdns-users wrote:
>
>> On Sat, Apr 09, 2022 at 05:11:46PM +0200, Jeff Bread wrote:
>>
>>> On Sat, 9 Apr 2022 at 10:57, Otto Moerbeek <o...@drijf.net> wrote:
>>>
>>>> On Sat, Apr 09, 2022 at 10:37:19AM +0200, Jeff Bread wrote:
>>>>
>>>>> On Sat, 9 Apr 2022 at 09:52, Jeff Bread <jbrea...@gmail.com> wrote:
>>>>>
>>>>>> On Sat, 9 Apr 2022 at 09:24, Jeff Bread <jbrea...@gmail.com> wrote:
>>>>>>
>>>>>>> On Sat, 9 Apr 2022 at 09:05, Otto Moerbeek <o...@drijf.net> wrote:
>>>>>>>
>>>>>>>> On Sat, Apr 09, 2022 at 08:42:24AM +0200, Jeff Bread via Pdns-users wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am new to powerdns and wanted to implement a kind of extended sinkhole by whitelisting some domains by using an RPZ file.
>>>>>>>>>
>>>>>>>>> The aim is
>>>>>>>>>
>>>>>>>>> - to allow only certain domain(s) for a certain IP but drop all other domains
>>>>>>>>> - and allow all domains for all other clients
>>>>>>>>>
>>>>>>>>> The rpz is quite simple
>>>>>>>>>
>>>>>>>>>     example.net. CNAME rpz-passthru. ; allow for all including 192.168.16.100
>>>>>>>>>     *.example.net CNAME rpz-passthru. ; allow for all including 192.168.16.100
>>>>>>>>>
>>>>>>>>>     32.100.16.168.192.rpz-client-ip CNAME rpz-drop. ; drop every other request for 192.168.16.100
>>>>>>>>>
>>>>>>>>>     0.0.0.0.0.rpz-client-ip CNAME rpz-passthru. ; allow all domains for all other clients
>>>>>>>>>
>>>>>>>>> This works perfectly unless an allowed client resolves a record forbidden for 192.168.16.100, as afterwards this record is answered from the cache for 192.168.16.100.
>>>>>>>>>
>>>>>>>>> I already saw discussions on the precedence of cached records like
>>>>>>>>>
>>>>>>>>> https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg10763.html
>>>>>>>>>
>>>>>>>>> However the solution to disable caching via
>>>>>>>>>
>>>>>>>>> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
>>>>>>>>>
>>>>>>>>> for certain records is workable in a blacklisting scenario but not in a whitelisting-like scenario as above. It would mean that I would need to disable caching for all records but the whitelisted ones.
>>>>>>>>>
>>>>>>>>> Is there a solution for my scenario that lets me still utilize caching?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> The Lua gettag() and gettag_ffi() [1] functions can be used to set a packet cache tag which effectively partitions the PC into separate instances based on the tag. If you set a tag based on the client's IP address--dividing them up in groups that share a policy--you should be able to achieve the desired effect: different PC instances per client group.
>>>>>>>>
>>>>>>>> -Otto
>>>>>>>>
>>>>>>>> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html#gettag
>>>>>>>
>>>>>>> Many thanks. Indeed this seems to be the solution I was looking for. Will try it out and report back.
>>>>>>>
>>>>>>> Jeff
>>>>>>
>>>>>> I started with a basic config to get a log entry, however it seems as if the gettag hook is not triggered.
>>>>>>
>>>>>>     -- this check is applied before the packet cache has been looked up
>>>>>>     function gettag (remote, ednssubnet, vlocal, qname, qtype)
>>>>>>       pdnslog("gettag -- remote: "..remote.." - ednssubnet: "..ednssubnet.." - local: "..vlocal.." - qname: "..qname.." - qtype: "..qtype.." - policytags: "..policytags)
>>>>>>       return 0
>>>>>>     end
>>>>>>
>>>>>> In my research I also did not find a working example script.
>>>>>
>>>>> Switched to version 4.4 (I am testing on a raspi stretch) and played a bit with the logging
>>>>>
>>>>>     function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
>>>>>       pdnslog("Danger: gettag called")
>>>>>       pdnslog("gettag -- remote: "..remote)
>>>>>     end
>>>>>
>>>>> The first pdnslog creates a syslog entry, so the gettag function is triggered and called, however the 2nd pdnslog does not create an entry for whatever unknown reason. Tried also with other parameters....
>>>>
>>>> remote is a ComboAddress. To print it you'll need remote:toString(). This is documented in the links I posted earlier. Your logs should contain an exception logged for this, unless suppressed. Check if log-common-errors is set to "yes".
>>>>
>>>> There is no complete example of gettag in the docs, see [1]. You can get some inspiration from the regression test code found in [2].
>>>>
>>>> -Otto
>>>>
>>>> [1] https://github.com/PowerDNS/pdns/issues/4697
>>>> [2] https://github.com/PowerDNS/pdns/blob/master/regression-tests.recursor-dnssec/t$
>>>
>>> This seems to be quite advanced lua scripting I guess, well .. at least it is for me. My understanding of going through the docs is that I need to somehow utilize the edns-padding-tag though not really sure.
>>
>> Nope, if you return a single int value that will be picked up as the PC tag. For gettag_ffi you can use a method to set a tag on the object supplied as argument to gettag_ffi. Refer to the docs for that.
>>
>> A basic example to distinguish queries coming from a local net:
>
> mynets = newNMG()
> mynets:addMask("127.0.0.0/8")
> mynets:addMask("192.168.178.0/24")
>
> function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
>   if mynets:match(remote) then
>     return 1
>   end
>   return 0
> end
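As an added example that is not part of the thread above and not PowerDNS's own code, here is Otto's packet-cache partitioning applied to the scenario from the original question: the restricted client 192.168.16.100 gets its own packet cache tag, so an answer that an unrestricted client pulled into the cache is never handed back to the restricted client. It assumes the Recursor 4.4 Lua API names used in the thread (newNMG, addMask, match, pdnslog, ComboAddress:toString(), the eight-argument gettag signature) plus DNSName:toString() for qname; the netmask, tag values and log format are constructed for this example.

```lua
-- Added example: per-client-group packet cache tags for PowerDNS Recursor 4.4.
-- Not from the thread or the project; API names are assumed from the 4.4 docs.

-- Clients that receive the restrictive RPZ treatment (constructed for this
-- example; the thread's restricted host is 192.168.16.100).
restricted = newNMG()
restricted:addMask("192.168.16.100/32")

-- Tag values are arbitrary integers. What matters is that client groups with
-- different policies never share a tag; 0 is the default (untagged) cache.
TAG_DEFAULT = 0
TAG_RESTRICTED = 1

-- Called before the packet cache lookup, so the tag decides which cache
-- partition this query is looked up in and stored into.
function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyprotocolvalues)
  -- remote is a ComboAddress; concatenating it directly raises a Lua error
  -- (the silent second pdnslog seen in the thread), so convert it first.
  local client = remote:toString()

  local tag = TAG_DEFAULT
  if restricted:match(remote) then
    tag = TAG_RESTRICTED
  end

  -- qname is a DNSName, which also needs an explicit toString().
  pdnslog("gettag -- remote: " .. client .. " qname: " .. qname:toString()
          .. " qtype: " .. qtype .. " tag: " .. tag)

  -- Returning a single integer makes it the packet cache tag.
  return tag
end
```

Load the script through the lua-dns-script setting. To confirm the partition is doing its job, query the same name first from an unrestricted client and then from 192.168.16.100: the second query must not be a packet cache hit, which you can watch with rec_control get packetcache-hits and packetcache-misses while the RPZ drop for 192.168.16.100 still applies.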
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users