Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

2020-02-24 Thread Otto Moerbeek via Pdns-users
On Mon, Feb 24, 2020 at 08:41:15AM +0100, Steinar Haug via Pdns-users wrote:

> >> > Thank you, that got me a bit further. But I'm not where I want to be
> >> > yet. DNSQuestion.variable will let me decide whether an answer should
> >> > be inserted into the packet cache or not. But using this in the prerpz
> >> > hook I have (so far) not found a way to make insertion in the packet
> >> > cache dependent on the *policy name* - which is what I'm trying to
> >> > achieve here.
> >> 
> >> in preresolve(dq) dq.appliedPolicy.policyName should be available.
> >> prerpz(dq) is too early in the process.
> > 
> > To elaborate: name or client ip based policies will be set in
> > preresolve(dq). For policies that are applied post resolve, you can
> > add code in postresolve(dq).
> 
> Excellent, got that working. Thanks! Now a related question: How can
> I give some queries an extra RPZ policy, based on for instance IP of
> the querier?
> 
> Steinar Haug, AS2116

Look at e.g. 
https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.4.1

-Otto
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

2020-02-23 Thread Steinar Haug via Pdns-users
>> > Thank you, that got me a bit further. But I'm not where I want to be
>> > yet. DNSQuestion.variable will let me decide whether an answer should
>> > be inserted into the packet cache or not. But using this in the prerpz
>> > hook I have (so far) not found a way to make insertion in the packet
>> > cache dependent on the *policy name* - which is what I'm trying to
>> > achieve here.
>> 
>> in preresolve(dq) dq.appliedPolicy.policyName should be available.
>> prerpz(dq) is too early in the process.
> 
> To elaborate: name or client ip based policies will be set in
> preresolve(dq). For policies that are applied post resolve, you can
> add code in postresolve(dq).

Excellent, got that working. Thanks! Now a related question: How can
I give some queries an extra RPZ policy, based on for instance IP of
the querier?

Steinar Haug, AS2116


Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

2020-02-14 Thread Otto Moerbeek via Pdns-users
On Fri, Feb 14, 2020 at 03:34:37PM +0100, Otto Moerbeek via Pdns-users wrote:

> On Fri, Feb 14, 2020 at 03:06:10PM +0100, Steinar Haug via Pdns-users wrote:
> 
> > >> I have previously used PowerDNS recursor and RPZ while treating all
> > >> query sources equally. This works fine.
> > >> 
> > >> I'm now trying to use RPZ to block copyright type domains selectively
> > >> based on source IP from the query, by using Lua discardPolicy. I'm
> > >> seeing an unexpected interaction with the packet cache.
> > 
> > ...
> > 
> > >> My question is basically: Is this behavior expected? I find it highly
> > >> surprising, since it basically means that the RPZ functionality (and
> > >> whether it works or not) depends on packetcache contents.
> > > 
> > > Yes, this is expected. Look at
> > > 
> > > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > > 
> > > for the solution.
> > 
> > Thank you, that got me a bit further. But I'm not where I want to be
> > yet. DNSQuestion.variable will let me decide whether an answer should
> > be inserted into the packet cache or not. But using this in the prerpz
> > hook I have (so far) not found a way to make insertion in the packet
> > cache dependent on the *policy name* - which is what I'm trying to
> > achieve here.
> 
> in preresolve(dq) dq.appliedPolicy.policyName should be available.
> prerpz(dq) is too early in the process.

To elaborate: name or client ip based policies will be set in
preresolve(dq). For policies that are applied post resolve, you can
add code in postresolve(dq).

> 
>   -Otto
> > 
> > If I have
> > 
> > rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
> > rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
> > rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})
> > 
> > is there a way to exempt *only* policy "c" from the packet cache?
> > 
> > Steinar Haug, AS2116
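
One way to put the thread's advice together, as an added example (not code from the thread or from the PowerDNS project): policy "c" from the question is applied only to a constructed client range by discarding it for everyone else in prerpz(dq), and answers produced by that policy are kept out of the packet cache by setting dq.variable once dq.appliedPolicy.policyName is known in preresolve(dq) and postresolve(dq). Assumed: recursor 4.2 Lua hooks as documented, policies "a", "b", "c" loaded with rpzFile in lua-config-file as in the question, and the 192.0.2.0/24 range is a placeholder.

```lua
-- Added example, not from the thread. Assumes the three rpzFile() policies
-- "a", "b", "c" from the question are loaded in lua-config-file.

-- Clients that should get the extra policy "c"; everyone else has it
-- discarded before the RPZ lookup. The range is a constructed placeholder.
extraPolicyClients = newNMG()
extraPolicyClients:addMask("192.0.2.0/24")

-- Answers from these policies differ per client, so a cached copy would be
-- handed to every querier. They must never enter the packet cache.
uncachedPolicies = { c = true }

-- Marks the answer as per-client when the applied policy is one of ours.
-- Shared by preresolve() and postresolve(); returns true when it marked it.
local function markVariableIfPolicyHit(dq, hook)
  local name = dq.appliedPolicy.policyName
  if name ~= nil and uncachedPolicies[name] then
    dq.variable = true   -- keep this response out of the packet cache
    pdnslog(hook .. ": policy " .. name .. " applied, answer marked variable")
    return true
  end
  return false
end

function prerpz(dq)
  -- Runs before the RPZ lookup: here the policy name is not yet known,
  -- but the client address is, so policy "c" can be switched off for
  -- clients outside the group. Everyone else is still subject to it.
  if not extraPolicyClients:match(dq.remoteaddr) then
    dq:discardPolicy("c")
  end
  return false
end

function preresolve(dq)
  -- QNAME and client-IP triggered policies have been applied by now, so
  -- dq.appliedPolicy.policyName is populated for them.
  markVariableIfPolicyHit(dq, "preresolve")
  return false
end

function postresolve(dq)
  -- Policies that trigger on the resolved answer (IP, NSDNAME, NSIP) are
  -- only applied after resolution, so check again here.
  markVariableIfPolicyHit(dq, "postresolve")
  return false
end
```

Because dq.variable only affects insertion, a reply that was already cached before the script was loaded is still served to every client until it expires; flush the packet cache (rec_control wipe-cache) after deploying the script.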


Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

2020-02-14 Thread Otto Moerbeek via Pdns-users
On Fri, Feb 14, 2020 at 03:06:10PM +0100, Steinar Haug via Pdns-users wrote:

> >> I have previously used PowerDNS recursor and RPZ while treating all
> >> query sources equally. This works fine.
> >> 
> >> I'm now trying to use RPZ to block copyright type domains selectively
> >> based on source IP from the query, by using Lua discardPolicy. I'm
> >> seeing an unexpected interaction with the packet cache.
> 
> ...
> 
> >> My question is basically: Is this behavior expected? I find it highly
> >> surprising, since it basically means that the RPZ functionality (and
> >> whether it works or not) depends on packetcache contents.
> > 
> > Yes, this is expected. Look at
> > 
> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > 
> > for the solution.
> 
> Thank you, that got me a bit further. But I'm not where I want to be
> yet. DNSQuestion.variable will let me decide whether an answer should
> be inserted into the packet cache or not. But using this in the prerpz
> hook I have (so far) not found a way to make insertion in the packet
> cache dependent on the *policy name* - which is what I'm trying to
> achieve here.

in preresolve(dq) dq.appliedPolicy.policyName should be available.
prerpz(dq) is too early in the process.

-Otto
> 
> If I have
> 
> rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
> rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
> rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})
> 
> is there a way to exempt *only* policy "c" from the packet cache?
> 
> Steinar Haug, AS2116


Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

2020-02-14 Thread Steinar Haug via Pdns-users
>> I have previously used PowerDNS recursor and RPZ while treating all
>> query sources equally. This works fine.
>> 
>> I'm now trying to use RPZ to block copyright type domains selectively
>> based on source IP from the query, by using Lua discardPolicy. I'm
>> seeing an unexpected interaction with the packet cache.

...

>> My question is basically: Is this behavior expected? I find it highly
>> surprising, since it basically means that the RPZ functionality (and
>> whether it works or not) depends on packetcache contents.
> 
> Yes, this is expected. Look at
> 
> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> 
> for the solution.

Thank you, that got me a bit further. But I'm not where I want to be
yet. DNSQuestion.variable will let me decide whether an answer should
be inserted into the packet cache or not. But using this in the prerpz
hook I have (so far) not found a way to make insertion in the packet
cache dependent on the *policy name* - which is what I'm trying to
achieve here.

If I have

rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})

is there a way to exempt *only* policy "c" from the packet cache?

Steinar Haug, AS2116


Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?

2020-02-10 Thread Otto Moerbeek via Pdns-users
On Mon, Feb 10, 2020 at 03:15:02PM +0100, Steinar Haug via Pdns-users wrote:

> I have previously used PowerDNS recursor and RPZ while treating all
> query sources equally. This works fine.
> 
> I'm now trying to use RPZ to block copyright type domains selectively
> based on source IP from the query, by using Lua discardPolicy. I'm
> seeing an unexpected interaction with the packet cache.
> 
> Environment: FreeBSD 12.1-STABLE, PowerDNS recursor 4.2.0 installed
> from FreeBSD package.
> 
> Contents of lua-config-file:
> 
> rpzFile("/usr/local/etc/pdns/copyright.zone", {policyName="copyright"})
> 
> Contents of copyright.zone:
> 
> $TTL 300
> @ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
> @ NS localhost.
> ;
> thepiratebay.se A 10.11.12.13
> *.thepiratebay.se A 10.11.12.13
> ...
> 
> Contents of lua-dns-script:
> 
> badips = newNMG()
> badips:addMask("193.75.110.130/32")
> 
> function prerpz(dq)
> pdnslog("prerpz called")
> if badips:match(dq.remoteaddr) then
> pdnslog("prerpz match IP to skip copyright domain check")
> dq:discardPolicy("copyright")
> end
> return false
> end
> 
> Right after starting PowerDNS recursor (i.e. empty packetcache):
> 
> - If I query from 193.75.110.130 with an empty packetcache, the RPZ
> check is skipped, as expected, and I get
> 
> thepiratebay.se.  3600  IN  SOA  a.ns14.net. curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
> 
> - If I query from a different IP with an empty packetcache, the RPZ
> policy is used, and I get
> 
> thepiratebay.se.  300  IN  A  10.11.12.13
> 
> This all seems fine. However, if the packetcache already contains
> the reply to the query above (either the RPZ policy reply or the
> actual reply from for instance a.ns14.net), this reply is handed
> out to *all* query addresses. I.e. it appears as if the RPZ policy
> check (or the skipping of same, from discardPolicy) happens after
> the packetcache is consulted. This is highly visible in the logs
> by using "trace=on" in the recursor.conf file.
> 
> Example 1: Packetcache contains:
> 
> thepiratebay.se.  3600  IN  SOA  a.ns14.net. curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
> 
> because it was queried from 193.75.110.130 right after startup.
> Subsequent queries, whether they come from 193.75.110.130 or a
> different IP, show hits in the packetcache:
> 
> Feb 10 14:54:48 x pdns_recursor[32563]: 3 question answered from packet cache 
> tag=0 from 193.75.110.130:39453
> Feb 10 14:54:50 x pdns_recursor[32563]: 3 question answered from packet cache 
> tag=0 from 193.75.110.130:47250
> Feb 10 14:55:10 x pdns_recursor[32563]: 3 question answered from packet cache 
> tag=0 from 193.75.110.134:37866
> Feb 10 14:55:13 x pdns_recursor[32563]: 3 question answered from packet cache 
> tag=0 from 193.75.110.134:10022
> 
> and in the replies one can see that TTL counts down:
> 
> thepiratebay.se.  3598  IN  SOA  a.ns14.net. curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
> thepiratebay.se.  3596  IN  SOA  a.ns14.net. curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
> 
> etc.
> 
> Example 2: Packetcache contains
> 
> thepiratebay.se.  300  IN  A  10.11.12.13
> 
> because it was queried from a different IP than 193.75.110.130
> right after startup. Subsequent queries, whether they come from
> 193.75.110.130 or a different IP, show hits in the packetcache:
> 
> Feb 10 15:04:04 x pdns_recursor[32627]: 3 question answered from packet cache 
> tag=0 from 193.75.110.134:53118
> Feb 10 15:04:06 x pdns_recursor[32627]: 3 question answered from packet cache 
> tag=0 from 193.75.110.134:53282
> Feb 10 15:04:12 x pdns_recursor[32627]: 3 question answered from packet cache 
> tag=0 from 193.75.110.130:65401
> Feb 10 15:04:14 x pdns_recursor[32627]: 3 question answered from packet cache 
> tag=0 from 193.75.110.130:29779
> 
> and in the replies one can see that the TTL counts down:
> 
> thepiratebay.se.  298  IN  A  10.11.12.13
> thepiratebay.se.  296  IN  A  10.11.12.13
> 
> etc.
> 
> My question is basically: Is this behavior expected? I find it highly
> surprising, since it basically means that the RPZ functionality (and
> whether it works or not) depends on packetcache contents.
> 
> A small twist on the above behavior: If the query contains a DNS
> cookie (e.g. if generated by newer versions of dig), it seems the
> packetcache is not consulted - which means that RPZ works the way
> I want. But I cannot depend on DNS cookies always being set...
> 
> Steinar Haug, AS2116

Yes, this is expected. Look at

https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable

for the solution.

-Otto