Hello Anders,

OK, my bad...

We use a cache in pfdns in order to not ask the filter engine all the time for the same FQDN.

https://github.com/inverse-inc/packetfence/blob/devel/go/coredns/plugin/pfdns/pfdns.go#L232

So can you open an issue on GitHub about that and I will have a look.

Regards

Fabrice


On 18-11-13 at 10:24, Anders Westerberg via PacketFence-users wrote:

Hi

Currently playing around with the new(?) MAC address filter in dns_filter.conf, trying to use it as a way to block nodes from getting access to the captive portal when using dns_enforcement, since the reject role does not seem to work at all.

My plan was to add them like this and change the IP address of the portal to something where I could just show a page like "your device has been blocked". Let's say that the correct IP for portal.test is 192.168.0.1.

[mac_blocklist]
filter = mac
operator = regex
value = ^(aa:bb:cc:00:11:22|00:11:22:aa:bb:cc)

[portal_test]
filter = qname
operator = regex
value = portal.test

[dnsenforcement_mac_blocklist:mac_blocklist&portal_test]
scope = dnsenforcement
answer = $qname 1 IN A 10.0.0.1
rcode = NOERROR

And this works fine: a client with a MAC in the mac_blocklist will get 10.0.0.1 returned, BUT the next client asking for portal.test will also get 10.0.0.1 instead of 192.168.0.1. It seems like the PF nameserver is caching the data, since I can just wait a minute or two and then a client not in the list will resolve portal.test to 192.168.0.1.

Strangely enough, it does not cache it the other way around: if a client not in the list asks for portal.test and it resolves to 192.168.0.1, a client that is in the mac_blocklist will still resolve portal.test to 10.0.0.1 instantly.

I hope the above is clear enough :). If I'm correct and this is some kind of cache in the PF nameserver, is there any way to disable it?

/anders



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
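
The behaviour discussed in this thread, as an added example (not PacketFence's pfdns code): a filter-answer cache keyed only on the FQDN hands a MAC-specific answer to the next client, while a key that includes the MAC does not. All type and function names are hypothetical, the non-blocked MAC is constructed, and the model assumes that only filter matches are cached, which the thread does not confirm.

```go
package main

import "fmt"

// Blocked MAC and the two answers are the values used in the thread.
const (
	blockedMAC = "aa:bb:cc:00:11:22"
	portalIP   = "192.168.0.1"
	blockIP    = "10.0.0.1"
)

// filterEngine stands in for the rule: blocklisted MAC AND qname portal.test.
func filterEngine(qname, mac string) (string, bool) {
	if qname == "portal.test" && mac == blockedMAC {
		return blockIP, true
	}
	return "", false
}

type resolver struct {
	cache map[string]string                // cached filter answers
	keyFn func(qname, mac string) string // builds the cache key
}
func newResolver(k func(string, string) string) *resolver { return &resolver{map[string]string{}, k} }

// resolve serves a cached filter answer if one exists, else asks the filter.
// Assumption: a filter non-match returns the normal answer and is not cached.
func (r *resolver) resolve(qname, mac string) string {
	k := r.keyFn(qname, mac)
	if ip, ok := r.cache[k]; ok {
		return ip
	}
	if ip, ok := filterEngine(qname, mac); ok {
		r.cache[k] = ip
		return ip
	}
	return portalIP
}

// byQname ignores the client; byQnameMAC scopes the entry to one client.
func byQname(qname, _ string) string      { return qname }
func byQnameMAC(qname, mac string) string { return qname + "|" + mac }

func main() {
	weak, fixed := newResolver(byQname), newResolver(byQnameMAC)
	for _, mac := range []string{blockedMAC, "de:ad:be:ef:00:01"} {
		fmt.Println(mac, weak.resolve("portal.test", mac), fixed.resolve("portal.test", mac))
	}
}
```

With the FQDN-only key the second client receives 10.0.0.1; in the reverse order nothing is cached for the non-blocked client, so the blocked client still gets 10.0.0.1 at once, matching both observations in the report.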