2014-10-20 15:12 GMT-03:00 k...@rice.edu <k...@rice.edu>:
> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <r...@scramworks.net>:
>> > Hi,
>> >
>> > Just to add a bit less light, we implemented this sort of thing about 5
>> > years back and now with the aid of a small script have a solution which
>> > is fully RPZ compatible. Using PDNS recursor and LUA, which can handle
>> > an RPZ feed of about four thousand records and around 5,000 QPS. We did
>> > stress test briefly with a 11,000 item RPZ feed.
>> >
>> > As said no need to restart when it updates just do a LUA reload.
>> > Hopefully I should be able to release what we did soon - am waiting for
>> > permission from our legal types.
>> >
>> > Really not sure if that helps any, except to say it's very doable and
>> > can be quite stable.
>> >
>>
>> RPZ seems really interesting, and I see there was a request for it in
>> the past*. The thing is, we have direct requests from local government
>> agencies to ban some domains with legal issues (mandated by a judge
>> for example), and we were just approached about being able to block
>> sites from the Internet Watch Foundation black list also (with their
>> own landing page). Both cases will be redirected to different sites,
>> and each has its own data source. Currently on bind we just define the
>> domain as authoritative and it's kind of a hassle.
>>
>> Also, I thought about adding some helpful LUA bits to report date/time
>> or the client's IP address, but from what I understood, only one LUA
>> script can be added to the recursor, maybe a super monster script
>> could be able to achieve all that.
>>
>> Ref:
>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>
>> Regards,
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Hi,
>
> I would use a single Lua script for all of it. I am trying to find my
> sample using CDB to post.
>
> Regards,
> Ken

Hi!, got a proof of concept script that successfully does the CDB
lookup, but I'm curious about the CNAME answers, how can I call
another resolution iteration to find the A record for the final
destination? Currently I can only answer a CNAME record, and any
attempt to reach a website for example will fail with "Couldn't
resolve host".

Regards,
--
Ciro Iriarte
http://iriarte.it
--