2014-10-26 1:47 GMT-03:00 Ciro Iriarte <cyru...@gmail.com>:
> 2014-10-26 1:17 GMT-03:00 Ciro Iriarte <cyru...@gmail.com>:
>> 2014-10-20 15:12 GMT-03:00 k...@rice.edu <k...@rice.edu>:
>>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
>>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <r...@scramworks.net>:
>>>> > Hi,
>>>> >
>>>> > Just to add a bit less light, we implemented this sort of thing about 5
>>>> > years back and now with the aid of a small script have a solution which
>>>> > is fully RPZ compatible. Using PDNS recursor and LUA, which can handle
>>>> > an RPZ feed of about four thousand records and around 5,000 QPS. We did
>>>> > stress test briefly with an 11,000 item RPZ feed.
>>>> >
>>>> > As said, no need to restart when it updates, just do a LUA reload.
>>>> > Hopefully I should be able to release what we did soon - am waiting for
>>>> > permission from our legal types.
>>>> >
>>>> > Really not sure if that helps any, except to say it's very doable and
>>>> > can be quite stable.
>>>>
>>>> RPZ seems really interesting, and I see there was a request for it in
>>>> the past*. The thing is, we have direct requests from local government
>>>> agencies to ban some domains with legal issues (mandated by a judge
>>>> for example), and we were just approached about being able to block
>>>> sites from the Internet Watch Foundation black list also (with their
>>>> own landing page). Both cases will be redirected to different sites,
>>>> and each has its own data source. Currently on bind we just define the
>>>> domain as authoritative and it's kind of a hassle.
>>>>
>>>> Also, I thought about adding some helpful LUA bits to report date/time
>>>> or the client's IP address, but from what I understood, only one LUA
>>>> script can be added to the recursor, maybe a super monster script
>>>> could be able to achieve all that.
>>>>
>>>> Ref:
>>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>>>
>>>> Regards,
>>>> --
>>>> Ciro Iriarte
>>>> http://iriarte.it
>>>> --
>>>
>>> Hi,
>>>
>>> I would use a single Lua script for all of it. I am trying to find my
>>> sample using CDB to post.
>>>
>>> Regards,
>>> Ken
>>
>> Hi!, got a proof of concept script that successfully does the CDB
>> lookup, but I'm curious about the CNAME answers, how can I call
>> another resolution iteration to find the A record for the final
>> destination?
>>
>> Currently I can only answer a CNAME record, and any attempt to reach a
>> website for example will fail with "Couldn't resolve host".
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Answering to myself, found the followCNAMERecords return option. It
> works to look for a regular A lookup from the CNAME result. It doesn't
> cover the case where our overwritten answer should also be blocked (the
> LUA script is not run on that iteration).
>
> Should that case be covered? Is there another return code that will
> trigger the LUA script again for the CNAME follow-up?
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Got a functional pair of scripts: http://iriarte.it/?p=316

This doesn't address yet the possibility to blacklist "*.offender.com" for example.

Comments?

Regards,
Ciro

--
Ciro Iriarte
http://iriarte.it
--
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
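The open point in Ciro's last message is wildcard blocking ("*.offender.com"), and the earlier one is that the script is not run again when the recursor follows the CNAME it returned. The following recursor Lua script is an added example, not the scripts published at http://iriarte.it/?p=316 and not PowerDNS project code. It keeps the block list in a plain Lua table (a stand-in for the CDB lookup discussed in the thread, with constructed names under `.example`), and it assumes the recursor 3.x scripting convention of a `preresolve(remoteip, domain, qtype)` hook that returns an rcode, a record table and, as a third value, the `followCNAMERecords` option mentioned above; the helper `pdnslog` is the recursor's logging function. Check those details against the scripting documentation of the recursor version you run.

```lua
-- Added example for this thread: not the scripts at http://iriarte.it/?p=316 and
-- not PowerDNS project code. The block list is a plain Lua table standing in for
-- the CDB lookup discussed above; the preresolve(remoteip, domain, qtype) hook and
-- the "followCNAMERecords" third return value follow the recursor 3.x scripting
-- convention as assumed here (verify against your version's documentation).

-- Constructed block list. Keys are owner names as the recursor passes them
-- (trailing dot); values are the landing page of the data source that listed them.
-- A key starting with "*." covers every name below that suffix but not the
-- suffix itself, so the apex is listed separately when it must be blocked too.
local blocklist = {
  ["offender.example."]   = "landing.court.example.",  -- court-mandated block
  ["*.offender.example."] = "landing.court.example.",  -- ...and all of its subdomains
  ["badsite.example."]    = "landing.iwf.example.",    -- second list, second landing page
}

-- Exact lookup first, then walk up the label tree checking wildcard entries:
-- "a.b.offender.example." tries "*.b.offender.example.", then "*.offender.example.",
-- then "*.example.". Returns the landing page name, or nil when the name is not listed.
-- Cost is one key lookup per label, so a CDB-backed version behaves the same way.
local function lookup(domain)
  local name = string.lower(domain)
  local target = blocklist[name]
  if target then return target end
  local rest = name
  while true do
    local pos = string.find(rest, ".", 1, true)
    -- stop when the only dot left is the root one ("*." of the root is never a key)
    if not pos or pos == #rest then return nil end
    rest = string.sub(rest, pos + 1)
    target = blocklist["*." .. rest]
    if target then return target end
  end
end

-- A landing page must never be on the block list: the script is not run again on
-- the CNAME follow-up (as noted in the thread), so a listed landing page would just
-- fail to resolve instead of being redirected. Catch that at load time.
for _, landing in pairs(blocklist) do
  assert(lookup(landing) == nil, "landing page " .. landing .. " is itself on the block list")
end

function preresolve(remoteip, domain, qtype)
  local target = lookup(domain)
  if not target then
    return -1, {}   -- not listed: let the recursor resolve it normally
  end
  -- One log line per blocked query with client address and time, for audit.
  pdnslog(os.date("%Y-%m-%dT%H:%M:%S") .. " blocked " .. domain ..
          " (qtype " .. qtype .. ") from " .. remoteip .. " -> " .. target)
  -- Answer a CNAME to the landing page and ask the recursor to resolve it, so the
  -- client receives an A record instead of failing with "Couldn't resolve host".
  return 0, { { qtype = pdns.CNAME, content = target, ttl = 60 } }, "followCNAMERecords"
end
```

Point `lua-dns-script` in the recursor configuration at the file, and after the list changes reload it with `rec_control reload-lua-script` rather than restarting, as Robert describes above. Keeping all sources in the one table (with a different landing page per source) is what Ken's single-script suggestion amounts to; the load-time assertion is the cheap way to make sure the redirect target can never itself be swallowed by the block list, since the follow-up resolution bypasses the script.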