On Mon, Oct 27, 2014 at 12:49:31AM -0300, Ciro Iriarte wrote:
> 2014-10-26 1:47 GMT-03:00 Ciro Iriarte <cyru...@gmail.com>:
> > 2014-10-26 1:17 GMT-03:00 Ciro Iriarte <cyru...@gmail.com>:
> >> 2014-10-20 15:12 GMT-03:00 k...@rice.edu <k...@rice.edu>:
> >>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
> >>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <r...@scramworks.net>:
> >>>> > Hi,
> >>>> >
> >>>> > Just to add a bit less light, we implemented this sort of thing about
> >>>> > 5 years back and now with the aid of a small script have a solution
> >>>> > which is fully RPZ compatible. Using PDNS recursor and LUA, which can
> >>>> > handle an RPZ feed of about four thousand records and around 5,000 QPS.
> >>>> > We did stress test briefly with an 11,000 item RPZ feed.
> >>>> >
> >>>> > As said, no need to restart when it updates, just do a LUA reload.
> >>>> > Hopefully I should be able to release what we did soon - am waiting
> >>>> > for permission from our legal types.
> >>>> >
> >>>> > Really not sure if that helps any, except to say it's very doable and
> >>>> > can be quite stable.
> >>>> >
> >>>>
> >>>> RPZ seems really interesting, and I see there was a request for it in
> >>>> the past*. The thing is, we have direct requests from local government
> >>>> agencies to ban some domains with legal issues (mandated by a judge
> >>>> for example), and we were just approached about being able to block
> >>>> sites from the Internet Watch Foundation black list also (with their
> >>>> own landing page). Both cases will be redirected to different sites,
> >>>> and each has its own data source. Currently on bind we just define the
> >>>> domain as authoritative and it's kind of a hassle.
> >>>>
> >>>> Also, I thought about adding some helpful LUA bits to report date/time
> >>>> or the client's IP address, but from what I understood, only one LUA
> >>>> script can be added to the recursor; maybe a super monster script
> >>>> could be able to achieve all that.
> >>>>
> >>>> Ref:
> >>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
> >>>>
> >>>> Regards,
> >>>> --
> >>>> Ciro Iriarte
> >>>> http://iriarte.it
> >>>> --
> >>>
> >>> Hi,
> >>>
> >>> I would use a single Lua script for all of it. I am trying to find my
> >>> sample using CDB to post.
> >>>
> >>> Regards,
> >>> Ken
> >>
> >> Hi! Got a proof of concept script that successfully does the CDB
> >> lookup, but I'm curious about the CNAME answers: how can I call
> >> another resolution iteration to find the A record for the final
> >> destination?
> >>
> >> Currently I can only answer a CNAME record, and any attempt to reach a
> >> website for example will fail with "Couldn't resolve host".
> >>
> >> Regards,
> >>
> >> --
> >> Ciro Iriarte
> >> http://iriarte.it
> >> --
> >
> > Answering to myself, found the followCNAMERecords return option. It
> > works to look for a regular A lookup from the CNAME result. It doesn't
> > cover the case where our overwritten answer should also be blocked (the
> > LUA script is not run on that iteration).
> >
> > Should that case be covered? Is there another return code that will
> > trigger the LUA script again for the CNAME follow-up?
> >
> > --
> > Ciro Iriarte
> > http://iriarte.it
> > --
>
> Got a functional pair of scripts:
>
> http://iriarte.it/?p=316
>
> This doesn't address yet the possibility to blacklist
> "*.offender.com", for example. Comments?
>
>
> Regards,
> Ciro
>
> --
> Ciro Iriarte
> http://iriarte.it
> --
In a way I'd chosen sqlite3 instead as it is pretty much on par with cdb. But, to make it work properly, I'd just add "*.domain.com", and when you look up, you could reduce it like this with get():

www.my.long.name.com => NOT FOUND
*.my.long.name.com => NOT FOUND
*.long.name.com => NOT FOUND
*.name.com => FOUND

(of course you could continue with *.com and *)

Aki

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
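The suffix walk Aki describes, written out as an added example that is not taken from the thread, from Ciro's scripts or from the PowerDNS recursor itself. It is Python on the standard-library sqlite3 module so it runs stand-alone; a recursor Lua script would do the same walk against its own cdb or sqlite table. It goes one step beyond the thread's single lookup: each blocklist row also carries its data source and landing page, since the thread has two lists (court orders and the IWF feed) that redirect to different sites. The table layout, column names, domain names and entries are constructed for illustration.

```python
import sqlite3

# Constructed sample blocklist (not from the thread). Column meanings are an
# assumption of this example: pattern is either an exact name or "*.suffix",
# source names the feed the entry came from, landing is the CNAME target.
SAMPLE_ENTRIES = [
    ("offender.example",        "court-order", "blocked.gov.example"),
    ("*.offender.example",      "court-order", "blocked.gov.example"),
    ("*.name.example",          "iwf",         "landing.iwf.example"),
    ("exact.host.example",      "court-order", "blocked.gov.example"),
]


def open_blocklist(entries=SAMPLE_ENTRIES):
    """Build an in-memory sqlite3 blocklist; a deployment would keep it on disk."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE blocklist ("
        " pattern TEXT PRIMARY KEY, source TEXT NOT NULL, landing TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO blocklist VALUES (?, ?, ?)", entries)
    db.commit()
    return db


def normalize(qname):
    """DNS names are case-insensitive and may arrive with a trailing dot."""
    return qname.rstrip(".").lower()


def candidates(qname):
    """Yield the keys to try, most specific first, exactly as Aki's walk does:

    www.my.long.name.example  (exact)
    *.my.long.name.example
    *.long.name.example
    *.name.example
    *.example
    *                         (catch-all, if someone ever lists it)
    """
    name = normalize(qname)
    yield name
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])
    yield "*"


def lookup(db, qname):
    """Return (matched_pattern, source, landing) or None.

    Note the walk never turns "*.offender.example" into a match for the apex
    "offender.example" itself: to block the apex as well you list it as an
    exact entry, as the sample data does.
    """
    for pattern in candidates(qname):
        row = db.execute(
            "SELECT pattern, source, landing FROM blocklist WHERE pattern = ?",
            (pattern,),
        ).fetchone()
        if row is not None:
            return row
    return None


if __name__ == "__main__":
    db = open_blocklist()
    for q in ("www.my.long.name.example", "WWW.Offender.Example.",
              "offender.example", "sub.exact.host.example", "unrelated.example"):
        print(q, "->", lookup(db, q))
```

The per-candidate get() mirrors what a cdb lookup gives you; on sqlite3 you could instead fetch all candidates in one `WHERE pattern IN (...)` query and pick the first hit in candidate order, which matters only at high QPS. Whatever the store, feed `lookup()` the normalised name, because a client can ask for `WWW.Offender.Example.` and expect the same policy as for `www.offender.example`.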