All,

As you may know, ThreatSTOP provides an RPZ service and it works on PowerDNS. 
What doesn't quite work is logging, and I'm trying to fix that.


My problem is that the documentation for what is output in the protobuf logging 
is unclear - https://github.com/PowerDNS/pdns/blob/master/pdns/dnsmessage.proto 
is the only thing I can find - but it doesn't look like PowerDNS provides the 
record that caused the RPZ rewrite that is made available in BIND. The 
PolicyType enum tells me that the hit was RESPONSEIP etc., but I don't see 
anything in the rest of the protobuf that gives me the actual rule that was hit.


In BIND you have a "via blahblah.." stanza in the log line that does this, e.g.

17-Mar-2020 09:34:49.887 rpz: info: client 192.168.123.10#53112 (casasur.cl): 
rpz QNAME NODATA rewrite casasur.cl via 
casasur.cl.phishy.di000001.rpz.threatstop.local

For RPZ hits that work on dnames the qname is (plus or minus a *.) such as in 
the example above, so that's fine, but if the rule hit is something else, e.g. 
responseip or nsip, then this isn't helpful.
E.g. BIND tells me this:
19-Mar-2020 09:00:45.878 rpz: info: client 192.168.123.12#55929 (peccsr.com): 
rpz NSIP CNAME rewrite peccsr.com via 
29.120.82.251.162.rpz-nsip.phishy.di000001.rpz.threatstop.local

So far as I can tell, what I get from PowerDNS is the rewritten return, e.g. 
NXDOMAIN or CNAME something, but not the record that caused the rewrite. This 
makes it hard for us to provide details on why the record was rewritten, e.g. 
that it was a botnet or phishing or porn or whatever.

So my questions are:
Is there more documentation on what is in the protobuf output?
Is there a way to configure it so that it can contain what I need (ideally 
without recompiling PowerDNS)?

Regards

Francis

Francis Turner
Threat STOP Global SE
JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
Office: +1-760-542-1550 | Skype: francis.turner.threatstop
fran...@threatstop.com | www.threatstop.com
Weaponize Your Threat Intelligence
“If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
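The two BIND lines quoted in the mail carry exactly the trigger record that is said to be missing from the PowerDNS protobuf stream. As an added example (not from the original post, nor from PowerDNS, BIND or ThreatSTOP), this Python parser extracts the policy type, the action and the "via" rule, splits off the RPZ zone, and decodes a reversed-octet rpz-nsip trigger back into a network. Treating the zone's first label as the category is an assumption about the quoted feed's naming, and the input lines are the mail's own two examples re-joined.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
# Constructed input: the two BIND "rpz:" log lines quoted in the mail, re-joined onto one line each.
SAMPLE_LINES = [
    "17-Mar-2020 09:34:49.887 rpz: info: client 192.168.123.10#53112 (casasur.cl): "
    "rpz QNAME NODATA rewrite casasur.cl via casasur.cl.phishy.di000001.rpz.threatstop.local",
    "19-Mar-2020 09:00:45.878 rpz: info: client 192.168.123.12#55929 (peccsr.com): "
    "rpz NSIP CNAME rewrite peccsr.com via 29.120.82.251.162.rpz-nsip.phishy.di000001.rpz.threatstop.local",
]
LINE_RE = re.compile(
    r"^\S+ \S+ rpz: info: client \S+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<policy>\S+) (?P<action>\S+) rewrite \S+ via (?P<via>\S+)$"
)
IP_MARKERS = {"rpz-ip", "rpz-nsip", "rpz-client-ip"}  # marker labels of address-based triggers

@dataclass
class RpzHit:
    qname: str
    policy: str             # QNAME, NSIP, IP, NSDNAME, CLIENT-IP
    action: str             # NODATA, NXDOMAIN, CNAME, ...
    trigger: str            # the "via" owner name, i.e. the rule that fired
    zone: str               # the RPZ zone that rule lives in
    category: str           # first zone label; in the quoted feed it names the reason (assumption)
    network: Optional[str]  # decoded IPv4 network for rpz-ip / rpz-nsip triggers

def decode_ipv4_trigger(labels):
    """RPZ encodes an IPv4 network as prefix.B4.B3.B2.B1, octets reversed."""
    prefix, *octets = labels
    return str(ipaddress.ip_network(".".join(reversed(octets)) + "/" + prefix, strict=False))

def parse_rpz_line(line: str) -> Optional[RpzHit]:
    m = LINE_RE.match(line)
    if not m:
        return None
    via = m["via"].split(".")
    marker = next((i for i, label in enumerate(via) if label in IP_MARKERS), None)
    network = None
    if marker is not None:  # address trigger: the labels before the marker encode the network
        zone = via[marker + 1:]
        if marker == 5:     # prefix + 4 octets; IPv6 triggers (8 groups, "zz") are not decoded here
            network = decode_ipv4_trigger(via[:marker])
    else:  # name trigger: the rule owner is a suffix of the qname (maybe under "*."); the zone follows it
        rule = via[1:] if via[0] == "*" else via
        q = m["qname"].split(".")
        k = next((k for k in range(min(len(rule), len(q)), 0, -1) if rule[:k] == q[-k:]), 0)
        zone = rule[k:]
    return RpzHit(m["qname"], m["policy"], m["action"], m["via"],
                  ".".join(zone), zone[0] if zone else "", network)
```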