Re: [Pdns-users] dp.variable when changing RPZ policy action?
On 2018-04-17 05:42, MRob wrote:
> PowerDNS blog recommends setting dq.variable when a domain response is part of the loaded block list.
> https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/
>
> But this example for modifying policy actions does not set dq.variable:
> https://doc.powerdns.com/md/recursor/scripting/#modifying-policy-decisions
>
> Is that oversight, should I set dq.variable if the policy action is liable to changing? After all, it does affect the returned result. Though in testing, I find the correct response for both cases of client requested blocking or not blocking (how does it respond correct with the wrong value in cache?)

I see the reason dq.variable is not used in this example is that there is not optional function. Nevertheless I want to pose the question: If I change policy action, is the original query result cached or the result after the policy action is considered? Thus should I need to consider setting dq.variable in this scenarios?

As you read in my last msg above, I see response is correct for both blocked client and non blocked client when assumedly only one answer is cached; this makes me think that the policy action is not considered when applying a value to cache. Can you comment?

> PS, when dq.variable is set is this forcing referral to authoritative name server on every query? Is there performance implications to consider?

And that?

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

[Pdns-users] dp.variable when changing RPZ policy action?
PowerDNS blog recommends setting dq.variable when a domain response is part of the loaded block list.
https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/

But this example for modifying policy actions does not set dq.variable:
https://doc.powerdns.com/md/recursor/scripting/#modifying-policy-decisions

Is that oversight, should I set dq.variable if the policy action is liable to changing? After all, it does affect the returned result. Though in testing, I find the correct response for both cases of client requested blocking or not blocking (how does it respond correct with the wrong value in cache?)

By the way, this example has typo, Lua uses ~= but the example uses !=

PS, when dq.variable is set is this forcing referral to authoritative name server on every query? Is there performance implications to consider?

Re: [Pdns-users] Lua control of config settings?
On 2018-04-16 10:55, MRob wrote:
> On 2018-04-16 10:09, Remi Gacogne wrote:
>> On 04/16/2018 12:03 PM, MRob wrote:
>>>> According to this, you *should* be able to load a million domains into LUA without problem.
>>>
>>> That's the same method this person said crashed recursor with much less
>>> https://git.mauras.ch/Various/powerdns_recursor_ads_blocking
>>> Are there other people who have experience?
>>
>> It shouldn't crash the recursor and if you can reproduce the crash and share the reproduction method I would be happy to look into it.
>
> ok maybe I will try it but can any people comment is there pros or cons to implementing a block list using Policy Zones instead comparing to loading the file direct into a big list? I have policy zone based blocklisting working but only with a few test domains in zone file

I tested with over 500.000 domain list using both methods. RPZ pauses at startup while loading the zone, using Lua domain list pauses when first query comes and the server forks its workers. RPZ pause feels a couple seconds slower, but not scientific measurement.

Only RPZ gave this error:

Unable to load RPZ zone from '.rpz': name too long

I had to comment out long domain lines. Can someone indicate what the maximum domain name length should be?

After startup, responsiveness seems normal using both methods but it's just one person test visiting a few different sites so I can't give solid data.

Are there another reasons to consider why or why not to use RPZ vs. loading domain list direct in Lua?

Re: [Pdns-users] How to make Policy.NODATA response in policy zone?
On Mon, Apr 16, 2018 at 11:48:43AM +, MRob wrote:
> RPZ docs are here
> https://doc.powerdns.com/recursor/lua-config/rpz.html
>
> With no information how to make the policy responses in the zone file. I had

If you read the very first line of that link, it tells you this is an implementation of "RPZ, an open standard developed by Paul Vixie (ISC and Farsight) and Vernon Schryver (Rhyolite), to modify DNS responses based on a policy loaded via a zonefile"

Perhaps read up about RPZ? And stop blaming us? This would point you at https://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

> to spend plenty of time wandering around your docs until I find this
> examples:

A full refund is available. Or contribute some better documentation?

(this is the final reply)

Bert

Re: [Pdns-users] How to make Policy.NODATA response in policy zone?
On 2018-04-16 11:40, bert hubert wrote:
> On Mon, Apr 16, 2018 at 11:33:17AM +, MRob wrote:
>> I can make NXDOMAIN applied policy for a domain in policy zone with this:
>> example.com CNAME .
>>
>> But how to cause NODATA response?
>
> Hello "MRob",
>
> We recommend that you read the documentation we wrote for you on
> https://doc.powerdns.com/recursor/lua-scripting/index.html

RPZ docs are here
https://doc.powerdns.com/recursor/lua-config/rpz.html

With no information how to make the policy responses in the zone file. I had to spend plenty of time wandering around your docs until I find this examples:
https://github.com/PowerDNS/pdns/blob/master/pdns/basic.rpz
but it has no information about causing a NODATA response

Re: [Pdns-users] How to make Policy.NODATA response in policy zone?
On Mon, Apr 16, 2018 at 11:33:17AM +, MRob wrote:
> I can make NXDOMAIN applied policy for a domain in policy zone with this:
> example.com CNAME .
>
> But how to cause NODATA response?

Hello "MRob",

We recommend that you read the documentation we wrote for you on https://doc.powerdns.com/recursor/lua-scripting/index.html

It is pretty nice. You have made us explain a lot of stuff already, so now please head to the documentation and figure it out yourself as we do not have the bandwidth to hold your hand.

Bert

[Pdns-users] How to make Policy.NODATA response in policy zone?
I can make NXDOMAIN applied policy for a domain in policy zone with this:

example.com CNAME .

But how to cause NODATA response?

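The "name too long" load error reported elsewhere in this thread and the NXDOMAIN/NODATA question above both concern how an RPZ zone file encodes its records. The linter below is an added example, not part of any message on the list and not PowerDNS code: it classifies each record's action from its CNAME target as the RPZ specification defines them, and flags owner names that exceed the RFC 1035 limits (63 octets per label, 255 per name) once the zone origin is appended. The origin `rpz.example.`, the sample zone and the function names are constructed for illustration; it is an assumption that these limits are what triggers the recursor's error, and escaped dots or records that inherit the previous owner are not handled.

```python
# Added example: pre-load lint for an RPZ zone file (not PowerDNS code).
MAX_NAME_OCTETS = 255   # RFC 1035: whole name in wire format
MAX_LABEL_OCTETS = 63   # RFC 1035: a single label

# Policy actions the RPZ specification encodes as special CNAME targets.
CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                 "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def wire_length(name):
    """Octets on the wire: one length byte per label plus the root byte."""
    return sum(len(l) + 1 for l in name.rstrip(".").split(".") if l) + 1

def lint_rpz(text, origin):
    """Return (owner, action, problem) per policy record; problem is None if it fits."""
    results = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()          # drop comments
        if not fields or fields[0].startswith("$"):    # blank line or $TTL/$ORIGIN
            continue
        i = 1                                          # skip optional TTL and class
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        if i >= len(fields):
            continue
        owner, rtype, rdata = fields[0], fields[i].upper(), " ".join(fields[i + 1:])
        if rtype in ("SOA", "NS"):                     # zone apex records, not policy
            continue
        # Relative owners get the zone origin appended, which uses up part of the 255.
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else owner + "." + origin
        if any(len(l) > MAX_LABEL_OCTETS for l in fqdn.rstrip(".").split(".")):
            problem = "label too long"
        elif wire_length(fqdn) > MAX_NAME_OCTETS:
            problem = "name too long"
        else:
            problem = None
        action = CNAME_ACTIONS.get(rdata.lower(), "LOCAL-DATA") if rtype == "CNAME" else "LOCAL-DATA"
        results.append((owner, action, problem))
    return results

# Constructed sample: LONG is legal on its own (247 octets) but not under the origin.
LONG = ".".join(["a" * 60] * 3 + ["b" * 50, "example.com"])
SAMPLE_ZONE = f"""$TTL 60
@ IN SOA localhost. root.localhost. 1 12h 15m 3w 2h
@ IN NS localhost.
blocked.example.com CNAME .
nodata.example.com 300 IN CNAME *.
allowed.example.com CNAME rpz-passthru.
walled.example.com A 192.0.2.1
{LONG} CNAME .
"""

if __name__ == "__main__":
    for owner, action, problem in lint_rpz(SAMPLE_ZONE, "rpz.example."):
        print(f"{action:10} {problem or 'ok':14} {owner[:40]}")
```

Running the lint over a blocklist before converting it to a policy zone shows which entries would have to be dropped or commented out, instead of finding them one load failure at a time.
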
Re: [Pdns-users] Lua control of config settings?
On 2018-04-16 10:09, Remi Gacogne wrote:
> On 04/16/2018 12:03 PM, MRob wrote:
>>> According to this, you *should* be able to load a million domains into LUA without problem.
>>
>> That's the same method this person said crashed recursor with much less
>> https://git.mauras.ch/Various/powerdns_recursor_ads_blocking
>> Are there other people who have experience?
>
> It shouldn't crash the recursor and if you can reproduce the crash and share the reproduction method I would be happy to look into it.

ok maybe I will try it but can any people comment is there pros or cons to implementing a block list using Policy Zones instead comparing to loading the file direct into a big list? I have policy zone based blocklisting working but only with a few test domains in zone file

Re: [Pdns-users] Lua errors finding global objects in recent version
On 04/16/2018 12:09 PM, MRob wrote:
> Thank you for your help. I am try to load a policy zone and over-ride
> the zone using LUA. A little confused but can you confirm I need both?

Yes, you do. lua-config-file is for configuration options, as explained in [1], and lua-dns-script to modify the recursor behavior, for example by intercepting queries, as described in [2].

[1]: https://doc.powerdns.com/recursor/lua-config/index.html
[2]: https://doc.powerdns.com/recursor/lua-scripting/configure.html

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

Re: [Pdns-users] Lua errors finding global objects in recent version
On 2018-04-16 07:45, Remi Gacogne wrote:
> Hi,
>
> On 04/16/2018 01:41 AM, MRob wrote:
>> I have strange errors in LUA script like this:
>>
>> Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL Exception: [string "chunk"]:2: attempt to call global 'pdnslog' (a nil value)
>>
>> Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL Exception: [string "chunk"]:6: attempt to call global 'newNMG' (a nil value)
>>
>> Strange because I get pdns-recursor from pdns repo. Version 4.1.2 so why is this errors?
>
> You are using lua-config-file instead of lua-dns-script to load your file.

Thank you for your help. I am try to load a policy zone and over-ride the zone using LUA. A little confused but can you confirm I need both?

rpzFile has to be in lua-config-file

Other things, prerecurse must be in lua-dns-script

This correct understanding? Thank you

Re: [Pdns-users] Lua control of config settings?
On 04/16/2018 12:03 PM, MRob wrote:
>> According to this, you *should* be able to load a million domains into
>> LUA without problem.
>
> That's the same method this person said crashed recursor with much less
> https://git.mauras.ch/Various/powerdns_recursor_ads_blocking
> Are there other people who have experience?

It shouldn't crash the recursor and if you can reproduce the crash and share the reproduction method I would be happy to look into it.

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

Re: [Pdns-users] Lua control of config settings?
On 2018-04-16 07:01, Brian Candler wrote:
> On 15/04/2018 22:08, MRob wrote:
>> I read about how recursor can be used to block queries for tracking domains:
>> https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/
>
> You may find this interesting:
> https://www.powerdns.com/resources/2016%20UKNOF%20filtering%20bert%20hubert.pdf
>
> According to this, you *should* be able to load a million domains into LUA without problem.

That's the same method this person said crashed recursor with much less
https://git.mauras.ch/Various/powerdns_recursor_ads_blocking
Are there other people who have experience?

> But you can also do lookups in a CDB file.

Do you know where I can find info about this? There is tinydns backend, maybe there is a way in LUA preresolve function to do lookup to different backend? Ignore backend otherwise.

Re: [Pdns-users] Lua errors finding global objects in recent version
Hi,

On 04/16/2018 01:41 AM, MRob wrote:
> I have strange errors in LUA script like this:
>
> Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL
> Exception: [string "chunk"]:2: attempt to call global 'pdnslog' (a nil
> value)
>
> Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL
> Exception: [string "chunk"]:6: attempt to call global 'newNMG' (a nil
> value)
>
> Strange because I get pdns-recursor from pdns repo. Version 4.1.2 so why
> is this errors?

You are using lua-config-file instead of lua-dns-script to load your file.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

Re: [Pdns-users] Lua control of config settings?
On 15/04/2018 22:08, MRob wrote:
> I read about how recursor can be used to block queries for tracking domains:
> https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/

You may find this interesting:
https://www.powerdns.com/resources/2016%20UKNOF%20filtering%20bert%20hubert.pdf

According to this, you *should* be able to load a million domains into LUA without problem.

But you can also do lookups in a CDB file.