Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 20, 2022 at 09:51:51AM +0330, Hamed Haghshenas via Pdns-users wrote:

> >> How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
> the PowerDNS wiki but can't understand what I should do?
> 
> >>  
> https://doc.powerdns.com/recursor/dnssec.html
> 
> > In short:
> 
> > dnssec=validate
> 
> I set dnssec=validate, but one error exists (Invalid signature: connected)
> 
> #
> 
> Your dns security:
> 
> DNSSEC (FAIL)
> 
> * Valid signature: connected
> * Invalid signature: connected
> * Expired signature: not connected
> * Missing signature: not connected
> 
> Best Regards,

This is interesting. AFAIK, the query used for this test is

dig badsig.go.dnscheck.tools TXT

According to the website, it should not validate. I will investigate.

-Otto
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Hamed Haghshenas via Pdns-users
>> How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
the PowerDNS wiki but can't understand what I should do?

https://doc.powerdns.com/recursor/dnssec.html

> In short:

> dnssec=validate

I set dnssec=validate, but one error exists (Invalid signature: connected)

#

Your dns security:

DNSSEC (FAIL)

*   Valid signature: connected
*   Invalid signature: connected
*   Expired signature: not connected
*   Missing signature: not connected

Best Regards,


Re: [Pdns-users] zoneToCache - File Format

2022-01-19 Thread Bill Pye via Pdns-users
Hi 

I'd recommend using RPZ on your recursor; if you sign up here: 
https://github.com/Homas/ioc2rpz#installation - you'll get a ton of regularly 
updated feeds and you can implement your own blacklist/whitelist fairly easily. 
Take a look at it and see what you think. 

I've been using those feeds for quite a while and without problems. 

Regards 

Bill 

> From: "Pdns-users" 
> To: "Pdns-users" 
> Sent: Tuesday, 18 January, 2022 21:13:54
> Subject: [Pdns-users] zoneToCache - File Format

> Hi All,

> BackGround:

> PowerDNS Recursor v4.6.0

> I have the example from the docs
> (https://doc.powerdns.com/recursor/lua-config/ztc.html) working perfectly:

> zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", {
> refreshPeriod = 0 })

> Problem:

> I’d like to load a “BlackList” file (or multiple BlackList files) the same 
> way,
> but I have no idea what file format the PDNS zoneToCache function is looking
> for. In a perfect world, I’d like to be able to take a list of domains like
> this:

> Domain1.com

> Domain2.com

> Domain3.com

> *.Domain3.com

> Domain4.com

> Sub.Domain4.com

> Sub2.Domain4.com

> And load them via the zoneToCache feature, and have them all point to a
> specific, common IP Address, like 192.168.1.100, but I can’t seem to figure 
> out
> how to accomplish this.

> Any thoughts, examples, or suggestions would be greatly appreciated. Thank you
> very much for your time & help.

> Cheers,

> Clint



Re: [Pdns-users] zoneToCache - File Format

2022-01-19 Thread Walter Parker via Pdns-users
If what you want is a DNS Blacklist, those are a separate thing from a DNS
Cache. Instead of trying to use an existing DNS server, I’d spin up a
separate instance of a PowerDNS authoritative server and populate it with
your domains to be blocked (if the list is mostly static, you might use
LMDB, sqlite3, or tinyDNS as your backend). Then you would add that
server’s name to the mail server’s DNSBL configuration. I have not used
PowerDNS dnsdist, but that is the way to cache authoritative DNS records.
What kind of scale are you looking for? What is your expected query load?

You might look for howtos on how to set up a DNS blacklist. In
today’s world, using multiple instances is usually the way to go.

For example if you want to block email from domainxyz.com and add it to
your existing DNS server, that will cause anything using your DNS for
actual DNS to try and load web requests from the client’s local web server
(which will fail for 99.9% of users) instead of the website for
domainxyz.com. At some point you will discover that a user needs to go to a
website hosted by someone in your DNS black list and you will have
forgotten about your overloading.


Walter

On Wed, Jan 19, 2022 at 8:55 AM Clint Anderson via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Otto & Walter - Thank you for the replies!
>
> Otto,
>
> My assumption was that the cache is the most efficient and if it was in
> the cache, it would return the cached answer and never go looking for an
> update.  Thank you for the clarification on the zoneToCache functionality,
> seems I was barking up the wrong tree.
>
> If using the cache is not the way to go, what is the best, most efficient
> way, to block half a million (500,000) or more domains?  I do not have any
> experience using RPZ files, but I did read up on it and it seems to be the
> best way to go.  Trying to load 500,000 domains into a file and running a
> Lua "preresolve" script seems like it would require more system resources
> and not be as efficient, but I would love to hear your opinion on it.
>
> Thank you very much for your time & help!
>
> Cheers,
> Clint
>
> > Hi All,
> >
> > BackGround:
> > PowerDNS Recursor v4.6.0
> > I have the example from the docs (
> https://doc.powerdns.com/recursor/lua-config/ztc.html) working perfectly:
> > zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", {
> > refreshPeriod = 0 })
> >
> >
> > Problem:
> > I'd like to load a "BlackList" file (or multiple BlackList files) the
> same way, but I have no idea what file format the PDNS zoneToCache function
> is looking for.  In a perfect world, I'd like to be able to take a list of
> domains like this:
> >
> > Domain1.com
> > Domain2.com
> > Domain3.com
> > *.Domain3.com
> > Domain4.com
> > Sub.Domain4.com
> > Sub2.Domain4.com
> >
> > And load them via the zoneToCache feature, and have them all point to a
> specific, common IP Address, like 192.168.1.100, but I can't seem to figure
> out how to accomplish this.
> >
> > Any thoughts, examples, or suggestions would be greatly appreciated.
> Thank you very much for your time & help.
>
> The format is the zone file format, see e.g.
> https://en.wikipedia.org/wiki/Zone_file
>
> But the zone to cache is not for overriding. It is meant to be used for
> keeping the cache hot. The recursor will replace records you are trying to
> override with data retrieved from the net in some cases.
>
> To override names there are two mechanisms available: Lua interception [1]
> and RPZ [2].
>
> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html
> [2]
> https://docs.powerdns.com/recursor/lua-config/rpz.html#response-policy-zones-rpz
>
> -Otto
>
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


Re: [Pdns-users] zoneToCache - File Format

2022-01-19 Thread Otto Moerbeek via Pdns-users
On Wed, Jan 19, 2022 at 04:54:25PM +, Clint Anderson via Pdns-users wrote:

> Otto & Walter - Thank you for the replies!
> 
> Otto,
> 
> My assumption was that the cache is the most efficient and if it was in the 
> cache, it would return the cached answer and never go looking for an update.  
> Thank you for the clarification on the zoneToCache functionality, seems I was 
> barking up the wrong tree.

RPZ is a good way. 

Quick DB access from Lua can be done, but might be hard to get right
as there are potential pitfalls with respect to threading, Lua
contexts and ffi, to name a few.

A completely different way is to use dnsdist, which can access either
a CDB or LMDB database via 

https://dnsdist.org/rules-actions.html#KeyValueStoreLookupRule

-Otto

> 
> If using the cache is not the way to go, what is the best, most efficient 
> way, to block half a million (500,000) or more domains?  I do not have any 
> experience using RPZ files, but I did read up on it and it seems to be the 
> best way to go.  Trying to load 500,000 domains into a file and running a Lua 
> "preresolve" script seems like it would require more system resources and not 
> be as efficient, but I would love to hear your opinion on it. 
> 
> Thank you very much for your time & help!
> 
> Cheers,
> Clint
> 
> > Hi All,
> > 
> > BackGround:
> > PowerDNS Recursor v4.6.0
> > I have the example from the docs 
> > (https://doc.powerdns.com/recursor/lua-config/ztc.html) working perfectly:
> > zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", { 
> > refreshPeriod = 0 })
> > 
> > 
> > Problem:
> > I'd like to load a "BlackList" file (or multiple BlackList files) the same 
> > way, but I have no idea what file format the PDNS zoneToCache function is 
> > looking for.  In a perfect world, I'd like to be able to take a list of 
> > domains like this:
> > 
> > Domain1.com
> > Domain2.com
> > Domain3.com
> > *.Domain3.com
> > Domain4.com
> > Sub.Domain4.com
> > Sub2.Domain4.com
> > 
> > And load them via the zoneToCache feature, and have them all point to a 
> > specific, common IP Address, like 192.168.1.100, but I can't seem to figure 
> > out how to accomplish this.
> > 
> > Any thoughts, examples, or suggestions would be greatly appreciated.  Thank 
> > you very much for your time & help.
> 
> The format is the zone file format, see e.g. 
> https://en.wikipedia.org/wiki/Zone_file
> 
> But the zone to cache is not for overriding. It is meant to be used for 
> keeping the cache hot. The recursor will replace records you are trying to 
> override with data retrieved from the net in some cases.
> 
> To override names there are two mechanisms available: Lua interception [1] 
> and RPZ [2].
> 
> [1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html
> [2] 
> https://docs.powerdns.com/recursor/lua-config/rpz.html#response-policy-zones-rpz
> 
>   -Otto


Re: [Pdns-users] zoneToCache - File Format

2022-01-19 Thread Clint Anderson via Pdns-users
Otto & Walter - Thank you for the replies!

Otto,

My assumption was that the cache is the most efficient and if it was in the 
cache, it would return the cached answer and never go looking for an update.  
Thank you for the clarification on the zoneToCache functionality, seems I was 
barking up the wrong tree.

If using the cache is not the way to go, what is the best, most efficient way, 
to block half a million (500,000) or more domains?  I do not have any 
experience using RPZ files, but I did read up on it and it seems to be the best 
way to go.  Trying to load 500,000 domains into a file and running a Lua 
"preresolve" script seems like it would require more system resources and not 
be as efficient, but I would love to hear your opinion on it. 

Thank you very much for your time & help!

Cheers,
Clint

> Hi All,
> 
> BackGround:
> PowerDNS Recursor v4.6.0
> I have the example from the docs 
> (https://doc.powerdns.com/recursor/lua-config/ztc.html) working perfectly:
> zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", { 
> refreshPeriod = 0 })
> 
> 
> Problem:
> I'd like to load a "BlackList" file (or multiple BlackList files) the same 
> way, but I have no idea what file format the PDNS zoneToCache function is 
> looking for.  In a perfect world, I'd like to be able to take a list of 
> domains like this:
> 
> Domain1.com
> Domain2.com
> Domain3.com
> *.Domain3.com
> Domain4.com
> Sub.Domain4.com
> Sub2.Domain4.com
> 
> And load them via the zoneToCache feature, and have them all point to a 
> specific, common IP Address, like 192.168.1.100, but I can't seem to figure 
> out how to accomplish this.
> 
> Any thoughts, examples, or suggestions would be greatly appreciated.  Thank 
> you very much for your time & help.

The format is the zone file format, see e.g. 
https://en.wikipedia.org/wiki/Zone_file

But the zone to cache is not for overriding. It is meant to be used for keeping 
the cache hot. The recursor will replace records you are trying to override 
with data retrieved from the net in some cases.

To override names there are two mechanisms available: Lua interception [1] and 
RPZ [2].

[1] https://docs.powerdns.com/recursor/lua-scripting/hooks.html
[2] 
https://docs.powerdns.com/recursor/lua-config/rpz.html#response-policy-zones-rpz

-Otto
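Of the two override mechanisms Otto names, RPZ is the one that takes a plain zone file, so the list Clint posted has to be turned into RPZ records first. The script below is an added example, not code from the thread or from the PowerDNS project: it builds such a zone from a domain list, pointing every name (and every name under a "*." entry) at one address. The zone origin blocklist.rpz. and the SOA/NS values are assumptions; 192.168.1.100 is the address from the thread.

```python
"""Build a Response Policy Zone (RPZ) from a plain domain list."""
import ipaddress


def normalise(domains):
    """Lowercase, trim and deduplicate; drop blanks, comments and any
    name already matched by a "*." entry in the same list. A wildcard
    such as *.domain3.com matches evil.domain3.com (and deeper names)
    but not domain3.com itself, so the apex stays as its own rule."""
    names = set()
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        if name and not name.startswith("#"):
            names.add(name)
    wildcards = {n[2:] for n in names if n.startswith("*.")}
    return sorted(n for n in names if n.startswith("*.")
                  or not any(n.endswith("." + w) for w in wildcards))


def rpz_records(domains, target_ip):
    """RPZ QNAME-trigger records whose action is local data (A/AAAA).
    Owner names are relative to the zone origin: "domain1.com" becomes
    "domain1.com.blocklist.rpz." when loaded, which is how RPZ encodes
    "the query name domain1.com"."""
    ip = ipaddress.ip_address(target_ip)  # rejects a malformed address early
    rtype = "A" if ip.version == 4 else "AAAA"
    return [f"{name} IN {rtype} {ip}" for name in normalise(domains)]


def rpz_zone(domains, target_ip, origin="blocklist.rpz.", serial=1):
    """Render a complete zone file; the SOA and NS records are required
    by zone loaders even though RPZ never serves them to clients."""
    header = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(domains, target_ip)) + "\n"


# Constructed input: Clint's list plus one name a wildcard already covers.
BLOCKLIST = ["Domain1.com", "Domain2.com", "Domain3.com", "*.Domain3.com",
             "Evil.Domain3.com", "Domain4.com", "Sub.Domain4.com",
             "Sub2.Domain4.com"]

if __name__ == "__main__":
    print(rpz_zone(BLOCKLIST, "192.168.1.100"), end="")
```

The resulting file is what the rpzFile() call in the RPZ documentation Otto linked consumes; bump the serial whenever the list changes so a reload picks it up.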


Re: [Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Brian Candler via Pdns-users

On 19/01/2022 09:54, Hamed Haghshenas via Pdns-users wrote:
How can I secure my DNS Recursor? I tried to read the document about DNSSEC in 
the PowerDNS wiki but can’t understand what I should do?


https://doc.powerdns.com/recursor/dnssec.html

In short:

dnssec=validate


[Pdns-users] PowerDNS Recursor Performance and Tuning

2022-01-19 Thread Hamed Haghshenas via Pdns-users
Hello Dears,

I configured PowerDNS Recursor with the configuration below:

allow-from-file=/etc/pdns-recursor/IP-Iran-List.txt
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1 x.x.x.x
any-to-tcp=yes
distribution-load-factor=1.25
pdns-distributes-queries=yes
distributor-threads=1
logging-facility=0
max-tcp-queries-per-connection=10
quiet=no
reuseport=yes
threads=3


When I check with https://dnscheck.tools/, I get some errors like:

##

Oh no! Your dns responses are NOT properly authenticated! You may be
susceptible to certain attacks such as dns cache poisoning.

And

Your dns security:

DNSSEC (FAIL)

*   Valid signature: connected
*   Invalid signature: connected
*   Expired signature: connected
*   Missing signature: connected

#

But when I try using 8.8.8.8 it is different:

Great! Your dns responses are authenticated, protecting you from certain
attacks

Your dns security:

DNSSEC (PASS)

*   Valid signature: connected
*   Invalid signature: not connected
*   Expired signature: not connected
*   Missing signature: not connected

How can I secure my DNS Recursor? I tried to read the document about DNSSEC in
the PowerDNS wiki but can't understand what I should do?

Best Regards,

Hamed Haghshenas