Re: [Pdns-users] wpad filtering
On Thu, 30 Nov 2017 16:59:08, Robert Mortimer <r...@scramworks.net> wrote:

> Hi,
>
> I did something similar to implement RPZ-like functionality before PDNS had
> proper RPZ support and didn't notice any significant impact; that was with a
> list of a few thousand records we were checking and seeing a few thousand
> QPS.
>
> So it'll make a bit of difference but depending on how busy your server is
> you probably won't notice.
>
> Of course your mileage may vary.
>
> --
> Robm
> 873
> "Ask not what I can do for the stupid,
> but what the stupid can do for me" - Graeme Garden
>
> On 30/11/2017 14:33:38, Mario Caruso <car...@tiscali.com> wrote:
> On Thu, 30 Nov 2017 14:51:46 +0100, Remi Gacogne wrote:
> [cut]

Thank you Robert, in my case I have around twenty/thirty names and more or
less 1k qps, so it should be something unnoticeable; anyway I'll share my
experience with the list.

have a nice day

M.
---
() ASCII Ribbon Campaign
/\ Against HTML E-Mail
---
This mail is ubuntu Hostile
---
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] wpad filtering
On Thu, 30 Nov 2017 14:51:46 +0100, Remi Gacogne <remi.gaco...@powerdns.com> wrote:

> Hi Mario,

Hi Remi,
Thank you for the reply,

> On 11/30/2017 11:52 AM, Mario Caruso wrote:
> > I am trying to write a lua rule to somehow filter/capture
> > the wpad-like dq.qname (http://allievi.sssup.it/techblog/archives/81)
> >
> > in my test environment (debian stretch and recursor version
> > 4.1.0~rc3-1pdns.stretch) I have this rule :
> >
> > -- US-CERT TA16-144A.
> > if (dq.qname:isPartOf(newDN("wpad")))
> > then
> >   dq.rcode = 0
> >   dq:addAnswer(pdns.A, "127.0.0.1")
> >   return true;
> > end
> >
> > but this doesn't seem to work, maybe I am misinterpreting
> > the isPartOf method, or maybe I should use :toString and
> > then use lua pattern matching.
>
> isPartOf() returns true if the name is a sub-domain of the one passed in
> parameter, so here it would match any domain under the hypothetic .wpad
> TLD, which is not what you want. Lua pattern matching would be one of
> the various ways to do that, yes.

I switched the expression to this one:

queryString = dq.qname:toString()
-- US-CERT TA16-144A.
-- match only names whose leftmost label is "wpad"
if (queryString:match('^wpad%.'))
then
  dq.rcode = 0
  dq:addAnswer(pdns.A, "127.0.0.1")
  return true;
end

and this is working in the test environment.
I would like to know what other admins think of this approach, I mean can it
affect performance as it is "casting" every query to a string?
Am I the only one doing this?

thanks to everybody

M.
[Pdns-users] wpad filtering
Greetings,
I am trying to write a lua rule to somehow filter/capture the wpad-like
dq.qname (http://allievi.sssup.it/techblog/archives/81)

in my test environment (debian stretch and recursor version
4.1.0~rc3-1pdns.stretch) I have this rule :

-- US-CERT TA16-144A.
if (dq.qname:isPartOf(newDN("wpad")))
then
  dq.rcode = 0
  dq:addAnswer(pdns.A, "127.0.0.1")
  return true;
end

but this doesn't seem to work, maybe I am misinterpreting the isPartOf
method, or maybe I should use :toString and then use lua pattern matching.
Can anyone give me a suggestion?

Also I would like to ask the list: are you filtering wpad requests? If yes,
are you using this method?

thank you

M.
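The rule from the question above and the pattern-matching version in the reply, reworked as an added example (not code from any list member) that compares the leftmost label instead of a string pattern, keeps a per-organization allow-list, and handles non-A query types. It assumes the recursor 4.x preresolve() hook, the DNSName methods countLabels(), getRawLabels() and isPartOf(), and the pdns.A / pdns.NOERROR / pdns.NXDOMAIN constants; corp.example. is a placeholder.

```lua
-- Added example (not code from the thread): a PowerDNS Recursor 4.x
-- preresolve() hook that sinkholes queries whose leftmost label is "wpad",
-- whatever the parent domain, as described in US-CERT TA16-144A.
-- Assumed: the recursor's Lua DNSName methods countLabels(), getRawLabels()
-- and isPartOf(), plus the pdns.A / pdns.NOERROR / pdns.NXDOMAIN constants.

-- Zones under which wpad.<zone> is legitimately served by your own proxy
-- auto-config host and must stay resolvable (constructed placeholder;
-- replace with your real search domains, or leave empty to block all).
local allowed_parents = {
  newDN("corp.example."),
}

local function under_allowed_parent(qname)
  for _, parent in ipairs(allowed_parents) do
    if qname:isPartOf(parent) then
      return true
    end
  end
  return false
end

-- True when the leftmost label is "wpad" and a parent domain follows it.
-- isPartOf(newDN("wpad")) would instead match names *under* a ".wpad" TLD,
-- and a Lua pattern such as '^wpad%.' is case-sensitive while DNS is not,
-- so the lowercased first label is compared explicitly.
local function is_wpad_query(qname)
  if qname:countLabels() < 2 then
    return false
  end
  local first = qname:getRawLabels()[1]
  return string.lower(first) == "wpad"
end

function preresolve(dq)
  if not is_wpad_query(dq.qname) or under_allowed_parent(dq.qname) then
    return false            -- not our concern: resolve normally
  end
  if dq.qtype == pdns.A then
    -- Same sinkhole the thread uses: point the A record at localhost.
    dq.rcode = pdns.NOERROR
    dq:addAnswer(pdns.A, "127.0.0.1", 300)
  else
    -- Any other type (AAAA, CNAME, ...) gets NXDOMAIN so that no proxy
    -- auto-config location can be learned through another record type.
    dq.rcode = pdns.NXDOMAIN
  end
  return true               -- hand the synthesized answer back to the client
end
```

Load it with the recursor's lua-dns-script setting and confirm with dig that wpad.<untrusted-domain> returns the sinkhole while wpad.corp.example still resolves.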
Re: [Pdns-users] also-notify
Hello Remi,

> Hi Mario,
>
> On 05/19/2017 10:28 AM, Mario Caruso wrote:
[cut]
> > What I'm ideally looking for is a "per zone also-notify".
>
> Did you look at domain metadata [1]?
>
> [1]: https://doc.powerdns.com/3/authoritative/domainmetadata/#also-notify

my bad, I totally missed this information, will start to study it right now.
Thank you for pointing me to it.

> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/

bye

M
[Pdns-users] also-notify
Hello everybody,
I have a setup where a pdns authoritative (3.4.11) with hundreds of zones
should notify changes only for one specific zone to two slaves that are not
listed as NS; is there a way to achieve this?
Currently I'm using the "also-notify" setting and this works, but it sends
notifies for all the zones served by the pdns authoritative.
What I'm ideally looking for is a "per zone also-notify".

Thank you very much for the support

Mario Caruso
Re: [Pdns-users] redis as backend for pdns authoritative
Thanks Ruben,
I'm actually testing the "PyPdnsRedis" backend
(https://pagekite.net/wiki/Floss/PyPdnsRedis/); I was wondering if somebody
else has used it, to exchange experience on it.
If I've understood how it works, in this implementation all records are
stored as hashes in redis. So for example if I create a SOA record for
"foo.local" and then I create an A record for "www.foo.local", they're just
two hashes, each one containing a single string field. If I add an MX record
for "foo.local" it becomes the second string field inside the hash object
created for "foo.local".

thanks again

M.

On Thu, 12 May 2016 13:26:40 +0200, Ruben d'Arco <ru...@prof-x.net> wrote:

> Hi,
>
> I once had the idea of creating a redis backend, but couldn't fully decide on
> the structure to use for that as I have no redis experience :)
>
> So, currently there is no Redis backend.
>
> If you're interested in developing it, then maybe the pdns-dev mailing list
> is a good option to share ideas around the data structure.
>
> regards,
> Ruben
>
>
> On Thu, May 12, 2016 at 01:15:20PM +0200, Mario Caruso wrote:
> > Hi all,
> > I'm wondering if anybody here is using redis as backend
> > for pdns authoritative, I searched on the internet and found
> > an old pipe backend called "PyPdnsRedis", I was wondering
> > if someone here is using it or has knowledge of other "glue"
> > between pdns and redis.
> >
> > Thanks
> >
> > M.
[Pdns-users] redis as backend for pdns authoritative
Hi all,
I'm wondering if anybody here is using redis as backend for pdns
authoritative; I searched on the internet and found an old pipe backend
called "PyPdnsRedis", I was wondering if someone here is using it or has
knowledge of other "glue" between pdns and redis.

Thanks

M.
Re: [Pdns-users] Ignoring answer from server socket!
On Mon, 17 Feb 2014 15:15:49 +0100, bert hubert <bert.hub...@netherlabs.nl> wrote:

> On Mon, Feb 17, 2014 at 03:12:01PM +0100, car...@tiscali.com wrote:
> > Hello list,
> > I'm trying to investigate the output of my pdns recursor, I'm getting a
> > lot of messages like :
> >
> > Ignoring answer from x.y.z.k on server socket!
> >
> > where x.y.z.k are various client ip addresses.
>
> Which version are you running? How often do you get these messages,
> thousands of times? Which operating system? Are you behind NAT perhaps?

Thanks Bert, I'd better describe my environment:
4 servers behind a cisco LB (managed by other people)
I'm running 3.5.3-1 on debian wheezy amd64, the package was downloaded from
the pdns download page (so it is not the official debian package).
I have about 60 of these messages every minute, on each server.

> > so it seems like a client is sending an answer where the pdns_recursor
> > was expecting a query; reading previous messages I thought that this
> > could be a ddos/amplification pointed at my machines.
>
> It could be!
>
> Bert

Reading the "Related to recent DoS attacks:" thread I also checked the max
file descriptors, but it seems that I'm quite far from the limit:

fgrep 'Max open files' /proc/$(pgrep pdns_recursor)/limits
Max open files            16384                16384                files

find /proc/$(pgrep pdns_recursor)/fd | wc -l
570

M.
[Pdns-users] dyndns webapp
Hello,
I'm afraid that this is not 100% on topic, but I'll give it a try and face
the consequences. I'm currently administering a pdns with mysql backend and
I was asked to set it up in order to receive dynamic dns updates using the
dyndns2 protocol (so updates should come via authenticated http), so the
first option I thought of was to write some php web application to handle
this, but I'm wondering if we really need to re-invent the wheel, so are you
aware of an already existing application? (something like 'proutdns' for
bind or 'Oh Jasmin Dynamic DNS' for djbdns).

thank you

Mario
Re: [Pdns-users] dyndns webapp
On Thu, 7 Mar 2013 12:42:28 +0100, Jan-Piet Mens <jpmens@gmail.com> wrote:

> > mysql backend and I was asked to set it up in order to receive dynamic
> > dns updates using the dyndns2 protocol (so updates should come via
> > authenticated http)
>
> I'm not aware of anything good, but it's pretty trivial to accomplish, as
> you probably know: obtain the (authentic) data and INSERT/UPDATE your
> MySQL back-end tables. :)
>
> -JP

thanks JP, that's exactly what I'm doing (even if I'm not a php expert), I
was just wondering if I'm reinventing the wheel :)

Mario
[Pdns-users] pdns-recursor and amazon cloudfront
Hello everybody,
I'd like to ask your advice on an issue that I'm having with my
pdns-recursor; I admin four x86 servers where I installed pdns-recursor
(standard package from debian squeeze 64 bit, so recursor 3.2) and two old
servers (slackware 13.1 32 bit) where bind is running (bind was installed as
the standard slackware package bind-9.7).
All the servers are used by my company's customers as dns resolvers; I
received a complaint because some customers are unable to reach some parts
of the website creativepark.it; the issue seems to be linked to the
resolution of the name static.creativepark.it.

If I use dig on one of the pdns servers everything seems to work fine, eg:

dig +short @10.39.73.28 static.creativepark.it
d3fshx1vqqth2b.cloudfront.net.

dig +short @10.39.73.28 d3fshx1vqqth2b.cloudfront.net.
205.251.209.51
205.251.209.149
205.251.209.198
205.251.209.91
205.251.209.171
205.251.209.210
205.251.209.81
205.251.209.6

so the hostname static.creativepark.it is a cname for a cloudfront object,
d3fshx1vqqth2b.cloudfront.net, and I expect that resolution on the clients
will follow the cname chain up to the end.

If I try to resolve with a different tool (nslookup or host) I get an error
because of the NXDOMAIN flag that is generated by the CNAME in an external
domain, for example: (10.39.73.28 is one of the pdns-recursor servers)

---
host static.creativepark.it 10.39.73.28
Using domain server:
Name: 10.39.73.28
Address: 10.39.73.28#53
Aliases:

Host static.creativepark.it not found: 3(NXDOMAIN)
---
nslookup
> server 10.39.73.28
Default server: 10.39.73.28
Address: 10.39.73.28#53
> set nosearch
> static.creativepark.it
Server: 10.39.73.28
Address: 10.39.73.28#53

** server can't find static.creativepark.it: NXDOMAIN
---

I thought that this was an issue just for the host and nslookup utilities,
because they are fooled by the NXDOMAIN flag, so I tried to make a different
test: I logged in to a test server, edited resolv.conf to use one of the
pdns servers and used wget to download http://static.creativepark.it
What I expected was to be able to download the page; instead I got another
error:

wget --no-proxy static.creativepark.it
--17:12:50--  http://static.creativepark.it/
           => `index.html'
Resolving static.creativepark.it... failed: Name or service not known.

so I changed the resolv.conf in order to use one of the bind servers and
nslookup / host / dig and even wget started to work:
(10.39.113.107 is one of the old bind resolvers)

---
wget --no-proxy static.creativepark.it
--17:17:23--  http://static.creativepark.it/
           => `index.html'
Resolving static.creativepark.it... 205.251.209.103, 205.251.209.134, 205.251.209.148, ...
Connecting to static.creativepark.it|205.251.209.103|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 392 [text/html]
[cut]
17:17:24 (27.88 MB/s) - `index.html' saved [392/392]
---
host static.creativepark.it 10.39.113.107
Using domain server:
Name: 10.39.113.107
Address: 10.39.113.107#53
Aliases:

static.creativepark.it is an alias for d3fshx1vqqth2b.cloudfront.net.
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.58
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.100
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.103
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.134
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.148
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.166
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.208
d3fshx1vqqth2b.cloudfront.net has address 205.251.209.32
---

I'm really puzzled by the situation; is there anybody that is having the
same behaviour? or that is aware of this weird thing with cloudfront?

btw, I tried to contact hostmas...@cloudfront.net since it is published in
the soa record of cloudfront.net .. but apparently that address doesn't
exist :-/

Thank you

M.
Re: [Pdns-users] pdns-recursor and amazon cloudfront
On Tue, 11 Dec 2012 10:33:56 -0600, k...@rice.edu <k...@rice.edu> wrote:

> On Tue, Dec 11, 2012 at 05:25:55PM +0100, Mario Caruso wrote:
> > Hello everybody,
>
> Lots of details deleted...
>
> > I'm really puzzled by the situation; is there anybody that is having the
> > same behaviour? or that is aware of this weird thing with cloudfront?
>
> Hi Mario,
>
> I reported this bug and it has been fixed and should be available in the
> next pdns-recursor release:
>
> http://wiki.powerdns.com/trac/ticket/598
>
> Regards,
> Ken

Hi Ken,
thank you for the reply, I read your ticket but I still have a doubt: in the
ticket the affected version is 3.3 while I'm using 3.2; do you think that
the bug affects all 3.x versions?
Anyway I've upgraded pdns-recursor to version 3.3 using the .deb file from
http://downloads.powerdns.com/releases/deb/ but apparently nothing changed;
maybe I should compile from the latest svn and see how it goes.

Regards

M.
Re: [Pdns-users] pdns-recursor and amazon cloudfront
> [cut]
>
> So, to recap:
> - the issue is not with cloudfront
> - the creativepark.it name servers are misconfigured
> - older recursors get confused by this
> - current SVN recursor has no trouble with it
>
> I cannot judge whether ticket #598 is actually related to this.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

Hello Peter,
thank you for the clarification/recap, I didn't notice the NXDOMAIN
returned by the creativepark.it nameservers.

Kind Regards

M.
Re: [Pdns-users] PowerDNS in an ISP environment
On 08/16/2011 10:05 AM, Chris Russell wrote:
> Hi Bert,
>
> The best I can do is refer to this thread, which lists some data points:
> http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html
> [cut]

Hello,
I work in an ISP and we're using pdns as auth server; we have about 4000
domains (we switched from bind for the mysql backend).

bye

M.
Re: [Pdns-users] PowerDNS capabilities- link domains?
On Tue, 27 Jul 2010 11:20:48 -0500, Chris Wopat <m...@falz.net> wrote:

> Date: Fri, 23 Jul 2010 14:42:30 -0500
> From: Chris Wopat <m...@falz.net>
> Subject: [Pdns-users] PowerDNS capabilities- link domains?
> To: pdns-users@mailman.powerdns.com
>
> I'm looking for a web based DNS frontend for our customers to use. We have
> many circumstances where we simply symlink BIND zone files so there's one
> set of A/CNAME/MX records to maintain for multiple domains (foo.com,
> foo.org, foo.net, etc). If they need to change an A record, it's done in
> one place and is consistent across all of those domains.
>
> Does PowerDNS natively have the ability to do this? I looked at the default
> DB schema for MySQL and I'm not seeing anything in it that could
> accommodate this without another table or a schema change. Anyone have
> insight as to whether this type of modification is possible?

maybe it's silly, but if you use the bind backend for those zones/domains
and the mysql backend for the others, you can use the same behaviour that
you use on bind (symlink or the same datafile for more zones). In this way
you'll obviously lose the ability to change things in mysql for those zones.

bye

M.
[Pdns-users] strange resolution problem
Hello,
I've just upgraded my bind dns cache server to pdns-recursor and I'm having
some trouble resolving the hostname www.cafsials.it; this should be a CNAME
to another record, web.dataufficio.com, but it seems that the pdns_recursor
daemon is not accepting this resolution ... but I cannot understand why; if
I try to resolve it with the bind daemon on the same server I get a valid
response.
Here is an excerpt from the daemon log files, can someone explain to me what
is happening?

thank you

M.

Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: Trying IP 213.92.11.34:53, asking 'www.cafsials.it.|A'
Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: Got 2 answers from ns2.register.it. (213.92.11.34), rcode=3, in 41ms
Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: accept answer 'www.cafsials.it.|CNAME|web.dataufficio.com.' from 'cafsials.it.' nameservers? YES!
Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: accept answer 'dataufficio.com.|SOA|ns1.register.it. hostmaster.register.it. 2004061701 10800 3600 604800 86400' from 'cafsials.it.' nameservers? NO!
Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: determining status after receiving this packet
Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: status=NXDOMAIN, we are done
Jun 22 14:16:43 elan pdns_recursor[26638]: [2048] www.cafsials.it.: failed (res=3)
Jun 22 14:16:43 elan pdns_recursor[26638]: 0 [2048] answer to question 'www.cafsials.it.|A': 1 answers, 0 additional, took 2 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3
Re: [Pdns-users] strange resolution problem
> After doing a little checking myself, it looks like the nameserver for
> 'cafsials.it' is trying to bundle the referral-chasing into its response,
> because it has a zone for 'dataufficio.com'.

I totally agree, I've verified it too after Wouter's response

> Frankly I'm surprised that the recursor is showing any credulity to the
> additional stuff in the authority zone; that said, the 'dataufficio.com'
> zone should be removed from the nameservers being used, if you can; if
> not, you might contact whoever runs it and mention that the zone shouldn't
> be there.

I've just sent an email to the email contact in the soa, now I'm waiting for
a response

> Of course, that sort of authority-section stuffing should really be
> ignored to begin with. Bert, if you're reading this, can something be
> done about this?

this is a really good point; if this behaviour is not against some rfc I
guess that pdns should ignore that kind of authority section.

bye

M.