Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
On Mon, Feb 24, 2020 at 08:41:15AM +0100, Steinar Haug via Pdns-users wrote:

> >> > Thank you, that got me a bit further. But I'm not where I want to be
> >> > yet. DNSQuestion.variable will let me decide whether an answer should
> >> > be inserted into the packet cache or not. But using this in the prerpz
> >> > hook I have (so far) not found a way to make insertion in the packet
> >> > cache dependent on the *policy name* - which is what I'm trying to
> >> > achieve here.
> >>
> >> in preresolve(dq) dq.appliedPolicy.policyName should be available.
> >> prerpz(dq) is too early in the process.
> >
> > To elaborate: name or client ip based policies will be set in
> > preresolve(dq). For policies that are applied post resolve, you can
> > add code in postresolve(dq).
>
> Excellent, got that working. Thanks! Now a related question: How can
> I give some queries an extra RPZ policy, based on for instance IP of
> the querier?
>
> Steinar Haug, AS2116

Look at e.g. https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.4.1

	-Otto

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
>> > Thank you, that got me a bit further. But I'm not where I want to be
>> > yet. DNSQuestion.variable will let me decide whether an answer should
>> > be inserted into the packet cache or not. But using this in the prerpz
>> > hook I have (so far) not found a way to make insertion in the packet
>> > cache dependent on the *policy name* - which is what I'm trying to
>> > achieve here.
>>
>> in preresolve(dq) dq.appliedPolicy.policyName should be available.
>> prerpz(dq) is too early in the process.
>
> To elaborate: name or client ip based policies will be set in
> preresolve(dq). For policies that are applied post resolve, you can
> add code in postresolve(dq).

Excellent, got that working. Thanks! Now a related question: How can
I give some queries an extra RPZ policy, based on for instance IP of
the querier?

Steinar Haug, AS2116
Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
On Fri, Feb 14, 2020 at 03:34:37PM +0100, Otto Moerbeek via Pdns-users wrote:

> On Fri, Feb 14, 2020 at 03:06:10PM +0100, Steinar Haug via Pdns-users wrote:
>
> > >> I have previously used PowerDNS recursor and RPZ while treating all
> > >> query sources equally. This works fine.
> > >>
> > >> I'm now trying to use RPZ to block copyright type domains selectively
> > >> based on source IP from the query, by using Lua discardPolicy. I'm
> > >> seeing an unexpected interaction with the packet cache.
> >
> > ...
> >
> > >> My question is basically: Is this behavior expected? I find it highly
> > >> surprising, since it basically means that the RPZ functionality (and
> > >> whether it works or not) depends on packetcache contents.
> > >
> > > Yes, this is expected. Look at
> > >
> > > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> > >
> > > for the solution.
> >
> > Thank you, that got me a bit further. But I'm not where I want to be
> > yet. DNSQuestion.variable will let me decide whether an answer should
> > be inserted into the packet cache or not. But using this in the prerpz
> > hook I have (so far) not found a way to make insertion in the packet
> > cache dependent on the *policy name* - which is what I'm trying to
> > achieve here.
>
> in preresolve(dq) dq.appliedPolicy.policyName should be available.
> prerpz(dq) is too early in the process.

To elaborate: name or client ip based policies will be set in
preresolve(dq). For policies that are applied post resolve, you can
add code in postresolve(dq).

> 	-Otto
>
> > If I have
> >
> > rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
> > rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
> > rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})
> >
> > is there a way to exempt *only* policy "c" from the packet cache?
> >
> > Steinar Haug, AS2116
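As an added example, not code from the thread, here is a lua-dns-script that applies Otto's advice to Steinar's three-policy setup: answers produced by policy "c", and the unfiltered answers handed to clients exempted from it, are marked variable so neither ever enters the packet cache. The helper name, table name and log text are this example's own; dq.variable, dq.appliedPolicy.policyName, discardPolicy and newNMG are the recursor features discussed in the thread.

```lua
-- Added example, not code from the thread: a lua-dns-script that keeps
-- only policy "c" out of the packet cache, using the hooks Otto names.

-- Policies whose answers differ per client and must not be packet-cached.
-- Policy names "a", "b", "c" come from Steinar's rpzFile() config.
local noCachePolicies = { c = true }

-- Clients exempt from policy "c" (netmask taken from the thread).
local exemptClients = newNMG()
exemptClients:addMask("193.75.110.130/32")

-- Helper (this example's own): if the RPZ hit came from a policy listed
-- in noCachePolicies, mark the answer as variable so the recursor does
-- not insert it into the packet cache and later clients re-run the hooks.
local function skipPacketCacheForPolicy(dq, hook)
  local name = dq.appliedPolicy and dq.appliedPolicy.policyName
  if name and name ~= "" and noCachePolicies[name] then
    dq.variable = true
    pdnslog(hook .. ": policy " .. name .. " applied, answer not packet-cached")
  end
end

function prerpz(dq)
  if exemptClients:match(dq.remoteaddr) then
    -- The exempt client gets the real answer. That answer is also
    -- client-specific (the thread's Example 1), so keep it out of the
    -- packet cache as well, or it would be served to filtered clients.
    dq:discardPolicy("c")
    dq.variable = true
  end
  return false
end

-- QNAME and client-IP triggered policies are already decided here.
function preresolve(dq)
  skipPacketCacheForPolicy(dq, "preresolve")
  return false
end

-- Policies triggered by response data are applied after resolution,
-- so check again once the answer is in.
function postresolve(dq)
  skipPacketCacheForPolicy(dq, "postresolve")
  return false
end
```

Policies "a" and "b" are untouched by this script, so their answers are still packet-cached as before.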
Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
On Fri, Feb 14, 2020 at 03:06:10PM +0100, Steinar Haug via Pdns-users wrote:

> >> I have previously used PowerDNS recursor and RPZ while treating all
> >> query sources equally. This works fine.
> >>
> >> I'm now trying to use RPZ to block copyright type domains selectively
> >> based on source IP from the query, by using Lua discardPolicy. I'm
> >> seeing an unexpected interaction with the packet cache.
>
> ...
>
> >> My question is basically: Is this behavior expected? I find it highly
> >> surprising, since it basically means that the RPZ functionality (and
> >> whether it works or not) depends on packetcache contents.
> >
> > Yes, this is expected. Look at
> >
> > https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
> >
> > for the solution.
>
> Thank you, that got me a bit further. But I'm not where I want to be
> yet. DNSQuestion.variable will let me decide whether an answer should
> be inserted into the packet cache or not. But using this in the prerpz
> hook I have (so far) not found a way to make insertion in the packet
> cache dependent on the *policy name* - which is what I'm trying to
> achieve here.

in preresolve(dq) dq.appliedPolicy.policyName should be available.
prerpz(dq) is too early in the process.

	-Otto

>
> If I have
>
> rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
> rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
> rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})
>
> is there a way to exempt *only* policy "c" from the packet cache?
>
> Steinar Haug, AS2116
Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
>> I have previously used PowerDNS recursor and RPZ while treating all
>> query sources equally. This works fine.
>>
>> I'm now trying to use RPZ to block copyright type domains selectively
>> based on source IP from the query, by using Lua discardPolicy. I'm
>> seeing an unexpected interaction with the packet cache.

...

>> My question is basically: Is this behavior expected? I find it highly
>> surprising, since it basically means that the RPZ functionality (and
>> whether it works or not) depends on packetcache contents.
>
> Yes, this is expected. Look at
>
> https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable
>
> for the solution.

Thank you, that got me a bit further. But I'm not where I want to be
yet. DNSQuestion.variable will let me decide whether an answer should
be inserted into the packet cache or not. But using this in the prerpz
hook I have (so far) not found a way to make insertion in the packet
cache dependent on the *policy name* - which is what I'm trying to
achieve here.

If I have

rpzFile("/usr/local/etc/pdns/a.zone", {policyName="a"})
rpzFile("/usr/local/etc/pdns/b.zone", {policyName="b"})
rpzFile("/usr/local/etc/pdns/c.zone", {policyName="c"})

is there a way to exempt *only* policy "c" from the packet cache?

Steinar Haug, AS2116
Re: [Pdns-users] Are queries towards RPZ domains supposed to use the packet cache?
On Mon, Feb 10, 2020 at 03:15:02PM +0100, Steinar Haug via Pdns-users wrote:

> I have previously used PowerDNS recursor and RPZ while treating all
> query sources equally. This works fine.
>
> I'm now trying to use RPZ to block copyright type domains selectively
> based on source IP from the query, by using Lua discardPolicy. I'm
> seeing an unexpected interaction with the packet cache.
>
> Environment: FreeBSD 12.1-STABLE, PowerDNS recursor 4.2.0 installed
> from FreeBSD package.
>
> Contents of lua-config-file:
>
> rpzFile("/usr/local/etc/pdns/copyright.zone", {policyName="copyright"})
>
> Contents of copyright.zone:
>
> $TTL 300
> @ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
> @ NS localhost.
> ;
> thepiratebay.se A 10.11.12.13
> *.thepiratebay.se A 10.11.12.13
> ...
>
> Contents of lua-dns-script:
>
> badips = newNMG()
> badips:addMask("193.75.110.130/32")
>
> function prerpz(dq)
>   pdnslog("prerpz called")
>   if badips:match(dq.remoteaddr) then
>     pdnslog("prerpz match IP to skip copyright domain check")
>     dq:discardPolicy("copyright")
>   end
>   return false
> end
>
> Right after starting PowerDNS recursor (i.e. empty packetcache):
>
> - If I query from 193.75.110.130 with an empty packetcache, the RPZ
>   check is skipped, as expected, and I get
>
>   thepiratebay.se.    3600    IN  SOA a.ns14.net.
>   curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
>
> - If I query from a different IP with an empty packetcache, the RPZ
>   policy is used, and I get
>
>   thepiratebay.se.    300     IN  A   10.11.12.13
>
> This all seems fine. However, if the packetcache already contains
> the reply to the query above (either the RPZ policy reply or the
> actual reply from for instance a.ns14.net), this reply is handed
> out to *all* query addresses. I.e. it appears as if the RPZ policy
> check (or the skipping of same, from discardPolicy) happens after
> the packetcache is consulted. This is highly visible in the logs
> by using "trace=on" in the recursor.conf file.
>
> Example 1: Packetcache contains:
>
>   thepiratebay.se.    3600    IN  SOA a.ns14.net.
>   curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
>
> because it was queried from 193.75.110.130 right after startup.
> Subsequent queries, whether they come from 193.75.110.130 or a
> different IP, show hits in the packetcache:
>
> Feb 10 14:54:48 x pdns_recursor[32563]: 3 question answered from packet cache tag=0 from 193.75.110.130:39453
> Feb 10 14:54:50 x pdns_recursor[32563]: 3 question answered from packet cache tag=0 from 193.75.110.130:47250
> Feb 10 14:55:10 x pdns_recursor[32563]: 3 question answered from packet cache tag=0 from 193.75.110.134:37866
> Feb 10 14:55:13 x pdns_recursor[32563]: 3 question answered from packet cache tag=0 from 193.75.110.134:10022
>
> and in the replies one can see that TTL counts down:
>
>   thepiratebay.se.    3598    IN  SOA a.ns14.net.
>   curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
>   thepiratebay.se.    3596    IN  SOA a.ns14.net.
>   curdsadns.internetx.de. 2018070501 43200 7200 1209600 432000
>
> etc.
>
> Example 2: Packetcache contains
>
>   thepiratebay.se.    300     IN  A   10.11.12.13
>
> because it was queried from a different IP than 193.75.110.130
> right after startup. Subsequent queries, whether they come from
> 193.75.110.130 or a different IP, show hits in the packetcache:
>
> Feb 10 15:04:04 x pdns_recursor[32627]: 3 question answered from packet cache tag=0 from 193.75.110.134:53118
> Feb 10 15:04:06 x pdns_recursor[32627]: 3 question answered from packet cache tag=0 from 193.75.110.134:53282
> Feb 10 15:04:12 x pdns_recursor[32627]: 3 question answered from packet cache tag=0 from 193.75.110.130:65401
> Feb 10 15:04:14 x pdns_recursor[32627]: 3 question answered from packet cache tag=0 from 193.75.110.130:29779
>
> and in the replies one can see that the TTL counts down:
>
>   thepiratebay.se.    298     IN  A   10.11.12.13
>   thepiratebay.se.    296     IN  A   10.11.12.13
>
> etc.
>
> My question is basically: Is this behavior expected? I find it highly
> surprising, since it basically means that the RPZ functionality (and
> whether it works or not) depends on packetcache contents.
>
> A small twist on the above behavior: If the query contains a DNS
> cookie (e.g. if generated by newer versions of dig), it seems the
> packetcache is not consulted - which means that RPZ works the way
> I want. But I cannot depend on DNS cookies always being set...
>
> Steinar Haug, AS2116

Yes, this is expected. Look at

https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.variable

for the solution.

	-Otto