[thirdparty/pdns.git] / pdns / dnsdistconf.lua

-- listen for console connection with the given secret key
-- controlSocket("0.0.0.0")
-- setKey(please generate a fresh private key with makeKey())

-- start the web server on port 8083, using password 'set a random password here'
-- webserver("0.0.0.0:8083", "set a random password here")

-- accept DNS queries on UDP/5200 and TCP/5200
addLocal("0.0.0.0:5200")

-- send statistics to PowerDNS metronome server
-- carbonServer("2001:888:2000:1d::2")

-- fix up possibly badly truncated answers from pdns 2.9.22
truncateTC(true)

warnlog(string.format("Script starting %s", "up!"))

-- define the good servers
newServer("8.8.8.8", 2)  -- 2 qps
newServer("8.8.4.4", 2)
newServer("208.67.222.222", 1)
newServer("208.67.220.220", 1)
newServer("2001:4860:4860::8888", 1)
newServer("2001:4860:4860::8844",1)
newServer("2620:0:ccc::2", 10)
newServer("2620:0:ccd::2", 10)
newServer({address="192.168.1.2", qps=1000, order=2})
newServer({address="192.168.1.79:5300", order=2})
newServer({address="127.0.0.1:5300", order=3})
newServer({address="192.168.1.30:5300", pool="abuse"})

-- switch the server balancing policy to round robin,
-- the default being least outstanding queries
-- setServerPolicy(roundrobin)

-- send the queries for selected domain suffixes to the server
-- in the 'abuse' pool
addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))

-- send the queries from a selected subnet to the
-- abuse pool
addAction("192.168.1.0/24", PoolAction("abuse"))

-- send the queries for the "com" suffix to the "abuse"
-- pool, but only up to 100 qps
addAction("com.", QPSPoolAction(100, "abuse"))

-- declare a Lua action function, routing NAPTR queries
-- to the abuse pool
function luarule(dq)
	if(dq.qtype==dnsdist.NAPTR)
	then
		return DNSAction.Pool, "abuse" -- send to abuse pool
	else
		return DNSAction.None, ""      -- no action
	end
end
-- send only queries from the selected subnet to
-- the luarule function
addLuaAction("192.168.1.0/24", luarule)

-- drop queries exceeding 5 qps, grouped by /24 for IPv4
-- and /64 for IPv6
addAction(MaxQPSIPRule(5, 24, 64), DropAction())

-- move the last rule to the first position
topRule()

-- drop queries for the following suffixes:
addAction("powerdns.org.", DropAction())
addAction("spectre.", DropAction())

-- called before we distribute a question
block=newDNSName("powerdns.org.")
truncateNMG = newNMG()
truncateNMG:addMask("213.244.0.0/16")
truncateNMG:addMask("2001:503:ba3e::2:30")
truncateNMG:addMask("fe80::/16")

print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))

-- called to pick a downstream server, ignores 'up' status
counter=0
function luaroundrobin(servers, dq)
	 counter=counter+1;
	 return servers[1+(counter % #servers)]
end
-- setServerPolicyLua("luaroundrobin", luaroundrobin)

newServer({address="2001:888:2000:1d::2", pool={"auth", "dnssec"}})
newServer({address="2a01:4f8:110:4389::2", pool={"auth", "dnssec"}})
--addAction(DNSSECRule(), PoolAction("dnssec"))
--topRule()

-- split queries between the 'auth' pool and the regular one,
-- based on the RD flag
function splitSetup(servers, dq)
	 if(dq.dh:getRD() == false)
	 then
		return firstAvailable.policy(getPoolServers("auth"), dq)
	 else
		return firstAvailable.policy(servers, dq)
	 end
end
-- setServerPolicyLua("splitSetup", splitSetup)

-- the 'maintenance' function is called every second
function maintenance()
	 -- block all hosts that exceeded 20 qps over the past 10s,
	 -- for 60s
	 addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
end

-- allow queries for the domain powerdns.com., drop everything else
-- addAction(makeRule("powerdns.com."), AllowAction())
-- addAction(AllRule(), DropAction())

-- clear the RD flag in queries for powerdns.com.
-- addAction("powerdns.com.", NoRecurseAction())

-- set the CD flag in queries for powerdns.com.
-- addAction("powerdns.com.", DisableValidationAction())

-- delay all responses for 1000ms
-- addAction(AllRule(), DelayAction(1000))

-- truncate ANY queries over UDP only
-- addAction(AndRule{QTypeRule(dnsdist.ANY), TCPRule(false)}, TCAction())

-- truncate ANY queries over TCP only
-- addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(true)}), TCAction())
-- can also be written as:
-- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction())

-- return 'not implemented' for qtype != A over UDP
-- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))

-- return 'not implemented' for qtype == A OR received over UDP
-- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))

-- log all queries to a 'dndist.log' file, in text-mode (not binary) appending and unbuffered
-- addAction(AllRule(), LogAction("dnsdist.log", false, true, false))

-- drop all queries with the DO flag set
-- addAction(DNSSECRule(), DropAction())

-- drop all queries for the CHAOS class
-- addAction(QClassRule(3), DropAction())
-- addAction(QClassRule(DNSClass.CHAOS), DropAction())

-- drop all queries with the UPDATE opcode
-- addAction(OpcodeRule(DNSOpcode.Update), DropAction())

-- refuse all queries not having exactly one question
-- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(dnsdist.REFUSED))

-- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$
-- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(dnsdist.REFUSED))

-- spoof responses for A, AAAA and ANY for spoof.powerdns.com.
-- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both
-- addAction("spoof.powerdns.com.", SpoofAction({"192.0.2.1", "2001:DB8::1"}))

-- spoof responses will multiple records
-- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2
-- ANY all of that
-- addAction("spoof.powerdns.com", SpoofAction({"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"}))

-- spoof responses with a CNAME
-- addAction("cnamespoof.powerdns.com.", SpoofCNAMEAction("cname.powerdns.com."))

-- spoof responses in Lua
--[[
    function spoof1rule(dq)
        if(dq.qtype==1) -- A
        then
                return DNSAction.Spoof, "192.0.2.1"
        elseif(dq.qtype == 28) -- AAAA
        then
                return DNSAction.Spoof, "2001:DB8::1"
        else
                return DNSAction.None, ""
        end
    end
    function spoof2rule(dq)
        return DNSAction.Spoof, "spoofed.powerdns.com."
    end
    addLuaAction("luaspoof1.powerdns.com.", spoof1rule)
    addLuaAction("luaspoof2.powerdns.com.", spoof2rule)

--]]

-- alter a protobuf response for anonymization purposes
--[[
function alterProtobuf(dq, protobuf)
    requestor = newCA(dq.remoteaddr:toString())
    if requestor:isIPv4() then
        requestor:truncate(24)
    else
        requestor:truncate(56)
    end
    protobuf:setRequestor(requestor)
end

rl = newRemoteLogger("127.0.0.1:4242")
addAction(AllRule(), RemoteLogAction(rl, alterProtobuf))
--]]
Commit	Line	Data
ff484825	1	-- listen for console connection with the given secret key
4b775242 RG	2	-- controlSocket("0.0.0.0")
4b775242 RG	3	-- setKey(please generate a fresh private key with makeKey())
ff484825	4
4b775242 RG	5	-- start the web server on port 8083, using password 'set a random password here'
4b775242 RG	6	-- webserver("0.0.0.0:8083", "set a random password here")
ff484825 RG	7
ff484825 RG	8	-- accept DNS queries on UDP/5200 and TCP/5200
2e72cc0e	9	addLocal("0.0.0.0:5200")
ff484825 RG	10
ff484825 RG	11	-- send statistics to PowerDNS metronome server
9ebc0e91	12	-- carbonServer("2001:888:2000:1d::2")
6d01c80c	13
ff484825 RG	14	-- fix up possibly badly truncated answers from pdns 2.9.22
	15	truncateTC(true)
	16
4c6f4321	17	warnlog(string.format("Script starting %s", "up!"))
4c6f4321	18
773470ca	19	-- define the good servers
773470ca	20	newServer("8.8.8.8", 2) -- 2 qps
ff484825	21	newServer("8.8.4.4", 2)
773470ca	22	newServer("208.67.222.222", 1)
ff484825	23	newServer("208.67.220.220", 1)
773470ca	24	newServer("2001:4860:4860::8888", 1)
ff484825 RG	25	newServer("2001:4860:4860::8844",1)
	26	newServer("2620:0:ccc::2", 10)
	27	newServer("2620:0:ccd::2", 10)
bf9edc24 RG	28	newServer({address="192.168.1.2", qps=1000, order=2})
	29	newServer({address="192.168.1.79:5300", order=2})
	30	newServer({address="127.0.0.1:5300", order=3})
	31	newServer({address="192.168.1.30:5300", pool="abuse"})
9dea07d2	32
ff484825 RG	33	-- switch the server balancing policy to round robin,
	34	-- the default being least outstanding queries
	35	-- setServerPolicy(roundrobin)
	36
	37	-- send the queries for selected domain suffixes to the server
	38	-- in the 'abuse' pool
832c1792	39	addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))
ff484825 RG	40
	41	-- send the queries from a selected subnet to the
	42	-- abuse pool
832c1792	43	addAction("192.168.1.0/24", PoolAction("abuse"))
4f4ad7f5	44
ff484825 RG	45	-- send the queries for the "com" suffix to the "abuse"
ff484825 RG	46	-- pool, but only up to 100 qps
06c8e7f3	47	addAction("com.", QPSPoolAction(100, "abuse"))
9dea07d2	48
ff484825 RG	49	-- declare a Lua action function, routing NAPTR queries
ff484825 RG	50	-- to the abuse pool
497a6e3a	51	function luarule(dq)
ff484825	52	if(dq.qtype==dnsdist.NAPTR)
d8d85a30	53	then
	54	return DNSAction.Pool, "abuse" -- send to abuse pool
	55	else
	56	return DNSAction.None, "" -- no action
	57	end
	58	end
ff484825 RG	59	-- send only queries from the selected subnet to
ff484825 RG	60	-- the luarule function
d8d85a30	61	addLuaAction("192.168.1.0/24", luarule)
4f4ad7f5	62
ff484825 RG	63	-- drop queries exceeding 5 qps, grouped by /24 for IPv4
ff484825 RG	64	-- and /64 for IPv6
1b726acf	65	addAction(MaxQPSIPRule(5, 24, 64), DropAction())
1b726acf	66
ff484825	67	-- move the last rule to the first position
d8d85a30	68	topRule()
d8d85a30	69
ff484825	70	-- drop queries for the following suffixes:
832c1792 RG	71	addAction("powerdns.org.", DropAction())
832c1792 RG	72	addAction("spectre.", DropAction())
0940e4eb	73
9dea07d2	74	-- called before we distribute a question
ff484825	75	block=newDNSName("powerdns.org.")
68e82cf9	76	truncateNMG = newNMG()
	77	truncateNMG:addMask("213.244.0.0/16")
	78	truncateNMG:addMask("2001:503:ba3e::2:30")
	79	truncateNMG:addMask("fe80::/16")
	80
	81	print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))
	82
da4e7813	83	-- called to pick a downstream server, ignores 'up' status
ff484825	84	counter=0
497a6e3a	85	function luaroundrobin(servers, dq)
ceee6652	86	counter=counter+1;
773470ca	87	return servers[1+(counter % #servers)]
9dea07d2	88	end
22b2b326	89	-- setServerPolicyLua("luaroundrobin", luaroundrobin)
9dea07d2	90
bf9edc24 RG	91	newServer({address="2001:888:2000:1d::2", pool={"auth", "dnssec"}})
bf9edc24 RG	92	newServer({address="2a01:4f8:110:4389::2", pool={"auth", "dnssec"}})
832c1792	93	--addAction(DNSSECRule(), PoolAction("dnssec"))
50bed881	94	--topRule()
520eb5a0	95
ff484825 RG	96	-- split queries between the 'auth' pool and the regular one,
	97	-- based on the RD flag
	98	function splitSetup(servers, dq)
	99	if(dq.dh:getRD() == false)
75a2db75	100	then
ff484825	101	return firstAvailable.policy(getPoolServers("auth"), dq)
75a2db75	102	else
ff484825	103	return firstAvailable.policy(servers, dq)
75a2db75	104	end
da4e7813	105	end
bac6e8fb	106	-- setServerPolicyLua("splitSetup", splitSetup)
bac6e8fb	107
ff484825	108	-- the 'maintenance' function is called every second
bac6e8fb	109	function maintenance()
ff484825 RG	110	-- block all hosts that exceeded 20 qps over the past 10s,
	111	-- for 60s
	112	addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
bac6e8fb	113	end
bac6e8fb	114
ff484825 RG	115	-- allow queries for the domain powerdns.com., drop everything else
	116	-- addAction(makeRule("powerdns.com."), AllowAction())
	117	-- addAction(AllRule(), DropAction())
	118
	119	-- clear the RD flag in queries for powerdns.com.
ff484825 RG	120	-- addAction("powerdns.com.", NoRecurseAction())
	121
	122	-- set the CD flag in queries for powerdns.com.
ff484825 RG	123	-- addAction("powerdns.com.", DisableValidationAction())
	124
	125	-- delay all responses for 1000ms
	126	-- addAction(AllRule(), DelayAction(1000))
	127
	128	-- truncate ANY queries over UDP only
832c1792	129	-- addAction(AndRule{QTypeRule(dnsdist.ANY), TCPRule(false)}, TCAction())
ff484825 RG	130
	131	-- truncate ANY queries over TCP only
	132	-- addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(true)}), TCAction())
	133	-- can also be written as:
	134	-- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction())
	135
	136	-- return 'not implemented' for qtype != A over UDP
ce71f790	137	-- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))
ff484825 RG	138
ff484825 RG	139	-- return 'not implemented' for qtype == A OR received over UDP
ce71f790	140	-- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))
ff484825	141
456fc645	142	-- log all queries to a 'dndist.log' file, in text-mode (not binary) appending and unbuffered
456fc645	143	-- addAction(AllRule(), LogAction("dnsdist.log", false, true, false))
ff484825 RG	144
	145	-- drop all queries with the DO flag set
	146	-- addAction(DNSSECRule(), DropAction())
	147
	148	-- drop all queries for the CHAOS class
	149	-- addAction(QClassRule(3), DropAction())
55baa1f2 RG	150	-- addAction(QClassRule(DNSClass.CHAOS), DropAction())
	151
	152	-- drop all queries with the UPDATE opcode
	153	-- addAction(OpcodeRule(DNSOpcode.Update), DropAction())
	154
	155	-- refuse all queries not having exactly one question
	156	-- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(dnsdist.REFUSED))
ff484825 RG	157
ff484825 RG	158	-- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$
55baa1f2	159	-- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(dnsdist.REFUSED))
ff484825 RG	160
	161	-- spoof responses for A, AAAA and ANY for spoof.powerdns.com.
	162	-- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both
832c1792	163	-- addAction("spoof.powerdns.com.", SpoofAction({"192.0.2.1", "2001:DB8::1"}))
ff484825 RG	164
	165	-- spoof responses will multiple records
	166	-- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2
	167	-- ANY all of that
832c1792	168	-- addAction("spoof.powerdns.com", SpoofAction({"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"}))
ff484825 RG	169
ff484825 RG	170	-- spoof responses with a CNAME
832c1792	171	-- addAction("cnamespoof.powerdns.com.", SpoofCNAMEAction("cname.powerdns.com."))
ff484825 RG	172
	173	-- spoof responses in Lua
	174	--[[
	175	function spoof1rule(dq)
	176	if(dq.qtype==1) -- A
	177	then
	178	return DNSAction.Spoof, "192.0.2.1"
	179	elseif(dq.qtype == 28) -- AAAA
	180	then
	181	return DNSAction.Spoof, "2001:DB8::1"
	182	else
	183	return DNSAction.None, ""
	184	end
	185	end
	186	function spoof2rule(dq)
	187	return DNSAction.Spoof, "spoofed.powerdns.com."
	188	end
	189	addLuaAction("luaspoof1.powerdns.com.", spoof1rule)
	190	addLuaAction("luaspoof2.powerdns.com.", spoof2rule)
	191
	192	--]]
a94673ea RG	193
	194	-- alter a protobuf response for anonymization purposes
	195	--[[
	196	function alterProtobuf(dq, protobuf)
	197	requestor = newCA(dq.remoteaddr:toString())
	198	if requestor:isIPv4() then
	199	requestor:truncate(24)
	200	else
	201	requestor:truncate(56)
	202	end
	203	protobuf:setRequestor(requestor)
	204	end
	205
	206	rl = newRemoteLogger("127.0.0.1:4242")
	207	addAction(AllRule(), RemoteLogAction(rl, alterProtobuf))
	208	--]]