[thirdparty/pdns.git] / pdns / dnsdistconf.lua

-- listen for console connection with the given secret key
-- controlSocket("0.0.0.0")
-- setKey(please generate a fresh private key with makeKey())

-- start the web server on port 8083, using password 'set a random password here'
-- webserver("0.0.0.0:8083", "set a random password here")

-- accept DNS queries on UDP/5200 and TCP/5200
addLocal("0.0.0.0:5200")

-- send statistics to PowerDNS metronome server
-- carbonServer("2001:888:2000:1d::2")

-- fix up possibly badly truncated answers from pdns 2.9.22
truncateTC(true)

warnlog(string.format("Script starting %s", "up!"))

-- define the good servers
newServer("8.8.8.8", 2)  -- 2 qps
newServer("8.8.4.4", 2)
newServer("208.67.222.222", 1)
newServer("208.67.220.220", 1)
newServer("2001:4860:4860::8888", 1)
newServer("2001:4860:4860::8844",1)
newServer("2620:0:ccc::2", 10)
newServer("2620:0:ccd::2", 10)
newServer({address="192.168.1.2", qps=1000, order=2})
newServer({address="192.168.1.79:5300", order=2})
newServer({address="127.0.0.1:5300", order=3})
newServer({address="192.168.1.30:5300", pool="abuse"})

-- switch the server balancing policy to round robin,
-- the default being least outstanding queries
-- setServerPolicy(roundrobin)

-- send the queries for selected domain suffixes to the server
-- in the 'abuse' pool
addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))

-- send the queries from a selected subnet to the
-- abuse pool
addAction("192.168.1.0/24", PoolAction("abuse"))

-- send the queries for the "com" suffix to the "abuse"
-- pool, but only up to 100 qps
addAction("com.", QPSPoolAction(100, "abuse"))

-- declare a Lua action function, routing NAPTR queries
-- to the abuse pool
function luarule(dq)
	if(dq.qtype==DNSQType.NAPTR)
	then
		return DNSAction.Pool, "abuse" -- send to abuse pool
	else
		return DNSAction.None, ""      -- no action
	end
end
-- send only queries from the selected subnet to
-- the luarule function
addAction("192.168.1.0/24", LuaAction(luarule))

-- drop queries exceeding 5 qps, grouped by /24 for IPv4
-- and /64 for IPv6
addAction(MaxQPSIPRule(5, 24, 64), DropAction())

-- move the last rule to the first position
topRule()

-- drop queries for the following suffixes:
addAction("powerdns.org.", DropAction())
addAction("spectre.", DropAction())

-- called before we distribute a question
block=newDNSName("powerdns.org.")
truncateNMG = newNMG()
truncateNMG:addMask("213.244.0.0/16")
truncateNMG:addMask("2001:503:ba3e::2:30")
truncateNMG:addMask("fe80::/16")

print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))

-- called to pick a downstream server, ignores 'up' status
counter=0
function luaroundrobin(servers, dq)
	 counter=counter+1;
	 return servers[1+(counter % #servers)]
end
-- setServerPolicyLua("luaroundrobin", luaroundrobin)

newServer({address="2001:888:2000:1d::2", pool={"auth", "dnssec"}})
newServer({address="2a01:4f8:110:4389::2", pool={"auth", "dnssec"}})
--addAction(DNSSECRule(), PoolAction("dnssec"))
--topRule()

-- split queries between the 'auth' pool and the regular one,
-- based on the RD flag
function splitSetup(servers, dq)
	 if(dq.dh:getRD() == false)
	 then
		return firstAvailable.policy(getPoolServers("auth"), dq)
	 else
		return firstAvailable.policy(servers, dq)
	 end
end
-- setServerPolicyLua("splitSetup", splitSetup)

-- the 'maintenance' function is called every second
function maintenance()
	 -- block all hosts that exceeded 20 qps over the past 10s,
	 -- for 60s
	 addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
end

-- allow queries for the domain powerdns.com., drop everything else
-- addAction(makeRule("powerdns.com."), AllowAction())
-- addAction(AllRule(), DropAction())

-- clear the RD flag in queries for powerdns.com.
-- addAction("powerdns.com.", NoRecurseAction())

-- set the CD flag in queries for powerdns.com.
-- addAction("powerdns.com.", DisableValidationAction())

-- delay all responses for 1000ms
-- addAction(AllRule(), DelayAction(1000))

-- truncate ANY queries over UDP only
-- addAction(AndRule{QTypeRule(DNSQType.ANY), TCPRule(false)}, TCAction())

-- truncate ANY queries over TCP only
-- addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(true)}), TCAction())
-- can also be written as:
-- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction())

-- return 'not implemented' for qtype != A over UDP
-- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(DNSRCode.NOTIMP))

-- return 'not implemented' for qtype == A OR received over UDP
-- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(DNSRCode.NOTIMP))

-- log all queries to a 'dndist.log' file, in text-mode (not binary) appending and unbuffered
-- addAction(AllRule(), LogAction("dnsdist.log", false, true, false))

-- drop all queries with the DO flag set
-- addAction(DNSSECRule(), DropAction())

-- drop all queries for the CHAOS class
-- addAction(QClassRule(3), DropAction())
-- addAction(QClassRule(DNSClass.CHAOS), DropAction())

-- drop all queries with the UPDATE opcode
-- addAction(OpcodeRule(DNSOpcode.Update), DropAction())

-- refuse all queries not having exactly one question
-- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(DNSRCode.REFUSED))

-- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$
-- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(DNSRCode.REFUSED))

-- spoof responses for A, AAAA and ANY for spoof.powerdns.com.
-- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both
-- addAction("spoof.powerdns.com.", SpoofAction({"192.0.2.1", "2001:DB8::1"}))

-- spoof responses will multiple records
-- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2
-- ANY all of that
-- addAction("spoof.powerdns.com", SpoofAction({"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"}))

-- spoof responses with a CNAME
-- addAction("cnamespoof.powerdns.com.", SpoofCNAMEAction("cname.powerdns.com."))

-- spoof responses in Lua
--[[
    function spoof1rule(dq)
        if(dq.qtype==1) -- A
        then
                return DNSAction.Spoof, "192.0.2.1"
        elseif(dq.qtype == 28) -- AAAA
        then
                return DNSAction.Spoof, "2001:DB8::1"
        else
                return DNSAction.None, ""
        end
    end
    function spoof2rule(dq)
        return DNSAction.Spoof, "spoofed.powerdns.com."
    end
    addAction("luaspoof1.powerdns.com.", LuaAction(spoof1rule))
    addAction("luaspoof2.powerdns.com.", LuaAction(spoof2rule))

--]]

-- alter a protobuf response for anonymization purposes
--[[
function alterProtobuf(dq, protobuf)
    requestor = newCA(dq.remoteaddr:toString())
    if requestor:isIPv4() then
        requestor:truncate(24)
    else
        requestor:truncate(56)
    end
    protobuf:setRequestor(requestor)
end

rl = newRemoteLogger("127.0.0.1:4242")
addAction(AllRule(), RemoteLogAction(rl, alterProtobuf))
--]]
Commit	Line	Data
ff484825	1	-- listen for console connection with the given secret key
4b775242 RG	2	-- controlSocket("0.0.0.0")
4b775242 RG	3	-- setKey(please generate a fresh private key with makeKey())
ff484825	4
4b775242 RG	5	-- start the web server on port 8083, using password 'set a random password here'
4b775242 RG	6	-- webserver("0.0.0.0:8083", "set a random password here")
ff484825 RG	7
ff484825 RG	8	-- accept DNS queries on UDP/5200 and TCP/5200
2e72cc0e	9	addLocal("0.0.0.0:5200")
ff484825 RG	10
ff484825 RG	11	-- send statistics to PowerDNS metronome server
9ebc0e91	12	-- carbonServer("2001:888:2000:1d::2")
6d01c80c	13
ff484825 RG	14	-- fix up possibly badly truncated answers from pdns 2.9.22
	15	truncateTC(true)
	16
4c6f4321	17	warnlog(string.format("Script starting %s", "up!"))
4c6f4321	18
773470ca	19	-- define the good servers
773470ca	20	newServer("8.8.8.8", 2) -- 2 qps
ff484825	21	newServer("8.8.4.4", 2)
773470ca	22	newServer("208.67.222.222", 1)
ff484825	23	newServer("208.67.220.220", 1)
773470ca	24	newServer("2001:4860:4860::8888", 1)
ff484825 RG	25	newServer("2001:4860:4860::8844",1)
	26	newServer("2620:0:ccc::2", 10)
	27	newServer("2620:0:ccd::2", 10)
bf9edc24 RG	28	newServer({address="192.168.1.2", qps=1000, order=2})
	29	newServer({address="192.168.1.79:5300", order=2})
	30	newServer({address="127.0.0.1:5300", order=3})
	31	newServer({address="192.168.1.30:5300", pool="abuse"})
9dea07d2	32
ff484825 RG	33	-- switch the server balancing policy to round robin,
	34	-- the default being least outstanding queries
	35	-- setServerPolicy(roundrobin)
	36
	37	-- send the queries for selected domain suffixes to the server
	38	-- in the 'abuse' pool
832c1792	39	addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))
ff484825 RG	40
	41	-- send the queries from a selected subnet to the
	42	-- abuse pool
832c1792	43	addAction("192.168.1.0/24", PoolAction("abuse"))
4f4ad7f5	44
ff484825 RG	45	-- send the queries for the "com" suffix to the "abuse"
ff484825 RG	46	-- pool, but only up to 100 qps
06c8e7f3	47	addAction("com.", QPSPoolAction(100, "abuse"))
9dea07d2	48
ff484825 RG	49	-- declare a Lua action function, routing NAPTR queries
ff484825 RG	50	-- to the abuse pool
497a6e3a	51	function luarule(dq)
1beafa5d	52	if(dq.qtype==DNSQType.NAPTR)
d8d85a30	53	then
	54	return DNSAction.Pool, "abuse" -- send to abuse pool
	55	else
	56	return DNSAction.None, "" -- no action
	57	end
	58	end
ff484825 RG	59	-- send only queries from the selected subnet to
ff484825 RG	60	-- the luarule function
81b0a083	61	addAction("192.168.1.0/24", LuaAction(luarule))
4f4ad7f5	62
ff484825 RG	63	-- drop queries exceeding 5 qps, grouped by /24 for IPv4
ff484825 RG	64	-- and /64 for IPv6
1b726acf	65	addAction(MaxQPSIPRule(5, 24, 64), DropAction())
1b726acf	66
ff484825	67	-- move the last rule to the first position
d8d85a30	68	topRule()
d8d85a30	69
ff484825	70	-- drop queries for the following suffixes:
832c1792 RG	71	addAction("powerdns.org.", DropAction())
832c1792 RG	72	addAction("spectre.", DropAction())
0940e4eb	73
9dea07d2	74	-- called before we distribute a question
ff484825	75	block=newDNSName("powerdns.org.")
68e82cf9	76	truncateNMG = newNMG()
	77	truncateNMG:addMask("213.244.0.0/16")
	78	truncateNMG:addMask("2001:503:ba3e::2:30")
	79	truncateNMG:addMask("fe80::/16")
	80
	81	print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))
	82
da4e7813	83	-- called to pick a downstream server, ignores 'up' status
ff484825	84	counter=0
497a6e3a	85	function luaroundrobin(servers, dq)
ceee6652	86	counter=counter+1;
773470ca	87	return servers[1+(counter % #servers)]
9dea07d2	88	end
22b2b326	89	-- setServerPolicyLua("luaroundrobin", luaroundrobin)
9dea07d2	90
bf9edc24 RG	91	newServer({address="2001:888:2000:1d::2", pool={"auth", "dnssec"}})
bf9edc24 RG	92	newServer({address="2a01:4f8:110:4389::2", pool={"auth", "dnssec"}})
832c1792	93	--addAction(DNSSECRule(), PoolAction("dnssec"))
50bed881	94	--topRule()
520eb5a0	95
ff484825 RG	96	-- split queries between the 'auth' pool and the regular one,
	97	-- based on the RD flag
	98	function splitSetup(servers, dq)
	99	if(dq.dh:getRD() == false)
75a2db75	100	then
ff484825	101	return firstAvailable.policy(getPoolServers("auth"), dq)
75a2db75	102	else
ff484825	103	return firstAvailable.policy(servers, dq)
75a2db75	104	end
da4e7813	105	end
bac6e8fb	106	-- setServerPolicyLua("splitSetup", splitSetup)
bac6e8fb	107
ff484825	108	-- the 'maintenance' function is called every second
bac6e8fb	109	function maintenance()
ff484825 RG	110	-- block all hosts that exceeded 20 qps over the past 10s,
	111	-- for 60s
	112	addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
bac6e8fb	113	end
bac6e8fb	114
ff484825 RG	115	-- allow queries for the domain powerdns.com., drop everything else
	116	-- addAction(makeRule("powerdns.com."), AllowAction())
	117	-- addAction(AllRule(), DropAction())
	118
	119	-- clear the RD flag in queries for powerdns.com.
ff484825 RG	120	-- addAction("powerdns.com.", NoRecurseAction())
	121
	122	-- set the CD flag in queries for powerdns.com.
ff484825 RG	123	-- addAction("powerdns.com.", DisableValidationAction())
	124
	125	-- delay all responses for 1000ms
	126	-- addAction(AllRule(), DelayAction(1000))
	127
	128	-- truncate ANY queries over UDP only
1beafa5d	129	-- addAction(AndRule{QTypeRule(DNSQType.ANY), TCPRule(false)}, TCAction())
ff484825 RG	130
ff484825 RG	131	-- truncate ANY queries over TCP only
1beafa5d	132	-- addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(true)}), TCAction())
ff484825 RG	133	-- can also be written as:
	134	-- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction())
	135
	136	-- return 'not implemented' for qtype != A over UDP
1beafa5d	137	-- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(DNSRCode.NOTIMP))
ff484825 RG	138
ff484825 RG	139	-- return 'not implemented' for qtype == A OR received over UDP
1beafa5d	140	-- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(DNSRCode.NOTIMP))
ff484825	141
456fc645	142	-- log all queries to a 'dndist.log' file, in text-mode (not binary) appending and unbuffered
456fc645	143	-- addAction(AllRule(), LogAction("dnsdist.log", false, true, false))
ff484825 RG	144
	145	-- drop all queries with the DO flag set
	146	-- addAction(DNSSECRule(), DropAction())
	147
	148	-- drop all queries for the CHAOS class
	149	-- addAction(QClassRule(3), DropAction())
55baa1f2 RG	150	-- addAction(QClassRule(DNSClass.CHAOS), DropAction())
	151
	152	-- drop all queries with the UPDATE opcode
	153	-- addAction(OpcodeRule(DNSOpcode.Update), DropAction())
	154
	155	-- refuse all queries not having exactly one question
1beafa5d	156	-- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(DNSRCode.REFUSED))
ff484825 RG	157
ff484825 RG	158	-- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$
1beafa5d	159	-- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(DNSRCode.REFUSED))
ff484825 RG	160
	161	-- spoof responses for A, AAAA and ANY for spoof.powerdns.com.
	162	-- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both
832c1792	163	-- addAction("spoof.powerdns.com.", SpoofAction({"192.0.2.1", "2001:DB8::1"}))
ff484825 RG	164
	165	-- spoof responses will multiple records
	166	-- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2
	167	-- ANY all of that
832c1792	168	-- addAction("spoof.powerdns.com", SpoofAction({"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"}))
ff484825 RG	169
ff484825 RG	170	-- spoof responses with a CNAME
832c1792	171	-- addAction("cnamespoof.powerdns.com.", SpoofCNAMEAction("cname.powerdns.com."))
ff484825 RG	172
	173	-- spoof responses in Lua
	174	--[[
	175	function spoof1rule(dq)
	176	if(dq.qtype==1) -- A
	177	then
	178	return DNSAction.Spoof, "192.0.2.1"
	179	elseif(dq.qtype == 28) -- AAAA
	180	then
	181	return DNSAction.Spoof, "2001:DB8::1"
	182	else
	183	return DNSAction.None, ""
	184	end
	185	end
	186	function spoof2rule(dq)
	187	return DNSAction.Spoof, "spoofed.powerdns.com."
	188	end
81b0a083 OM	189	addAction("luaspoof1.powerdns.com.", LuaAction(spoof1rule))
81b0a083 OM	190	addAction("luaspoof2.powerdns.com.", LuaAction(spoof2rule))
ff484825 RG	191
ff484825 RG	192	--]]
a94673ea RG	193
	194	-- alter a protobuf response for anonymization purposes
	195	--[[
	196	function alterProtobuf(dq, protobuf)
	197	requestor = newCA(dq.remoteaddr:toString())
	198	if requestor:isIPv4() then
	199	requestor:truncate(24)
	200	else
	201	requestor:truncate(56)
	202	end
	203	protobuf:setRequestor(requestor)
	204	end
	205
	206	rl = newRemoteLogger("127.0.0.1:4242")
	207	addAction(AllRule(), RemoteLogAction(rl, alterProtobuf))
	208	--]]