ff484825 | 1 | -- listen for console connections with the given secret key (binding 0.0.0.0 exposes the console on every interface) |
4b775242 RG |
2 | -- controlSocket("0.0.0.0") |
3 | -- setKey(please generate a fresh private key with makeKey()) | |
ff484825 | 4 | |
4b775242 RG |
5 | -- start the web server on port 8083, using password 'set a random password here' |
6 | -- webserver("0.0.0.0:8083", "set a random password here") | |
ff484825 RG |
7 | |
8 | -- accept DNS queries on UDP/5200 and TCP/5200 | |
2e72cc0e | 9 | addLocal("0.0.0.0:5200") |
ff484825 RG |
10 | |
11 | -- send statistics to PowerDNS metronome server | |
9ebc0e91 | 12 | -- carbonServer("2001:888:2000:1d::2") |
6d01c80c | 13 | |
ff484825 RG |
14 | -- fix up possibly badly truncated answers from pdns 2.9.22 |
15 | truncateTC(true) | |
16 | ||
4c6f4321 | 17 | warnlog(string.format("Script starting %s", "up!")) |
18 | ||
773470ca | 19 | -- define the good servers |
20 | newServer("8.8.8.8", 2) -- 2 qps | |
ff484825 | 21 | newServer("8.8.4.4", 2) |
773470ca | 22 | newServer("208.67.222.222", 1) |
ff484825 | 23 | newServer("208.67.220.220", 1) |
773470ca | 24 | newServer("2001:4860:4860::8888", 1) |
ff484825 RG |
25 | newServer("2001:4860:4860::8844",1) |
26 | newServer("2620:0:ccc::2", 10) | |
27 | newServer("2620:0:ccd::2", 10) | |
bf9edc24 RG |
28 | newServer({address="192.168.1.2", qps=1000, order=2}) |
29 | newServer({address="192.168.1.79:5300", order=2}) | |
30 | newServer({address="127.0.0.1:5300", order=3}) | |
31 | newServer({address="192.168.1.30:5300", pool="abuse"}) | |
9dea07d2 | 32 | |
ff484825 RG |
33 | -- switch the server balancing policy to round robin, |
34 | -- the default being least outstanding queries | |
35 | -- setServerPolicy(roundrobin) | |
36 | ||
37 | -- send the queries for selected domain suffixes to the server | |
38 | -- in the 'abuse' pool | |
832c1792 | 39 | addAction({"ezdns.it.", "xxx."}, PoolAction("abuse")) |
ff484825 RG |
40 | |
41 | -- send the queries from a selected subnet to the | |
42 | -- abuse pool | |
832c1792 | 43 | addAction("192.168.1.0/24", PoolAction("abuse")) |
4f4ad7f5 | 44 | |
ff484825 RG |
45 | -- send the queries for the "com" suffix to the "abuse" |
46 | -- pool, but only up to 100 qps | |
832c1792 | 47 | addAction("com.", QPSPoolRule(100, "abuse")) |
9dea07d2 | 48 | |
ff484825 RG |
49 | -- declare a Lua action function, routing NAPTR queries |
50 | -- to the abuse pool | |
-- Lua action handed to addLuaAction: NAPTR queries are routed to the
-- 'abuse' pool, every other query is left alone.
-- dq: the DNSQuestion dnsdist passes in (only dq.qtype is read here).
-- Returns the (DNSAction, argument) pair dnsdist expects from a Lua action.
function luarule(dq)
  local isNaptr = (dq.qtype == dnsdist.NAPTR)
  if not isNaptr then
    return DNSAction.None, ""    -- no action
  end
  return DNSAction.Pool, "abuse" -- send to abuse pool
end
ff484825 RG |
59 | -- send only queries from the selected subnet to |
60 | -- the luarule function | |
d8d85a30 | 61 | addLuaAction("192.168.1.0/24", luarule) |
4f4ad7f5 | 62 | |
ff484825 RG |
63 | -- drop queries exceeding 5 qps, grouped by /24 for IPv4 |
64 | -- and /64 for IPv6 | |
1b726acf | 65 | addAction(MaxQPSIPRule(5, 24, 64), DropAction()) |
66 | ||
ff484825 | 67 | -- move the last rule to the first position |
d8d85a30 | 68 | topRule() |
69 | ||
ff484825 | 70 | -- drop queries for the following suffixes: |
832c1792 RG |
71 | addAction("powerdns.org.", DropAction()) |
72 | addAction("spectre.", DropAction()) | |
0940e4eb | 73 | |
9dea07d2 | 74 | -- called before we distribute a question |
ff484825 | 75 | block=newDNSName("powerdns.org.") |
68e82cf9 | 76 | truncateNMG = newNMG() |
77 | truncateNMG:addMask("213.244.0.0/16") | |
78 | truncateNMG:addMask("2001:503:ba3e::2:30") | |
79 | truncateNMG:addMask("fe80::/16") | |
80 | ||
81 | print(string.format("Have %d entries in truncate NMG", truncateNMG:size())) | |
82 | ||
da4e7813 | 83 | -- called to pick a downstream server, ignores 'up' status |
ff484825 | 84 | counter=0 |
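-- Server policy: plain round robin over 'servers', ignoring their 'up' status.
-- servers: sequence (1..n) of downstream servers as dnsdist hands them in.
-- dq: the DNSQuestion; not consulted by this policy.
-- Returns the chosen server, or nil when 'servers' is empty (the original
-- computed 'counter % 0' in that case, which errors on integer operands).
-- The module-level 'counter' global is kept on purpose: it is part of the
-- script's visible state and must be initialised (counter=0) before use.
function luaroundrobin(servers, dq)
  local count = #servers
  if count == 0 then
    return nil -- nothing to pick from
  end
  counter = counter + 1
  return servers[1 + (counter % count)]
end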
22b2b326 | 89 | -- setServerPolicyLua("luaroundrobin", luaroundrobin) |
9dea07d2 | 90 | |
bf9edc24 RG |
91 | newServer({address="2001:888:2000:1d::2", pool={"auth", "dnssec"}}) |
92 | newServer({address="2a01:4f8:110:4389::2", pool={"auth", "dnssec"}}) | |
832c1792 | 93 | --addAction(DNSSECRule(), PoolAction("dnssec")) |
50bed881 | 94 | --topRule() |
520eb5a0 | 95 | |
ff484825 RG |
96 | -- split queries between the 'auth' pool and the regular one, |
97 | -- based on the RD flag | |
-- Server policy: queries with the RD flag cleared are answered from the
-- 'auth' pool, all other queries stay on the regular server set.
-- servers: the regular downstream servers dnsdist passes to the policy.
-- dq: the DNSQuestion; dq.dh:getRD() decides which set is used.
-- Returns whatever firstAvailable.policy picks from the chosen set.
function splitSetup(servers, dq)
  local candidates = servers
  if dq.dh:getRD() == false then
    candidates = getPoolServers("auth")
  end
  return firstAvailable.policy(candidates, dq)
end
bac6e8fb | 106 | -- setServerPolicyLua("splitSetup", splitSetup) |
107 | ||
ff484825 | 108 | -- the 'maintenance' function is called every second |
-- Called by dnsdist every second: any client that exceeded 20 qps over the
-- past 10 seconds gets a dynamic block for 60 seconds.
function maintenance()
  local qpsLimit, windowSeconds, blockSeconds = 20, 10, 60
  local offenders = exceedQRate(qpsLimit, windowSeconds)
  addDynBlocks(offenders, "Exceeded query rate", blockSeconds)
end
114 | ||
ff484825 RG |
115 | -- allow queries for the domain powerdns.com., drop everything else |
116 | -- addAction(makeRule("powerdns.com."), AllowAction()) | |
117 | -- addAction(AllRule(), DropAction()) | |
118 | ||
119 | -- clear the RD flag in queries for powerdns.com. | |
ff484825 RG |
120 | -- addAction("powerdns.com.", NoRecurseAction()) |
121 | ||
122 | -- set the CD flag in queries for powerdns.com. | |
ff484825 RG |
123 | -- addAction("powerdns.com.", DisableValidationAction()) |
124 | ||
125 | -- delay all responses for 1000ms | |
126 | -- addAction(AllRule(), DelayAction(1000)) | |
127 | ||
128 | -- truncate ANY queries over UDP only | |
832c1792 | 129 | -- addAction(AndRule{QTypeRule(dnsdist.ANY), TCPRule(false)}, TCAction()) |
ff484825 RG |
130 | |
131 | -- truncate ANY queries over TCP only | |
132 | -- addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(true)}), TCAction()) | |
133 | -- can also be written as: | |
134 | -- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction()) | |
135 | ||
136 | -- return 'not implemented' for qtype != A over UDP | |
ce71f790 | 137 | -- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP)) |
ff484825 RG |
138 | |
139 | -- return 'not implemented' for qtype == A OR received over UDP | |
ce71f790 | 140 | -- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP)) |
ff484825 | 141 | |
456fc645 | 142 | -- log all queries to a 'dnsdist.log' file, in text-mode (not binary) appending and unbuffered |
143 | -- addAction(AllRule(), LogAction("dnsdist.log", false, true, false)) | |
ff484825 RG |
144 | |
145 | -- drop all queries with the DO flag set | |
146 | -- addAction(DNSSECRule(), DropAction()) | |
147 | ||
148 | -- drop all queries for the CHAOS class | |
149 | -- addAction(QClassRule(3), DropAction()) | |
55baa1f2 RG |
150 | -- addAction(QClassRule(DNSClass.CHAOS), DropAction()) |
151 | ||
152 | -- drop all queries with the UPDATE opcode | |
153 | -- addAction(OpcodeRule(DNSOpcode.Update), DropAction()) | |
154 | ||
155 | -- refuse all queries not having exactly one question | |
156 | -- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(dnsdist.REFUSED)) | |
ff484825 RG |
157 | |
158 | -- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$ | |
55baa1f2 | 159 | -- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(dnsdist.REFUSED)) |
ff484825 RG |
160 | |
161 | -- spoof responses for A, AAAA and ANY for spoof.powerdns.com. | |
162 | -- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both | |
832c1792 | 163 | -- addAction("spoof.powerdns.com.", SpoofAction({"192.0.2.1", "2001:DB8::1"})) |
ff484825 RG |
164 | |
165 | -- spoof responses with multiple records | |
166 | -- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2 | |
167 | -- ANY all of that | |
832c1792 | 168 | -- addAction("spoof.powerdns.com", SpoofAction({"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"})) |
ff484825 RG |
169 | |
170 | -- spoof responses with a CNAME | |
832c1792 | 171 | -- addAction("cnamespoof.powerdns.com.", SpoofCNAMEAction("cname.powerdns.com.")) |
ff484825 RG |
172 | |
173 | -- spoof responses in Lua | |
174 | --[[ | |
175 | function spoof1rule(dq) | |
176 | if(dq.qtype==1) -- A | |
177 | then | |
178 | return DNSAction.Spoof, "192.0.2.1" | |
179 | elseif(dq.qtype == 28) -- AAAA | |
180 | then | |
181 | return DNSAction.Spoof, "2001:DB8::1" | |
182 | else | |
183 | return DNSAction.None, "" | |
184 | end | |
185 | end | |
186 | function spoof2rule(dq) | |
187 | return DNSAction.Spoof, "spoofed.powerdns.com." | |
188 | end | |
189 | addLuaAction("luaspoof1.powerdns.com.", spoof1rule) | |
190 | addLuaAction("luaspoof2.powerdns.com.", spoof2rule) | |
191 | ||
192 | --]] | |
a94673ea RG |
193 | |
194 | -- alter a protobuf response for anonymization purposes | |
195 | --[[ | |
196 | function alterProtobuf(dq, protobuf) | |
197 | requestor = newCA(dq.remoteaddr:toString()) | |
198 | if requestor:isIPv4() then | |
199 | requestor:truncate(24) | |
200 | else | |
201 | requestor:truncate(56) | |
202 | end | |
203 | protobuf:setRequestor(requestor) | |
204 | end | |
205 | ||
206 | rl = newRemoteLogger("127.0.0.1:4242") | |
207 | addAction(AllRule(), RemoteLogAction(rl, alterProtobuf)) | |
208 | --]] |