-- listen for console connection with the given secret key
-- NOTE(review): "0.0.0.0" binds the console on every interface; the only
-- protection is the shared key set on the next line, so the listen address
-- (and any firewalling in front of it) is a deliberate choice, not a default
controlSocket("0.0.0.0")
-- sample key shipped with this example config; each real deployment needs
-- its own key (dnsdist's makeKey() generates one)
setKey("MXNeLFWHUe4363BBKrY06cAsH8NWNb+Se2eXU5+Bb74=")

-- start the web server on port 8083, using password 'geheim2'
-- the web server binds every interface as well; 'geheim2' is a placeholder
-- password belonging to this example, not to a deployment
webserver("0.0.0.0:8083", "geheim2")

-- accept DNS queries on UDP/5200 and TCP/5200
addLocal("0.0.0.0:5200")

-- send statistics to PowerDNS metronome server
-- carbonServer("2001:888:2000:1d::2")

-- fix up possibly badly truncated answers from pdns 2.9.22
truncateTC(true)

-- warnlog() presumably writes at warning level; used here as a load-time marker
warnlog(string.format("Script starting %s", "up!"))

-- define the good servers
-- positional form: the second argument is the per-server qps limit
newServer("8.8.8.8", 2) -- 2 qps
newServer("8.8.4.4", 2)
newServer("208.67.222.222", 1)
newServer("208.67.220.220", 1)
newServer("2001:4860:4860::8888", 1)
newServer("2001:4860:4860::8844",1)
newServer("2620:0:ccc::2", 10)
newServer("2620:0:ccd::2", 10)
-- table form: named fields; 'order' presumably ranks servers against each
-- other (confirm in the dnsdist docs), 'pool' puts the server in a named pool
newServer({address="192.168.1.2", qps=1000, order=2})
newServer({address="192.168.1.79:5300", order=2})
newServer({address="127.0.0.1:5300", order=3})
-- this backend is only reachable through the "abuse" pool used by the
-- pool rules below
newServer({address="192.168.1.30:5300", pool="abuse"})

-- switch the server balancing policy to round robin,
-- the default being least outstanding queries
-- setServerPolicy(roundrobin)

-- send the queries for selected domain suffixes to the server
-- in the 'abuse' pool
-- rules appear to be evaluated in the order they are added (topRule() further
-- down reorders them), so the suffix rule is checked before the subnet rule
addPoolRule({"ezdns.it.", "xxx."}, "abuse")

-- send the queries from a selected subnet to the
-- abuse pool
addPoolRule("192.168.1.0/24", "abuse")

-- send the queries for the "com" suffix to the "abuse"
-- pool, but only up to 100 qps
addQPSPoolRule("com.", 100, "abuse")

-- declare a Lua action function, routing NAPTR queries
-- to the abuse pool
--- Lua action: NAPTR queries are sent to the 'abuse' pool, anything else is left alone.
-- @param dq the DNSQuestion handed in by dnsdist (only dq.qtype is read)
-- @return a DNSAction value plus the pool name ("" when no action is taken)
function luarule(dq)
  local is_naptr = (dq.qtype == dnsdist.NAPTR)
  if is_naptr then
    return DNSAction.Pool, "abuse" -- send to abuse pool
  end
  return DNSAction.None, "" -- no action
end
-- send only queries from the selected subnet to
-- the luarule function
addLuaAction("192.168.1.0/24", luarule)

-- drop queries exceeding 5 qps, grouped by /24 for IPv4
-- and /64 for IPv6
addAction(MaxQPSIPRule(5, 24, 64), DropAction())

-- move the last rule to the first position
-- (so the rate limit just added is checked before the rules added earlier)
topRule()

-- drop queries for the following suffixes:
addDomainBlock("powerdns.org.")
addDomainBlock("spectre.")
-- this is equivalent to addAction("isis.", DropAction())
addDomainBlock("isis.")

-- called before we distribute a question
-- NOTE(review): no function follows this comment; 'block' and 'truncateNMG'
-- are built here but not referenced anywhere in the visible part of this file
block=newDNSName("powerdns.org.")
-- newNMG() presumably builds a netmask group out of the prefixes added below
truncateNMG = newNMG()
truncateNMG:addMask("213.244.0.0/16")
-- single host, no prefix length
truncateNMG:addMask("2001:503:ba3e::2:30")
truncateNMG:addMask("fe80::/16")

print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))

-- called to pick a downstream server, ignores 'up' status
-- global round-robin position read and advanced by luaroundrobin() below
counter=0
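--- Server policy: plain round robin over 'servers', ignoring each server's 'up' status.
-- Uses the global 'counter' (initialised above) as the rotating position.
-- @param servers sequence of candidate servers, as handed in by dnsdist
-- @param dq the DNSQuestion (unused by this policy)
-- @return the chosen server, or nil when 'servers' is empty
function luaroundrobin(servers, dq)
  local n = #servers
  -- an empty pool used to reach '% 0' (a NaN index on 5.1, an integer-modulo
  -- error on 5.3+); report "no server" explicitly instead
  if n == 0 then
    return nil
  end
  counter = counter + 1
  return servers[1 + (counter % n)]
end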
91 -- setServerPolicyLua("luaroundrobin", luaroundrobin)
92
-- both of these backends join the 'auth' and 'dnssec' pools
for _, backend in ipairs({"2001:888:2000:1d::2", "2a01:4f8:110:4389::2"}) do
  newServer({address=backend, pool={"auth", "dnssec"}})
end
95 --setDNSSECPool("dnssec")
96 --topRule()
97
98 -- split queries between the 'auth' pool and the regular one,
99 -- based on the RD flag
--- Server policy: queries without the RD flag go to the 'auth' pool, the rest to 'servers'.
-- The actual pick is delegated to the built-in firstAvailable policy.
-- @param servers the servers of the pool the query was routed to
-- @param dq the DNSQuestion; dq.dh:getRD() is consulted
-- @return whatever firstAvailable.policy returns for the chosen server set
function splitSetup(servers, dq)
  local candidates = servers
  -- '== false' rather than 'not', so a nil from getRD() still keeps 'servers'
  if dq.dh:getRD() == false then
    candidates = getPoolServers("auth")
  end
  return firstAvailable.policy(candidates, dq)
end
108 -- setServerPolicyLua("splitSetup", splitSetup)
109
110 -- the 'maintenance' function is called every second
--- Periodic hook: dynamically blocks, for 60s, every client that exceeded
-- 20 qps over the past 10s.
function maintenance()
  local qps_limit, window_seconds, block_seconds = 20, 10, 60
  local offenders = exceedQRate(qps_limit, window_seconds)
  addDynBlocks(offenders, "Exceeded query rate", block_seconds)
end
116
117 -- allow queries for the domain powerdns.com., drop everything else
118 -- addAction(makeRule("powerdns.com."), AllowAction())
119 -- addAction(AllRule(), DropAction())
120
121 -- clear the RD flag in queries for powerdns.com.
122 -- addNoRecurseRule("powerdns.com.")
123 -- another way to do the exact same thing:
124 -- addAction("powerdns.com.", NoRecurseAction())
125
126 -- set the CD flag in queries for powerdns.com.
127 -- addDisableValidationRule("powerdns.com.")
128 -- or:
129 -- addAction("powerdns.com.", DisableValidationAction())
130
131 -- delay all responses for 1000ms
132 -- addAction(AllRule(), DelayAction(1000))
133
134 -- truncate ANY queries over UDP only
135 -- addAnyTCRule()
136
137 -- truncate ANY queries over TCP only
138 -- addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(true)}), TCAction())
139 -- can also be written as:
140 -- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction())
141
142 -- return 'not implemented' for qtype != A over UDP
143 -- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))
144
145 -- return 'not implemented' for qtype == A OR received over UDP
146 -- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))
147
148 -- log all queries to a 'dnsdist.log' file, in text-mode (not binary) appending and unbuffered
149 -- addAction(AllRule(), LogAction("dnsdist.log", false, true, false))
150
151 -- drop all queries with the DO flag set
152 -- addAction(DNSSECRule(), DropAction())
153
154 -- drop all queries for the CHAOS class
155 -- addAction(QClassRule(3), DropAction())
156 -- addAction(QClassRule(DNSClass.CHAOS), DropAction())
157
158 -- drop all queries with the UPDATE opcode
159 -- addAction(OpcodeRule(DNSOpcode.Update), DropAction())
160
161 -- refuse all queries not having exactly one question
162 -- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(dnsdist.REFUSED))
163
164 -- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$
165 -- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(dnsdist.REFUSED))
166
167 -- spoof responses for A, AAAA and ANY for spoof.powerdns.com.
168 -- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both
169 -- addDomainSpoof("spoof.powerdns.com.", "192.0.2.1", "2001:DB8::1")
170
171 -- spoof responses with multiple records
172 -- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2
173 -- ANY all of that
174 -- addDomainSpoof("spoof.powerdns.com", {"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"})
175
176 -- spoof responses with a CNAME
177 -- addDomainCNAMESpoof("cnamespoof.powerdns.com.", "cname.powerdns.com.")
178
179 -- spoof responses in Lua
180 --[[
181 function spoof1rule(dq)
182 if(dq.qtype==1) -- A
183 then
184 return DNSAction.Spoof, "192.0.2.1"
185 elseif(dq.qtype == 28) -- AAAA
186 then
187 return DNSAction.Spoof, "2001:DB8::1"
188 else
189 return DNSAction.None, ""
190 end
191 end
192 function spoof2rule(dq)
193 return DNSAction.Spoof, "spoofed.powerdns.com."
194 end
195 addLuaAction("luaspoof1.powerdns.com.", spoof1rule)
196 addLuaAction("luaspoof2.powerdns.com.", spoof2rule)
197
198 --]]
199
200 -- alter a protobuf response for anonymization purposes
201 --[[
202 function alterProtobuf(dq, protobuf)
203 requestor = newCA(dq.remoteaddr:toString())
204 if requestor:isIPv4() then
205 requestor:truncate(24)
206 else
207 requestor:truncate(56)
208 end
209 protobuf:setRequestor(requestor)
210 end
211
212 rl = newRemoteLogger("127.0.0.1:4242")
213 addAction(AllRule(), RemoteLogAction(rl, alterProtobuf))
214 --]]