pdns/dnsdistconf.lua

   1 -- listen for console connection with the given secret key
   2 -- controlSocket("0.0.0.0")
   3 -- setKey(please generate a fresh private key with makeKey())
   4
   5 -- start the web server on port 8083, using password 'set a random password here'
   6 -- webserver("0.0.0.0:8083", "set a random password here")
   7
   8 -- accept DNS queries on UDP/5200 and TCP/5200
   9 addLocal("0.0.0.0:5200")
  10
  11 -- send statistics to PowerDNS metronome server
  12 -- carbonServer("2001:888:2000:1d::2")
  13
  14 -- fix up possibly badly truncated answers from pdns 2.9.22
  15 truncateTC(true)
  16
  17 warnlog(string.format("Script starting %s", "up!"))
  18
  19 -- define the good servers
  20 newServer("8.8.8.8", 2)  -- 2 qps
  21 newServer("8.8.4.4", 2)
  22 newServer("208.67.222.222", 1)
  23 newServer("208.67.220.220", 1)
  24 newServer("2001:4860:4860::8888", 1)
  25 newServer("2001:4860:4860::8844",1)
  26 newServer("2620:0:ccc::2", 10)
  27 newServer("2620:0:ccd::2", 10)
  28 newServer({address="192.168.1.2", qps=1000, order=2})
  29 newServer({address="192.168.1.79:5300", order=2})
  30 newServer({address="127.0.0.1:5300", order=3})
  31 newServer({address="192.168.1.30:5300", pool="abuse"})
  32
  33 -- switch the server balancing policy to round robin,
  34 -- the default being least outstanding queries
  35 -- setServerPolicy(roundrobin)
  36
  37 -- send the queries for selected domain suffixes to the server
  38 -- in the 'abuse' pool
  39 addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))
  40
  41 -- send the queries from a selected subnet to the
  42 -- abuse pool
  43 addAction("192.168.1.0/24", PoolAction("abuse"))
  44
  45 -- send the queries for the "com" suffix to the "abuse"
  46 -- pool, but only up to 100 qps
  47 addAction("com.", QPSPoolAction(100, "abuse"))
  48
  49 -- declare a Lua action function, routing NAPTR queries
  50 -- to the abuse pool
  51 function luarule(dq)
  52         if(dq.qtype==dnsdist.NAPTR)
  53         then
  54                 return DNSAction.Pool, "abuse" -- send to abuse pool
  55         else
  56                 return DNSAction.None, ""      -- no action
  57         end
  58 end
  59 -- send only queries from the selected subnet to
  60 -- the luarule function
  61 addLuaAction("192.168.1.0/24", luarule)
  62
  63 -- drop queries exceeding 5 qps, grouped by /24 for IPv4
  64 -- and /64 for IPv6
  65 addAction(MaxQPSIPRule(5, 24, 64), DropAction())
  66
  67 -- move the last rule to the first position
  68 topRule()
  69
  70 -- drop queries for the following suffixes:
  71 addAction("powerdns.org.", DropAction())
  72 addAction("spectre.", DropAction())
  73
  74 -- called before we distribute a question
  75 block=newDNSName("powerdns.org.")
  76 truncateNMG = newNMG()
  77 truncateNMG:addMask("213.244.0.0/16")
  78 truncateNMG:addMask("2001:503:ba3e::2:30")
  79 truncateNMG:addMask("fe80::/16")
  80
  81 print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))
  82
  83 -- called to pick a downstream server, ignores 'up' status
  84 counter=0
  85 function luaroundrobin(servers, dq)
  86          counter=counter+1;
  87          return servers[1+(counter % #servers)]
  88 end
  89 -- setServerPolicyLua("luaroundrobin", luaroundrobin)
  90
  91 newServer({address="2001:888:2000:1d::2", pool={"auth", "dnssec"}})
  92 newServer({address="2a01:4f8:110:4389::2", pool={"auth", "dnssec"}})
  93 --addAction(DNSSECRule(), PoolAction("dnssec"))
  94 --topRule()
  95
  96 -- split queries between the 'auth' pool and the regular one,
  97 -- based on the RD flag
  98 function splitSetup(servers, dq)
  99          if(dq.dh:getRD() == false)
 100          then
 101                 return firstAvailable.policy(getPoolServers("auth"), dq)
 102          else
 103                 return firstAvailable.policy(servers, dq)
 104          end
 105 end
 106 -- setServerPolicyLua("splitSetup", splitSetup)
 107
 108 -- the 'maintenance' function is called every second
 109 function maintenance()
 110          -- block all hosts that exceeded 20 qps over the past 10s,
 111          -- for 60s
 112          addDynBlocks(exceedQRate(20, 10), "Exceeded query rate", 60)
 113 end
 114
 115 -- allow queries for the domain powerdns.com., drop everything else
 116 -- addAction(makeRule("powerdns.com."), AllowAction())
 117 -- addAction(AllRule(), DropAction())
 118
 119 -- clear the RD flag in queries for powerdns.com.
 120 -- addAction("powerdns.com.", NoRecurseAction())
 121
 122 -- set the CD flag in queries for powerdns.com.
 123 -- addAction("powerdns.com.", DisableValidationAction())
 124
 125 -- delay all responses for 1000ms
 126 -- addAction(AllRule(), DelayAction(1000))
 127
 128 -- truncate ANY queries over UDP only
 129 -- addAction(AndRule{QTypeRule(dnsdist.ANY), TCPRule(false)}, TCAction())
 130
 131 -- truncate ANY queries over TCP only
 132 -- addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(true)}), TCAction())
 133 -- can also be written as:
 134 -- addAction(AndRule({QTypeRule("ANY"), TCPRule(true)}), TCAction())
 135
 136 -- return 'not implemented' for qtype != A over UDP
 137 -- addAction(AndRule({NotRule(QTypeRule("A")), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))
 138
 139 -- return 'not implemented' for qtype == A OR received over UDP
 140 -- addAction(OrRule({QTypeRule("A"), TCPRule(false)}), RCodeAction(dnsdist.NOTIMP))
 141
 142 -- log all queries to a 'dndist.log' file, in text-mode (not binary) appending and unbuffered
 143 -- addAction(AllRule(), LogAction("dnsdist.log", false, true, false))
 144
 145 -- drop all queries with the DO flag set
 146 -- addAction(DNSSECRule(), DropAction())
 147
 148 -- drop all queries for the CHAOS class
 149 -- addAction(QClassRule(3), DropAction())
 150 -- addAction(QClassRule(DNSClass.CHAOS), DropAction())
 151
 152 -- drop all queries with the UPDATE opcode
 153 -- addAction(OpcodeRule(DNSOpcode.Update), DropAction())
 154
 155 -- refuse all queries not having exactly one question
 156 -- addAction(NotRule(RecordsCountRule(DNSSection.Question, 1, 1)), RCodeAction(dnsdist.REFUSED))
 157
 158 -- return 'refused' for domains matching the regex evil[0-9]{4,}.powerdns.com$
 159 -- addAction(RegexRule("evil[0-9]{4,}\\.powerdns\\.com$"), RCodeAction(dnsdist.REFUSED))
 160
 161 -- spoof responses for A, AAAA and ANY for spoof.powerdns.com.
 162 -- A queries will get 192.0.2.1, AAAA 2001:DB8::1 and ANY both
 163 -- addAction("spoof.powerdns.com.", SpoofAction({"192.0.2.1", "2001:DB8::1"}))
 164
 165 -- spoof responses will multiple records
 166 -- A will get 192.0.2.1 and 192.0.2.2, AAAA 20B8::1 and 2001:DB8::2
 167 -- ANY all of that
 168 -- addAction("spoof.powerdns.com", SpoofAction({"192.0.2.1", "192.0.2.2", "20B8::1", "2001:DB8::2"}))
 169
 170 -- spoof responses with a CNAME
 171 -- addAction("cnamespoof.powerdns.com.", SpoofCNAMEAction("cname.powerdns.com."))
 172
 173 -- spoof responses in Lua
 174 --[[
 175     function spoof1rule(dq)
 176         if(dq.qtype==1) -- A
 177         then
 178                 return DNSAction.Spoof, "192.0.2.1"
 179         elseif(dq.qtype == 28) -- AAAA
 180         then
 181                 return DNSAction.Spoof, "2001:DB8::1"
 182         else
 183                 return DNSAction.None, ""
 184         end
 185     end
 186     function spoof2rule(dq)
 187         return DNSAction.Spoof, "spoofed.powerdns.com."
 188     end
 189     addLuaAction("luaspoof1.powerdns.com.", spoof1rule)
 190     addLuaAction("luaspoof2.powerdns.com.", spoof2rule)
 191
 192 --]]
 193
 194 -- alter a protobuf response for anonymization purposes
 195 --[[
 196 function alterProtobuf(dq, protobuf)
 197     requestor = newCA(dq.remoteaddr:toString())
 198     if requestor:isIPv4() then
 199         requestor:truncate(24)
 200     else
 201         requestor:truncate(56)
 202     end
 203     protobuf:setRequestor(requestor)
 204 end
 205
 206 rl = newRemoteLogger("127.0.0.1:4242")
 207 addAction(AllRule(), RemoteLogAction(rl, alterProtobuf))
 208 --]]