- ``backupSelector``: used to pick the IP address from list of all candidates if all addresses are down. Choices include 'pickclosest', 'random', 'hashed', 'all' (default to 'random').
- ``source``: Source IP address to check from
- ``stringmatch``: check ``url`` for this string, only declare 'up' if found
+ - ``useragent``: Set the HTTP "User-Agent" header in the requests. By default it is set to "PowerDNS Authoritative Server"
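Review bot: The new ``useragent`` entry does not say which check type it affects; the neighbouring ``stringmatch`` entry explicitly ties itself to the ``url`` check, and this one should do the same, e.g. "Set the HTTP "User-Agent" header sent with the ``url`` check requests". Quoting the default value with double backticks, as the other entries do for literals, would also keep the list consistent.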
{ "sendCustomTrap", true, "str", "send a custom `SNMP` trap from Lua, containing the `str` string"},
{ "setACL", true, "{netmask, netmask}", "replace the ACL set with these netmasks. Use `setACL({})` to reset the list, meaning no one can use us" },
{ "setAddEDNSToSelfGeneratedResponses", true, "add", "set whether to add EDNS to self-generated responses, provided that the initial query had EDNS" },
+ { "setAllowEmptyResponse", true, "allow", "Set to true (defaults to false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode (default) from backends" },
{ "setAPIWritable", true, "bool, dir", "allow modifications via the API. if `dir` is set, it must be a valid directory where the configuration files will be written by the API" },
{ "setConsoleACL", true, "{netmask, netmask}", "replace the console ACL set with these netmasks" },
{ "setConsoleConnectionsLogging", true, "enabled", "whether to log the opening and closing of console connections" },
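Review bot: The help string for `setAllowEmptyResponse` is ambiguous where it says "with a NoError or NXDomain rcode (default)": the parenthetical reads as if NXDomain were a default rcode, when it presumably refers to the option's default value already stated at the start of the sentence. Suggest "set to true (default: false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode from backends". The description also starts with a capital letter while every other entry in this table starts lowercase.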
If this function exists, it is called every second to so regular tasks.
This can be used for e.g. :doc:`Dynamic Blocks <../guides/dynblocks>`.
+.. function: setAllowEmptyResponse()
+
+ .. versionadded:: 1.4.0
+
+ Set to true (defaults to false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode (default) from backends. dnsdist drops these responses by default because it can't match them against the initial query since they don't contain the qname, qtype and qclass, and therefore the risk of collision is much higher than with regular responses.
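Review bot: The directive on the first added line is malformed: `.. function: setAllowEmptyResponse()` uses a single colon, so Sphinx will treat it as a comment and the entry will silently disappear from the rendered reference. It should be `.. function:: setAllowEmptyResponse(allow)`, with the boolean argument in the signature and a `:param bool allow:` line, matching the "allow" argument shown in the console completion table for the same call. The "rcode (default)" wording has the same ambiguity here as in that table entry.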
-void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& n, Policy&& pol)
+void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& n, Policy&& pol, bool ignoreDuplicate)
{
auto it = d_qpolName.find(n);
if (it != d_qpolName.end()) {
auto& existingPol = it->second;
- if (pol.d_kind != PolicyKind::Custom) {
+ if (pol.d_kind != PolicyKind::Custom && !ignoreDuplicate) {
throw std::runtime_error("Adding a QName-based filter policy of kind " + getKindToString(pol.d_kind) + " but a policy of kind " + getKindToString(existingPol.d_kind) + " already exists for the following QName: " + n.toLogString());
}
- if (existingPol.d_kind != PolicyKind::Custom) {
+ if (existingPol.d_kind != PolicyKind::Custom && ignoreDuplicate) {
throw std::runtime_error("Adding a QName-based filter policy of kind " + getKindToString(existingPol.d_kind) + " but there was already an existing policy for the following QName: " + n.toLogString());
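Review bot: The two conditions look inverted relative to each other: the first throw is gated on `!ignoreDuplicate` but the second on `ignoreDuplicate`. With the previous behaviour (both throws unconditional), a caller passing `ignoreDuplicate = false` now no longer throws when `existingPol.d_kind != PolicyKind::Custom`, so a Custom policy added on top of an existing non-Custom one is merged instead of rejected, which is a behaviour change for existing callers. If the intent is "skip both duplicate checks when asked", both lines should read `&& !ignoreDuplicate`; if the asymmetry is deliberate, it deserves a comment explaining why.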
@@ -297,7+304,7 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
if (!seedFile.empty()) {
g_log<<Logger::Info<<"Pre-loading RPZ zone "<<zoneName<<" from seed file '"<<seedFile<<"'"<<endl;
try {
- sr = loadRPZFromFile(seedFile, zone, defpol, maxTTL);
+ sr = loadRPZFromFile(seedFile, zone, defpol, defpolOverrideLocal, maxTTL);
if (zone->getDomain() != domain) {
throw PDNSException("The RPZ zone " + zoneName + " loaded from the seed file (" + zone->getDomain().toString() + ") does not match the one passed in parameter (" + domain.toString() + ")");
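Review bot: The new `defpolOverrideLocal` argument is inserted in the middle of the `loadRPZFromFile` parameter list, between `defpol` and `maxTTL`. Both are passed positionally, so any other call site that is not updated in the same change will still compile only if the types happen to line up and would then silently shift `maxTTL` into the new slot; please make sure the declaration and every remaining caller are changed together, and consider giving the new parameter a default so the old calls keep their meaning.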
@@ -321,7+328,7 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
In this example, 'policy.rpz' denotes the name of the zone to query for.
+The action to be taken on a match is defined by the zone itself, but in some cases it might be interesting to be able to override it, and always apply the same action
+regardless of the one specified in the RPZ zone. To load from file and override the default action with a custom CNAME to badserver.example.com., use for example:
+Note that since 4.2.0, it is possible for the override policy specified via 'defpol' to no longer be applied to local data entries present in the zone by setting the 'defpolOverrideLocalData' parameter to false.
+
As of version 4.2.0, the first parameter of :func:`rpzMaster` can be a list of addresses for failover:
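Review bot: The sentence ending "use for example:" is followed directly by the "Note that since 4.2.0" paragraph, so the promised example is missing from the hunk; either add the `rpzFile` call with the `defpol` table or drop the trailing colon. The parameter is documented here as 'defpolOverrideLocalData' while the C++ variable in the loader hunk is `defpolOverrideLocal`; worth confirming that the documented Lua key is the one the config parser actually reads. A blank line is also needed before "Note that since 4.2.0" so it renders as its own paragraph.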
@@ -712,6+712,17 @@ Path to a lua file to manipulate the Recursor's answers. See :doc:`lua-scripting
The interval between calls to the Lua user defined `maintenance()` function in seconds.
See :ref:`hooks-maintenance-callback`
+.. _setting-max-cache-bogus-ttl:
+
+``max-cache-bogus-ttl``
+-----------------------
+.. versionadded:: 4.2.0
+
+- Integer
+- Default: 3600
+
+Maximum number of seconds to cache an item in the DNS cache (negative or positive) if its DNSSEC validation failed, no matter what the original TTL specified, to reduce the impact of a broken domain.
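Review bot: The description does not say whether `max-cache-bogus-ttl` has any effect when DNSSEC validation is not enabled, nor how it interacts with `max-cache-ttl` and `max-negative-ttl` (which bound wins when both apply); a sentence on each would save users a test. Style-wise, the other setting blocks in this file leave a blank line between the title underline and `.. versionadded::`, and this one does not.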
LOG(prefix<<qname<<": Found cache CNAME hit for '"<< qname << "|CNAME" <<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl);
LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZoneRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl);
done=true;
- ret.push_back(rec);
if (state == Secure && needWildcardProof) {
/* We have a positive answer synthetized from a wildcard, we need to check that we have
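Review bot: Removing `ret.push_back(rec);` here leaves no visible replacement within the hunk, so on the non-wildcard path (`needWildcardProof` false, or `state != Secure`) it is not clear from this change that the CNAME target record still ends up in `ret`. If the push is being moved below the wildcard-proof block so that the record carries the updated validation state, that should appear in the same hunk or be called out in the commit message; otherwise the resolved record is logged as "answer is in" but never returned.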