From: Otto Moerbeek
Date: Wed, 4 Nov 2020 13:37:18 +0000 (+0100)
Subject: Deprecate more black- or whitelists
X-Git-Tag: rec-4.5.0-alpha1~79^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=996a5c0a7d5f33b4c6f9f2735e99724400e94a6c;p=thirdparty%2Fpdns.git
Deprecate more black- or whitelists
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 4c06ffe5de..0e465b2790 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -4381,6 +4381,7 @@ static void setupNODGlobal()
 g_nodLookupDomain = DNSName(::arg()["new-domain-lookup"]);
 g_nodLog = ::arg().mustDo("new-domain-log");
 parseNODWhitelist(::arg()["new-domain-whitelist"]);
+ parseNODWhitelist(::arg()["new-domain-ignore-list"]);
 // Setup Unique DNS Response subsystem
 g_udrEnabled = ::arg().mustDo("unique-response-tracking");
@@ -4619,6 +4620,7 @@ static int serviceMain(int argc, char*argv[])
 }
 SyncRes::parseEDNSSubnetWhitelist(::arg()["edns-subnet-whitelist"]);
+ SyncRes::parseEDNSSubnetWhitelist(::arg()["edns-subnet-allow-list"]);
 SyncRes::parseEDNSSubnetAddFor(::arg()["ecs-add-for"]);
 g_useIncomingECS = ::arg().mustDo("use-incoming-edns-subnet");
@@ -4880,6 +4882,11 @@ static int serviceMain(int argc, char*argv[])
 blacklistStats(StatComponent::RecControl, ::arg()["stats-rec-control-blacklist"]);
 blacklistStats(StatComponent::SNMP, ::arg()["stats-snmp-blacklist"]);
+ blacklistStats(StatComponent::API, ::arg()["stats-api-disabled-list"]);
+ blacklistStats(StatComponent::Carbon, ::arg()["stats-carbon-disabled-list"]);
+ blacklistStats(StatComponent::RecControl, ::arg()["stats-rec-control-disabled-list"]);
+ blacklistStats(StatComponent::SNMP, ::arg()["stats-snmp-disabled-list"]);
+
 if (::arg().mustDo("snmp-agent")) {
 string setting = ::arg()["snmp-daemon-socket"];
 if (setting.empty()) {
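Review bot: The added `parseNODWhitelist(::arg()["new-domain-ignore-list"]);` runs after the deprecated key has already been parsed, and because the new setting defaults to "" (hunk at 5423) it is an empty call on every unmigrated install, so the result depends on whether parseNODWhitelist appends to or resets the ignore set — not visible here; if it resets, the deprecated list is silently discarded and the internal domains it was meant to keep out of new-domain-lookup start being looked up. The same ordering applies to SyncRes::parseEDNSSubnetWhitelist in the hunk at 4619 and to blacklistStats at 4880, so confirm all three accumulate. Nothing tells an operator that the deprecated key is still in use; a warning before the first call, `if (!::arg()["new-domain-whitelist"].empty()) g_log<<Logger::Warning<<"new-domain-whitelist is deprecated, use new-domain-ignore-list"<<endl;`, would give the migration signal that "(deprecated)" in the help text alone does not. setupNODGlobal starts outside the hunk.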
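Review bot: Running blacklistStats for both `stats-api-blacklist` and `stats-api-disabled-list` (and likewise for Carbon, RecControl and SNMP) breaks an existing override: both keys default to `defaultBlacklistedStats` (hunk at 5386), so an operator who set `stats-api-blacklist=` to expose cache-bytes and the other hidden counters over the API now gets the new default hidden on top of it, and the override silently stops working until the new key is also set. Assuming blacklistStats accumulates, the deprecated key can from now on only add to the hidden set, never relax it, which is the opposite of what a deprecation shim should do. A safer shape is to pass a single list per component — the deprecated key's value when it was explicitly configured, otherwise the new key's — so the old configuration keeps its meaning for the deprecation period. serviceMain continues outside the hunk on both sides.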
@@ -5350,9 +5357,10 @@ int main(int argc, char **argv)
 ::arg().set("ecs-ipv6-cache-bits", "Maximum number of bits of IPv6 mask to cache ECS response")="56";
 ::arg().set("ecs-minimum-ttl-override", "The minimum TTL for records in ECS-specific answers")="1";
 ::arg().set("ecs-cache-limit-ttl", "Minimum TTL to cache ECS response")="0";
- ::arg().set("edns-subnet-whitelist", "List of netmasks and domains that we should enable EDNS subnet for")="";
+ ::arg().set("edns-subnet-whitelist", "List of netmasks and domains that we should enable EDNS subnet for (deprecated)")="";
+ ::arg().set("edns-subnet-allow-list", "List of netmasks and domains that we should enable EDNS subnet for")="";
 ::arg().set("ecs-add-for", "List of client netmasks for which EDNS Client Subnet will be added")="0.0.0.0/0, ::/0, " LOCAL_NETS_INVERSE;
- ::arg().set("ecs-scope-zero-address", "Address to send to whitelisted authoritative servers for incoming queries with ECS prefix-length source of 0")="";
+ ::arg().set("ecs-scope-zero-address", "Address to send to allow-listed authoritative servers for incoming queries with ECS prefix-length source of 0")="";
 ::arg().setSwitch( "use-incoming-edns-subnet", "Pass along received EDNS Client Subnet information")="no";
 ::arg().setSwitch( "pdns-distributes-queries", "If PowerDNS itself should distribute queries over threads")="yes";
 ::arg().setSwitch( "root-nx-trust", "If set, believe that an NXDOMAIN from the root means the TLD does not exist")="yes";
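Review bot: The new help text for `edns-subnet-whitelist` says only "(deprecated)" and does not name its replacement, so `--help` and the generated default configuration give an operator nothing to migrate to; `::arg().set("edns-subnet-whitelist", "List of netmasks and domains that we should enable EDNS subnet for (deprecated, use edns-subnet-allow-list)")="";` would. The same applies to the four `stats-*-blacklist` strings in the hunk at 5386 and to `new-domain-whitelist` in the hunk at 5423. main continues outside the hunk on both sides.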
@@ -5386,10 +5394,15 @@ int main(int argc, char **argv)
 for (size_t idx = 0; idx < 128; idx++) {
 defaultBlacklistedStats += ", ecs-v6-response-bits-" + std::to_string(idx + 1);
 }
- ::arg().set("stats-api-blacklist", "List of statistics that are disabled when retrieving the complete list of statistics via the API")=defaultBlacklistedStats;
- ::arg().set("stats-carbon-blacklist", "List of statistics that are prevented from being exported via Carbon")=defaultBlacklistedStats;
- ::arg().set("stats-rec-control-blacklist", "List of statistics that are prevented from being exported via rec_control get-all")=defaultBlacklistedStats;
- ::arg().set("stats-snmp-blacklist", "List of statistics that are prevented from being exported via SNMP")=defaultBlacklistedStats;
+ ::arg().set("stats-api-blacklist", "List of statistics that are disabled when retrieving the complete list of statistics via the API (deprecated)")=defaultBlacklistedStats;
+ ::arg().set("stats-carbon-blacklist", "List of statistics that are prevented from being exported via Carbon (deprecated)")=defaultBlacklistedStats;
+ ::arg().set("stats-rec-control-blacklist", "List of statistics that are prevented from being exported via rec_control get-all (deprecated)")=defaultBlacklistedStats;
+ ::arg().set("stats-snmp-blacklist", "List of statistics that are prevented from being exported via SNMP (deprecated)")=defaultBlacklistedStats;
+
+ ::arg().set("stats-api-disabled-list", "List of statistics that are disabled when retrieving the complete list of statistics via the API")=defaultBlacklistedStats;
+ ::arg().set("stats-carbon-disabled-list", "List of statistics that are prevented from being exported via Carbon")=defaultBlacklistedStats;
+ ::arg().set("stats-rec-control-disabled-list", "List of statistics that are prevented from being exported via rec_control get-all")=defaultBlacklistedStats;
+ ::arg().set("stats-snmp-disabled-list", "List of statistics that are prevented from being exported via SNMP")=defaultBlacklistedStats;
 ::arg().set("tcp-fast-open", "Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size")="0";
 ::arg().set("nsec3-max-iterations", "Maximum number of iterations allowed for an NSEC3 record")="2500";
@@ -5423,7 +5436,8 @@ int main(int argc, char **argv)
 ::arg().set("new-domain-log", "Log newly observed domains.")="yes";
 ::arg().set("new-domain-lookup", "Perform a DNS lookup newly observed domains as a subdomain of the configured domain")="";
 ::arg().set("new-domain-history-dir", "Persist new domain tracking data here to persist between restarts")=string(NODCACHEDIR)+"/nod";
- ::arg().set("new-domain-whitelist", "List of domains (and implicitly all subdomains) which will never be considered a new domain")="";
+ ::arg().set("new-domain-whitelist", "List of domains (and implicitly all subdomains) which will never be considered a new domain (deprecated)")="";
+ ::arg().set("new-domain-ignore-list", "List of domains (and implicitly all subdomains) which will never be considered a new domain")="";
 ::arg().set("new-domain-db-size", "Size of the DB used to track new domains in terms of number of cells. Defaults to 67108864")="67108864";
 ::arg().set("new-domain-pb-tag", "If protobuf is configured, the tag to use for messages containing newly observed domains. Defaults to 'pdns-nod'")="pdns-nod";
 ::arg().set("unique-response-tracking", "Track unique responses (tuple of query name, type and RR).")="no";
diff --git a/pdns/recursordist/docs/nod_udr.rst b/pdns/recursordist/docs/nod_udr.rst
index 1ef5f1af26..03acb16ea5 100644
--- a/pdns/recursordist/docs/nod_udr.rst
+++ b/pdns/recursordist/docs/nod_udr.rst
@@ -17,7 +17,7 @@ NOD is disabled by default, and must be enabled through the use of the following Once enabled the recursor will keep track of previously seen domains using the SBF data structure, which is periodically persisted to the directory specified in the ``new-domain-history-dir``, which defaults to /var/lib/pdns-recursor/nod. -Administrators may wish to prevent certain domains or subdomains from ever triggering the NOD algorithm, in which case those domains must be added to the ``new-domain-whitelist`` setting as a comma separated list. No domain (or subdomain of a domain) listed will be considered a newly observed domain. +Administrators may wish to prevent certain domains or subdomains from ever triggering the NOD algorithm, in which case those domains must be added to the ``new-domain-ignore-list`` setting as a comma separated list. No domain (or subdomain of a domain) listed will be considered a newly observed domain. There are several ways to receive the information about newly observed domains: diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 369e3fef67..90e6d9b801 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst 
@@ -459,7 +459,7 @@ Queries to addresses for zones as configured in any of the settings `forward-zon List of requestor netmasks for which the requestor IP Address should be used as the :rfc:`EDNS Client Subnet <7871>` for outgoing queries. Outgoing queries for requestors that do not match this list will use the `ecs-scope-zero-address`_ instead. Valid incoming ECS values from `use-incoming-edns-subnet`_ are not replaced. -Regardless of the value of this setting, ECS values are only sent for outgoing queries matching the conditions in the `edns-subnet-whitelist`_ setting. This setting only controls the actual value being sent. +Regardless of the value of this setting, ECS values are only sent for outgoing queries matching the conditions in the `edns-subnet-allow-list`_ setting. This setting only controls the actual value being sent. This defaults to not using the requestor address inside RFC1918 and similar "private" IP address spaces. @@ -547,7 +547,7 @@ That is, only if both the limits apply, the record will not be cached. - Default: empty The IP address sent via EDNS Client Subnet to authoritative servers listed in -`edns-subnet-whitelist`_ when `use-incoming-edns-subnet`_ is set and the query has +`edns-subnet-allow-list`_ when `use-incoming-edns-subnet`_ is set and the query has an ECS source prefix-length set to 0. The default is to look for the first usable (not an ``any`` one) address in `query-local-address`_ (starting with IPv4). If no suitable address is @@ -575,6 +575,15 @@ Lower this if you experience timeouts. ``edns-subnet-whitelist`` ------------------------- +.. deprecated:: 4.5.0 + Use :ref:`setting-edns-subnet-allow-list`. + +.. _setting-edns-subnet-allow-list: + +``edns-subnet-allow-list`` +-------------------------- +.. versionadded:: 4.5.0 + - Comma separated list of domain names and netmasks - Default: (none) 
@@ -1174,6 +1183,14 @@ from this directory. ``new-domain-whitelist`` ------------------------ .. versionadded:: 4.2.0 +.. deprecated:: 4.5.0 + Use :ref:`setting-new-domain-ignore-list`. + +.. _setting-new-domain-ignore-list: + +``new-domain-ignore-list`` +-------------------------- +.. versionadded:: 4.5.0 - List of Domain Names, comma separated - Example: xyz.com, abc.com @@ -1181,7 +1198,7 @@ from this directory. This setting is a list of all domains (and implicitly all subdomains) that will never be considered a new domain. For example, if the domain 'xyz123.tv' is in the list, then 'foo.bar.xyz123.tv' will never be -considered a new domain. One use-case for the whitelist is to never +considered a new domain. One use-case for the ignore list is to never reveal details of internal subdomains via the new-domain-lookup feature. @@ -1616,6 +1633,14 @@ Use 0 to disable. ``stats-api-blacklist`` ----------------------- .. versionadded:: 4.2.0 +.. deprecated:: 4.5.0 + Use :ref:`setting-stats-api-disabled-list`. + +.. _setting-stats-api-disabled-list: + +``stats-api-disabled-list`` +--------------------------- +.. versionadded:: 4.5.0 - String - Default: "cache-bytes, packetcache-bytes, special-memory-usage, ecs-v4-response-bits-*, ecs-v6-response-bits-*" @@ -1628,6 +1653,14 @@ These statistics can still be retrieved individually by specifically asking for ``stats-carbon-blacklist`` -------------------------- .. versionadded:: 4.2.0 +.. deprecated:: 4.5.0 + Use :ref:`setting-stats-carbon-disabled-list`. + +.. _setting-stats-carbon-disabled-list: + +``stats-carbon-disabled-list`` +------------------------------ +.. versionadded:: 4.5.0 - String - Default: "cache-bytes, packetcache-bytes, special-memory-usage, ecs-v4-response-bits-*, ecs-v6-response-bits-*" 
@@ -1639,6 +1672,14 @@ A list of comma-separated statistic names, that are prevented from being exporte ``stats-rec-control-blacklist`` ------------------------------- .. versionadded:: 4.2.0 +.. deprecated:: 4.5.0 + Use :ref:`setting-stats-rec-control-disabled-list`. + +.. _setting-stats-rec-control-disabled-list: + +``stats-rec-control-disabled-list`` +------------------------------------ +.. versionadded:: 4.5.0 - String - Default: "cache-bytes, packetcache-bytes, special-memory-usage, ecs-v4-response-bits-*, ecs-v6-response-bits-*" @@ -1661,6 +1702,14 @@ Can be read out using ``rec_control top-remotes``. ``stats-snmp-blacklist`` ------------------------ .. versionadded:: 4.2.0 +.. deprecated:: 4.5.0 + Use :ref:`setting-stats-snmp-disabled-list`. + +.. _setting-stats-snmp-disabled-list: + +``stats-snmp-disabled-list`` +---------------------------- +.. versionadded:: 4.5.0 - String - Default: "cache-bytes, packetcache-bytes, special-memory-usage, ecs-v4-response-bits-*, ecs-v6-response-bits-*" @@ -1849,7 +1898,7 @@ a unique DNS response is observed. - Default: no Whether to process and pass along a received EDNS Client Subnet to authoritative servers. -The ECS information will only be sent for netmasks and domains listed in `edns-subnet-whitelist`_ and will be truncated if the received scope exceeds `ecs-ipv4-bits`_ for IPv4 or `ecs-ipv6-bits`_ for IPv6. +The ECS information will only be sent for netmasks and domains listed in `edns-subnet-allow-list`_ and will be truncated if the received scope exceeds `ecs-ipv4-bits`_ for IPv4 or `ecs-ipv6-bits`_ for IPv6. .. _setting-version: