From: Ensar Sarajčić
Date: Mon, 3 Jun 2024 16:43:05 +0000 (+0200)
Subject: Add support for `udr-ignore-list-file`
X-Git-Tag: rec-5.2.0-alpha0~19^2~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6a4368343f557b802d645bbd95759d0a4256f3f3;p=thirdparty%2Fpdns.git
Add support for `udr-ignore-list-file`
---
diff --git a/pdns/recursordist/docs/nod_udr.rst b/pdns/recursordist/docs/nod_udr.rst
index 705090633d..69d6bd2f19 100644
--- a/pdns/recursordist/docs/nod_udr.rst
+++ b/pdns/recursordist/docs/nod_udr.rst
@@ -59,7 +59,7 @@ The data is persisted to /var/lib/pdns-recursor/udr by default, which can be cha
 The SBF (which is maintained separately per recursor thread) cell size defaults to 67108864, which can be changed using the setting ``unique-response-db-size``. The same caveats regarding FPs/FNs apply as for NOD.
-Similarly to NOD, administrators may wish to prevent certain domains or subdomains from ever triggering the UDR algorithm, in which case those domains must be added to the ``udr-ignore-list`` setting as a comma separated list. No domain (or subdomain of a domain) listed will be considered a new unique domain response.
+Similarly to NOD, administrators may wish to prevent certain domains or subdomains from ever triggering the UDR algorithm, in which case those domains must be added to the ``udr-ignore-list`` setting as a comma separated list. No domain (or subdomain of a domain) listed will be considered a new unique domain response. It is also possible to use ``udr-ignore-list-file`` to read a file with ignored domains, one domain per line.
 Similarly to NOD, unique domain responses can be tracked using several mechanisms:
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 11c75955c8..db8fa554d2 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -877,6 +877,39 @@ static void parseUDRIgnorelist(const std::string& wlist)
 }
 }
+static void parseUDRIgnorelistFile(const std::string& fname)
+{
+ string line;
+ std::ifstream udrIgnorelistFileStream(fname);
+ if (!udrIgnorelistFileStream) {
+ throw ArgException(fname + " could not be parsed");
+ }
+
+ while (getline(udrIgnorelistFileStream, line)) {
+ boost::trim_right(line);
+
+ // strip everything after a # string::size_type pos = line.find('#');
+ if (pos != string::npos) {
+ // make sure it's either first char or has whitespace before
+ if (pos == 0 || (std::isspace(line[pos - 1]) != 0)) {
+ line = line.substr(0, pos);
+ }
+ }
+
+ // strip trailing spaces
+ boost::trim_right(line);
+
+ // strip leading spaces
+ pos = line.find_first_not_of(" \t\r\n");
+ if (pos != string::npos) {
+ line = line.substr(pos);
+ }
+
+ g_udrDomainWL.add(DNSName(line));
+ }
+}
+
 static void setupNODGlobal()
 {
 // Setup NOD subsystem
@@ -892,6 +925,7 @@ static void setupNODGlobal()
 g_nod_pbtag = ::arg()["new-domain-pb-tag"];
 g_udr_pbtag = ::arg()["unique-response-pb-tag"];
 parseUDRIgnorelist(::arg()["udr-ignore-list"]);
+ parseUDRIgnorelistFile(::arg()["udr-ignore-list-file"]);
 }
 #endif /* NOD_ENABLED */
diff --git a/pdns/recursordist/settings/table.py b/pdns/recursordist/settings/table.py
index 758d3ed6f7..e3c6b98efb 100644
--- a/pdns/recursordist/settings/table.py
+++ b/pdns/recursordist/settings/table.py
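Review bot: `parseUDRIgnorelistFile` throws as soon as the stream fails to open, and the new call in the second hunk passes `::arg()["udr-ignore-list-file"]` whose default in table.py is `''`, so with the setting left unset `std::ifstream("")` fails and every start-up that reaches `setupNODGlobal()` would raise `ArgException(" could not be parsed")`; add `if (fname.empty()) { return; }` before opening the stream (or guard the call in `setupNODGlobal()`, whose body continues outside the second hunk). Blank lines and comment-only lines are not skipped either: after the `#` and whitespace stripping, `line` can be empty and still reaches `g_udrDomainWL.add(DNSName(line))`, which presumably is not intended, so `if (line.empty()) { continue; }` belongs before the add. `std::isspace(line[pos - 1])` receives a plain `char`, which is undefined for bytes above 0x7f where `char` is signed; write `std::isspace(static_cast<unsigned char>(line[pos - 1]))`.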
@@ -1808,6 +1808,23 @@ that will never be considered for a new unique domain request. For example, if the domain 'xyz123.tv' is in the list, then 'foo.bar.xyz123.tv' will never be considered for a new unique domain request. One use-case for the ignore list is to never reveal details of internal subdomains
+via the new-domain-lookup feature.
+ ''',
+ 'versionadded' : '5.1.0'
+ },
+ {
+ 'name' : 'udr_ignore_list_file',
+ 'section' : 'nod',
+ 'oldname' : 'udr-ignore-list-file',
+ 'type' : LType.String,
+ 'default' : '',
+ 'help' : 'File with list of domains (and implicitly all subdomains) which will never be considered for UDR',
+ 'doc' : '''
+This setting is a list of all domains (and implicitly all subdomains)
+that will never be considered for a new unique domain request.
+For example, if the domain 'xyz123.tv' is in the list, then 'foo.bar.xyz123.tv'
+will never be considered for a new unique domain request. One use-case for the
+ignore list is to never reveal details of internal subdomains via the new-domain-lookup feature.
 ''',
 'versionadded' : '5.1.0'
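Review bot: The `doc` text of the new `udr_ignore_list_file` entry is copied verbatim from `udr_ignore_list` and describes the setting as "a list of all domains", while its `type` is `LType.String` and its `help` says it is a file; the nod_udr.rst change in this commit gives the format ("one domain per line") that the doc should state, e.g. `Path to a file with domains (and implicitly all subdomains), one domain per line, that will never be considered for a new unique domain response.`, with the 'xyz123.tv' example kept after it. The `'versionadded' : '5.1.0'` value is copied from the previous entry too; the X-Git-Tag in the header is rec-5.2.0-alpha0, so it may not be the release this setting first ships in — confirm before it is generated into the docs.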