ahupowerdns

We often get requests for a PowerDNS package repository to ease updating. This is our idea on how we'll implement this.

There will be a repository that always gives you 
  1) auth and recursor from the tip of master or other branches ("scary-master", "scary-oneshot")
  2) auth and recursor from 3.3.x, where we promise that updates within 3.3.x will never break ("auth-3.3, recursor-3.5")
  3) auth and recursor "highest released version" ("auth-release", "recursor-release")

So to upgrade to a newer version, either:
  1) just update and get whatever pain we want to inflict on you
  2) update and get something that Should Just Work

ahupowerdns

If you note that some of your users are sending you queries to weirdly named domains
(sdfhsdfkh.www.7xinggua.com. for example), and that those queries in turn are contributing 
to a denial of service attack to "nameservers" behind those weirdly named domains, this page 
may be for you. The instructions are for Linux, but other operating systems will offer 
similar ways to filter traffic.

PowerDNS Recursor 3.6.0 out of the box comes with settings that try to limit this attack, 
but there is only so much we can do. A better way is to block or deflect traffic from those 
sending the queries. 

ahupowerdns

Get your own restricted shell!

$ grep restricted /etc/passwd
restricted:x:1001:1001:bert hubert,,,:/home/restricted:/home/ahu/git/secfilter/shwrap

$ cat shwrap
#!/bin/sh
/home/ahu/git/secfilter/secfilt --no-outbound-network=1 /bin/bash

ahupowerdns

First, clone the Mozilla focus project and make it fetch its list:

$ git clone https://github.com/mozilla/focus.git
$ cd focus
$ ./checkout.sh
$ cd Lists

This delivers several JSON formatted files, of which we are going to use disconnect-advertising.json. We'll filter out the good bits using jq, and create a Lua representation:

(

ahupowerdns

1: blogspot.com
2: test.blogspot.com
3: blogspot.co.uk

Now we get a lookup for zzz.blogspot.com: is it on the list? We do a binary search and end up between 2 and 3. So how do we decide if zzz.blogspot.com is on the list?

Walk backwards until an entry matches? When do we stop?

This setup only works if we do 4 lookups, one for zzz.blogspot.com., blogspot.com., com., .. which is exactly what we don't want.

ahupowerdns

$ git clone https://github.com/mozilla/focus.git
$ cd focus
$ ./checkout.sh
$ cd Lists

ahupowerdns

(
echo 'return{'
for a in $(jq '.[].trigger["url-filter"]' disconnect-advertising.json  | 
           cut -f3 -d? | sed 's:\\\\.:.:g' | sed s:\"::)
do 
   echo \"$a\", 
done 
echo '}'
) > blocklist.lua    

ahupowerdns

adservers=newDS()
adservers:add(dofile("blocklist.lua"))

function preresolve(dq)
    if(not adservers:check(dq.qname) or (dq.qtype ~= pdns.A and dq.qtype ~= pdns.AAAA)) then
        return false
    end

    dq:addRecord(pdns.SOA,
        "fake."..dq.qname:toString().." fake."..dq.qname:toString().." 1 7200 900 1209600 86400",

ahupowerdns

  (echo return{; 
  for z in {1..10}
  do for a in {1..255}
  do for b in {1..255}
  do echo \"10.$z.$a.$b\",
  done ; done; done
  echo } ) > filtercustomers.lua

ahupowerdns

adservers=newDS()
adservers:add(dofile("blocklist.lua"))
-- optionally: adservers:add(dofile("trackers.lua"))

filterset=newCAS()
filterset:add(dofile("filtercustomers.lua"))

function preresolve(dq)
    if(not adservers:check(dq.qname) or (dq.qtype ~= pdns.A and dq.qtype ~= pdns.AAAA)) then
        return false