lua script to filter out private A records and replace internal domain with external domain on powerdns slave

axferfilter.lua

-- lua script to filter out private A records and replace internal domain with external domain on powerdns slave

-- sqlite> select * from domain;
-- 1|example.com|[u'10.0.0.1']|Slave|1476367424|0|1|0
-- sqlite> insert into domainmetadata values (1, 1, 'LUA-AXFR-SCRIPT', '/var/opt/pdns/axferfilter.lua');

pdnslog("loading axferfilter.lua")

ranges={
        "127.0.0.0/8",
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
}
function axfrfilter(remoteip, zone, qname, qtype, ttl, prio, content)
  -- filter out any record that starts with a _
  if qname:match("^_") == "_" then
    return 0, {}
  end

  -- filter out any A records that match rfc1918 IPs
  if qtype == pdns.A and matchnetmask(content, ranges) then
    return 0, {}
  end

  if qtype == pdns.NS or qtype == pdns.SOA then
    content = content:gsub("ldap", "ns")
  end

  content = string.lower(content)
  content = content:gsub("int.local", "example.com")

  resp = {}
  resp[1] = {qname=qname, qtype=qtype, ttl=ttl, prio=prio, content=content}

  -- pdnslog("axfrfilter: remoteip: ".. tostring(remoteip).." zone: "..tostring(zone).." qname: "..tostring(qname).." qtype: "..tostring(qtype).." ttl: "..tostring(ttl).." prio: "..tostring(prio).." content:" .. tostring(content))

  return 0, resp
end

function string.starts(s, start)
  return s.sub(s, 1, s.len(start)) == start
end

Looks great. You might consider doing string.lower(content) first in case somebody put some funny upper/lower case stuff in there, causing your gsub to not to match. This will also just convert it to lowercase before responding.

content = string.lower(content)
content = content:gsub("int.local", "example.com")

Good idea. The gsub for the capitalized version was for _kerberos TXT records, but I've decided to filter those out.

I've updated the script with those changes.