
List:       pdns-users
Subject:    Re: [Pdns-users] Pdns RPZ logging
From:       Otto Moerbeek via Pdns-users <pdns-users@mailman.powerdns.com>
Date:       2020-03-20 8:23:52
Message-ID: 20200320082352.GB95162@clue.drijf.net

On Thu, Mar 19, 2020 at 09:18:18AM +0000, Francis Turner via Pdns-users wrote:

> All,
> 
> As you may know ThreatSTOP provides an RPZ service and it works on PowerDNS. What
> doesn't quite work is logging and I'm trying to fix that.
> 
> My problem is that the documentation for what is output in the protobuf logging is
> unclear - https://github.com/PowerDNS/pdns/blob/master/pdns/dnsmessage.proto is
> the only thing I can find - but it doesn't look like PowerDNS provides the record
> that caused the RPZ rewrite that is made available in BIND. The PolicyType enum
> tells me that the hit was RESPONSEIP etc. but I don't see anything in the rest of
> the protobuf that gives me the actual rule that was hit.
> 
> In BIND you have a "via blahblah.." stanza in the log line that does this, e.g.
> 
> 17-Mar-2020 09:34:49.887 rpz: info: client 192.168.123.10#53112 (casasur.cl): rpz QNAME NODATA rewrite casasur.cl via casasur.cl.phishy.di000001.rpz.threatstop.local
> 
> For RPZ hits that work on dnames, where the qname is (plus or minus a *.) such as in the
> example above, that's fine, but if the rule hit is something else, e.g. responseip
> or nsip, then this isn't helpful; e.g. BIND tells me this:
> 
> 19-Mar-2020 09:00:45.878 rpz: info: client 192.168.123.12#55929 (peccsr.com): rpz NSIP CNAME rewrite peccsr.com via 29.120.82.251.162.rpz-nsip.phishy.di000001.rpz.threatstop.local
> 
> So far as I can tell what I get from PowerDNS is the rewritten return, e.g.
> NXDOMAIN or CNAME something, but not the record that caused the rewrite. This makes
> it hard for us to provide details on why the record was rewritten, e.g. that it was
> a botnet or phishing or porn or whatever.
> 
> So my questions are:
> is there more documentation on what is in the protobuf output?
> is there a way to configure it so that it can contain what I need? (ideally without
> recompiling PowerDNS)
> 
> Regards

We do not provide the exact details you describe in the protobuf
message (which indeed has sparse docs).

But what you could do is use Lua to add policy tags to the query, which
will end up in the protobuf "tags" field.

See https://docs.powerdns.com/recursor/lua-scripting/hooks.html and
https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion
specifically the appliedPolicy object and the addPolicyTag method.

master has a PR that allows you to do this based on the RPZ zone that
causes a hit, see https://github.com/PowerDNS/pdns/pull/8927

	-Otto

> 
> Francis
> 
> Francis Turner
> Threat STOP Global SE
> JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
> Office: +1-760-542-1550 | Skype: francis.turner.threatstop
> francis@threatstop.com | www.threatstop.com
>  Weaponize Your Threat Intelligence
> "If You Don't Build It, They Definitely Will Not Come" – P. Vixie

> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

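Editor's note: the following is an added example of the approach Otto describes above, written for this archive page; it is not code from the thread, from Otto, or from the PowerDNS project. It is a recursor Lua script that, in the postresolve hook, inspects dq.appliedPolicy and calls dq:addPolicyTag() so the name of the RPZ zone that fired (the policyName given to rpzMaster()/rpzFile()) and the kind of decision taken are carried in the protobuf "tags" field. It assumes the 4.2/4.3-era Lua API (postresolve(dq), dq.appliedPolicy with policyName, policyKind and policyCustom, the pdns.policykinds enum, dq:addPolicyTag()); the tag prefixes "rpz", "rpz-zone:", "rpz-kind:" and "rpz-target:" are arbitrary labels chosen for this example. Check the field and enum names against the dq.html page linked in the reply for the version you run, since later releases renamed some of them.

```lua
-- Added example, not from the original thread or the PowerDNS project.
-- Assumed API (PowerDNS Recursor 4.2/4.3 Lua scripting):
--   postresolve(dq)              hook called after resolution, before the answer is sent
--   dq.appliedPolicy.policyName  name passed as policyName= to rpzMaster()/rpzFile()
--   dq.appliedPolicy.policyKind  one of the pdns.policykinds.* values
--   dq.appliedPolicy.policyCustom CNAME target for a Custom policy
--   dq:addPolicyTag(string)      tag exported in the protobuf "tags" field

-- Short labels for the decision kinds (enum values are used as table keys).
local kindNames = {
  [pdns.policykinds.NoAction] = "noaction",
  [pdns.policykinds.Drop]     = "drop",
  [pdns.policykinds.NXDOMAIN] = "nxdomain",
  [pdns.policykinds.NODATA]   = "nodata",
  [pdns.policykinds.Truncate] = "truncate",
  [pdns.policykinds.Custom]   = "custom",
}

function postresolve(dq)
  local pol = dq.appliedPolicy
  -- No RPZ hit: leave the answer alone and add nothing.
  if pol == nil or pol.policyKind == pdns.policykinds.NoAction then
    return false
  end

  -- With one RPZ zone per feed (e.g. one zone for phishing, one for botnet C2)
  -- the policy name identifies the category the hit came from.
  local zone = pol.policyName
  if zone == nil or zone == "" then
    zone = "unnamed"
  end

  dq:addPolicyTag("rpz")
  dq:addPolicyTag("rpz-zone:" .. zone)
  dq:addPolicyTag("rpz-kind:" .. (kindNames[pol.policyKind] or tostring(pol.policyKind)))

  -- For Custom (CNAME) rewrites also record where the client was sent.
  if pol.policyKind == pdns.policykinds.Custom and pol.policyCustom ~= nil then
    dq:addPolicyTag("rpz-target:" .. pol.policyCustom)
  end

  -- Only tags were added; the decision made by the policy engine is unchanged.
  return false
end
```

Load the script with lua-dns-script in recursor.conf and have protobufServer() configured; every hit then arrives at the protobuf collector with tags such as "rpz-zone:phishy" and "rpz-kind:nxdomain" next to the rewritten answer. This gives you the category and the decision, which is what the question asked for; it still does not reproduce BIND's "via ..." record (the exact RPZ owner name that matched), which the reply says the protobuf message does not carry.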