$SDIG $nameserver 5301 www3.example.net a recurse 2>&1
+$SDIG $nameserver 5301 android.marvin.example.net a recurse 2>&1
Reply to question for qname='www3.example.net.', qtype=A
Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
0 www3.example.net. IN CNAME 0 www2.example.net.
+Reply to question for qname='android.marvin.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 android.marvin.example.net. IN A 15 192.0.2.5
$SDIG $nameserver 5301 trillian.example.net a recurse 2>&1
echo "==> www.trillian.example.net has no RPZ policy attached, so lookup should succeed"
$SDIG $nameserver 5301 www.trillian.example.net a recurse 2>&1
+echo "==> www.hijackme.example.net is served on ns.hijackme.example.net, which should be NXDOMAIN"
+$SDIG $nameserver 5301 www.hijackme.example.net a recurse 2>&1
+echo "==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule"
+$SDIG $nameserver 5301 host.lowercase-outgoing.example.net a recurse 2>&1
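Review bot: The two new lookups for www.hijackme.example.net and host.lowercase-outgoing.example.net only pin Rcode 3 in the expected output, and an authoritative NXDOMAIN would produce exactly the same sdig output, so the test cannot tell an rpz-nsdname/rpz-nsip hit apart from the names simply not existing. If those names do exist in their zones (not visible here), a paired lookup with RPZ disabled, the way android.marvin.example.net is handled in preresolve, would show they resolve without the policy and make the NXDOMAIN attributable to the rule. The echo before the hijackme query also reads as though the nameserver itself should be NXDOMAIN; `echo "==> www.hijackme.example.net is served by ns.hijackme.example.net, which is blocked by an rpz-nsdname rule, so the lookup should be NXDOMAIN"` (with the matching expected_result line updated) states the intent more precisely.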
Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
0 www.trillian.example.net. IN CNAME 15 www2.arthur.example.net.
0 www2.arthur.example.net. IN A 15 192.0.2.6
+==> www.hijackme.example.net is served on ns.hijackme.example.net, which should be NXDOMAIN
+Reply to question for qname='www.hijackme.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule
+Reply to question for qname='host.lowercase-outgoing.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
rpzFile("$(pwd)/recursor-service3/rpz.zone", {policyName="myRPZ"})
EOF
+IFS=. read REV_PREFIX1 REV_PREFIX2 REV_PREFIX3 <<< $(echo $PREFIX) # This will bite us in the ass if we ever test on IPv6
+
cat > recursor-service3/rpz.zone <<EOF
\$TTL 2h;
\$ORIGIN domain.example.
trillian.example.net CNAME . ; NXDOMAIN on apex, allows all sub-names (#4086)
32.4.2.0.192.rpz-ip CNAME rpz-drop. ; www4.example.net resolves to 192.0.2.4, drop A responses with that IP
+
+ns.hijackme.example.net.rpz-nsdname CNAME . ; NXDOMAIN for anything hosted on ns.hijackme.example.net
+ns.marvin.example.net.rpz-nsdname CNAME . ; NXDOMAIN for anything hosted on ns.marvin.example.net (we disable RPZ in preresolve though)
+32.24.$REV_PREFIX3.$REV_PREFIX2.$REV_PREFIX1.rpz-nsip CNAME . ; The IP for ns.lowercase-outgoing.example.net, should yield NXDOMAIN
+
EOF
cat > recursor-service3/script.lua <<EOF
function preresolve(dq)
+ if dq.qname:equal("android.marvin.example.net") then
+ dq.wantsRPZ = false -- disable RPZ
+ end
if dq.appliedPolicy.policyKind == pdns.policykinds.Custom then
if dq.qname:equal("www3.example.net") then
dq.appliedPolicy.policyCustom = "www2.example.net"