From 439913bbde58a44ccdd7c2c4af678c65fb52937d Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Thu, 19 Sep 2024 14:07:26 +0200
Subject: [PATCH 1/2] rec: a few RPZ tweaks

- Log policyname on policyHit when updating root
- Do not register invalid file-based RPZs
- Do not return null SOA
---
 pdns/recursordist/filterpo.hh | 2 +-
 pdns/recursordist/rec-main.cc | 10 +++++++---
 pdns/recursordist/syncres.cc | 5 +++--
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/pdns/recursordist/filterpo.hh b/pdns/recursordist/filterpo.hh
index 2fec80813b08..fbd14c1d76d0 100644
--- a/pdns/recursordist/filterpo.hh
+++ b/pdns/recursordist/filterpo.hh
@@ -212,7 +212,7 @@ public:
 [[nodiscard]] bool getSOA(DNSRecord& rec) const
 {
- if (d_zoneData) {
+ if (d_zoneData && d_zoneData->d_soa.getContent()) {
 rec = d_zoneData->d_soa;
 return true;
 }
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 6a1eb68358ba..efd01215cf56 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -3426,7 +3426,7 @@ static void* pleaseInitPolCounts(const string& name)
 return nullptr;
 }
-static void activateRPZFile(const RPZTrackerParams& params, LuaConfigItems& lci, shared_ptr& zone)
+static bool activateRPZFile(const RPZTrackerParams& params, LuaConfigItems& lci, shared_ptr& zone)
 {
 auto log = lci.d_slog->withValues("file", Logging::Loggable(params.name));
@@ -3441,7 +3441,10 @@ static void activateRPZFile(const RPZTrackerParams& params, LuaConfigItems& lci,
 catch (const std::exception& e) {
 SLOG(g_log << Logger::Error << "Unable to load RPZ zone from '" << params.name << "': " << e.what() << endl,
 log->error(Logr::Error, e.what(), "Exception while loading RPZ zone from file"));
+ zone->clear();
+ return false;
 }
+ return true;
 }
 static void activateRPZPrimary(RPZTrackerParams& params, LuaConfigItems& lci, shared_ptr& zone, const DNSName& domain)
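Review bot: The new condition in getSOA makes a zone whose d_zoneData exists but whose d_soa has no content report "no SOA", and nothing in the header says why a zone can be in that state; the zone->clear() added to activateRPZFile in this same patch is presumably the case being guarded, so the reason should be recorded where the check lives. A comment such as `// d_soa may carry no content (e.g. a zone cleared after a failed load); report no SOA instead of handing out an empty record` above the `if` would do. The enclosing class starts and ends outside the hunk.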
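Review bot: activateRPZFile now returns a success flag that the caller must honour (activateRPZs skips addZone on false), but nothing prevents a future caller from ignoring it; mark the new declaration `[[nodiscard]] static bool activateRPZFile(...)`, as getSOA in filterpo.hh already is, and document the contract with `/// Loads a file-based RPZ into zone; on failure the error is logged, zone is cleared and false is returned, and the caller must not register the zone.` The same contract applies to the catch block in the second rec-main.cc hunk (-3441), where zone->clear() and return false live. Note that a failed load is now logged at Error and the zone is silently absent from the policy engine, so the resolver keeps answering without a policy the operator configured; whether that should be fatal at startup rather than fail-open is worth stating explicitly in the commit message or a comment. The try body of activateRPZFile lies between the two hunks and is not visible here.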
@@ -3500,8 +3503,9 @@ static void activateRPZs(LuaConfigItems& lci)
 zone->setIgnoreDuplicates(params.ignoreDuplicates);
 if (params.primaries.empty()) {
- activateRPZFile(params, lci, zone);
- lci.dfe.addZone(zone);
+ if (activateRPZFile(params, lci, zone)) {
+ lci.dfe.addZone(zone);
+ }
 }
 else {
 DNSName domain(params.name);
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 8c1ffcfe4b72..7fe0c309dd8b 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -6223,9 +6223,10 @@ int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback, unsigne
 SLOG(g_log << Logger::Error << "Failed to update . records, got an exception: " << e.reason << endl,
 log->error(Logr::Error, e.reason, msg, "exception", Logging::Loggable("ImmediateServFailException")));
 }
- catch (const PolicyHitException& e) {
+ catch (const PolicyHitException& policyHit) {
 SLOG(g_log << Logger::Error << "Failed to update . records, got a policy hit" << endl,
- log->info(Logr::Error, msg, "exception", Logging::Loggable("PolicyHitException")));
+ log->info(Logr::Error, msg, "exception", Logging::Loggable("PolicyHitException"),
+ "policyName", Logging::Loggable(resolver.d_appliedPolicy.getName())));
 ret.clear();
 }
 catch (const std::exception& e) {

From 8798773e8180607818f81e9de6f2ba136c296c27 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Fri, 20 Sep 2024 09:02:14 +0200
Subject: [PATCH 2/2] Don't apply NS RPZs to forwarders

---
 pdns/recursordist/syncres.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 7fe0c309dd8b..e80e3b5fff76 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
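Review bot: In the getRootNS hunk the policy name is added only to the structured-logging branch; the legacy `g_log` stream in the same SLOG still prints a bare "got a policy hit", so an operator on the old logger still cannot tell which RPZ broke root priming. Bring the two in line with `SLOG(g_log << Logger::Error << "Failed to update . records, got a policy hit from policy '" << resolver.d_appliedPolicy.getName() << "'" << endl,` on the line above the log->info call. The renamed exception variable `policyHit` is still unused, so `catch (const PolicyHitException&) {` avoids an unused-variable warning without losing anything. The new line assumes d_appliedPolicy still describes the hit at the point the exception is caught; a short comment saying so would help, since that state is set outside this hunk. getRootNS starts and ends outside the hunk.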
@@ -3407,6 +3407,9 @@ bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& n
 */
 if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
 for (auto const& nameserver : nameservers) {
+ if (nameserver.first.empty()) {
+ continue;
+ }
 bool match = dfe.getProcessingPolicy(nameserver.first, d_discardedPolicies, d_appliedPolicy);
 if (match) {
 mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
@@ -5944,7 +5947,7 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
 LOG(", ");
 }
 LOG(remoteIP->toString());
- if (nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) {
+ if (!tns->first.empty() && nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) {
 hitPolicy = true;
 }
 }
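Review bot: The new `nameserver.first.empty()` test in nameserversBlockedByRPZ relies on an empty DNSName as an undocumented sentinel; the commit subject says this identifies forwarders, but a reader of the function cannot tell, so add `// Forwarders carry an empty name; nameserver-based RPZ triggers are not applied to them` above the new `if`, and the same comment above the `!tns->first.empty() &&` guard in the doResolveAt hunk (-5944). Note that the doResolveAt hunk also suppresses the address-based check (nameserverIPBlockedByRPZ) for forwarder addresses, not only the name-based one, so an operator whose NSIP trigger covers a forwarder's address will no longer get a hit; if that is intended it should be stated in the comment and in the commit message. Both nameserversBlockedByRPZ and doResolveAt start and end outside their hunks.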