newly RPZoned domains should invalidate previously cached entries #14854

Open
g0tar opened this issue Nov 19, 2024 · 3 comments

Comments

@g0tar
Contributor

g0tar commented Nov 19, 2024

  • Program: Recursor
  • Issue type: Feature request

Short description

Domains that are going to start some abusive campaign can preemptively increase their TTL.
While it is expected that end-user systems will honor this value to some degree (at least until a reset/reboot of some kind), the DNS server operator should expunge them as soon as they are not trusted anymore (i.e. appear in an RPZ blocklist).

Usecase

After reloading rpzFile() (didn't test rpzPrimary() as it's harder to predict what domain to query ahead, needs setting up some testbed) with newly policied domains, Recursor still responds with cached values if it happens that such domain was queried beforehand.

This means that a single DNS client that asks for a domain before it gets blacklisted causes all future clients to get that response until the TTL expires, effectively circumventing policing and e.g. allowing some malware to keep spreading.

Wiping entire cache unconditionally (rec_control wipe-cache $) seems to be overkill, as the rpzFile() can be loaded every 5 minutes, the same goes for artificially reducing max-cache-ttl from default 24h to something like 15 minutes.

I would expect RPZ entries to be iterated and automatically removed from the cache.
Ideally the dnsdist standing before should be somehow notified as well...

@omoerbeek omoerbeek added the rec label Nov 20, 2024
@omoerbeek
Member

omoerbeek commented Nov 20, 2024

I think that reducing the packet cache TTL (https://docs.powerdns.com/recursor/yamlsettings.html#packetcache-ttl) should be enough. On a packet cache miss, a lookup is done in the record cache, and these lookups are subjected to RPZ.

Pruning the record cache is not right, as queries can be modified to ignore (specific) RPZs by Lua hooks.
But pruning the packet cache on RPZ update might be a nice thing to have.

@omoerbeek omoerbeek added this to the rec-future milestone Nov 20, 2024
@g0tar
Contributor Author

g0tar commented Nov 20, 2024

I'll try reducing the packetcache-ttl to 15 minutes, I'm not going for performance anyway.

From your answer I understand that wipe-cache clears the record cache - I see two simple improvements here:

  1. more verbose documentation: "Wipe entries for DOMAIN (exact name match) from the record cache",
  2. adding some flag to clear packet cache only (wipe-cache -p?) - this might be useful for non-RPZ scenarios as well.

Thanks for the quick response!

@omoerbeek
Member

  1. Not correct, rec_control wipe-cache clears the record cache, packet cache, negative cache and aggressive NSEC cache.
  2. We'll ponder that, as just clearing the packet cache can be useful in some cases.
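
The manual counterpart of what the issue requests, as an added example that is not code from the issue or from the PowerDNS project: after an RPZ file reload, derive the policed names from the zone file and hand them to rec_control wipe-cache. The RPZ apex name rpz.example, the REC_CONTROL override and the sample zone records are constructed for the example; wipe-cache also clears the record cache, which, as noted above, may be unwanted where Lua hooks exempt some queries from RPZ.

```shell
# Added example, not code from the issue or the PowerDNS project: derive the
# names policed by an RPZ zone file and wipe them from the Recursor caches with
# rec_control, the manual form of what the issue asks to happen automatically.
set -e

RPZ_APEX="${RPZ_APEX:-rpz.example}"        # assumed RPZ zone name (hypothetical)
REC_CONTROL="${REC_CONTROL:-rec_control}"

# Read RPZ zone text on stdin; print each policed name with the RPZ apex
# stripped. Only trigger records (CNAME actions) count, so the apex SOA/NS,
# directives and comments are skipped. A wildcard trigger "*.x" is printed as
# "x$", which makes rec_control wipe-cache wipe the whole subtree.
rpz_policed_names() {
    awk -v apex="$RPZ_APEX" '
        /^[[:space:]]*(;|$)/ { next }             # comment or blank line
        $1 == "$TTL" || $1 == "$ORIGIN" { next }  # zone directives
        {
            for (i = 1; i <= NF; i++) if ($i == "CNAME") break
            if (i > NF) next                      # not a policy trigger
            name = $1; sub(/\.$/, "", name); suffix = "." apex
            if (length(name) <= length(suffix)) next
            if (substr(name, length(name) - length(suffix) + 1) != suffix) next
            name = substr(name, 1, length(name) - length(suffix))
            if (name ~ /^\*\./) print substr(name, 3) "$"; else print name
        }'
}

# Wipe every policed name in the RPZ file $1. wipe-cache clears the record,
# packet, negative and aggressive NSEC caches, as noted in the thread.
wipe_policed() {
    local names
    names=$(rpz_policed_names < "$1")
    [ -n "$names" ] || return 0
    "$REC_CONTROL" wipe-cache $names   # unquoted: one name per argument
}

# Constructed sample RPZ zone used to exercise the functions offline.
sample_rpz() {
cat <<'EOF'
$TTL 300
$ORIGIN rpz.example.
@                          IN SOA ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 300
                           IN NS  ns.rpz.example.
; constructed triggers: NXDOMAIN for one name, NODATA for a subtree
malware.test.rpz.example.  IN CNAME .
*.bad.test.rpz.example.    IN CNAME *.
EOF
}
```

Run it as `wipe_policed /path/to/rpz.zone` from the same hook that reloads the file; with REC_CONTROL=echo it only prints the command it would issue.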
