Hello,
How (reliably) does policy.add(policy.suffix(policy.STUB()… work in kresd version 4.3.0?
Here is the situation. I have an RBL running on IP address 192.168.100.11:
dig @192.168.100.11 A 1.2.2.1.dnsbl.doma
root@percival:/etc/init.d# dig @192.168.100.11 A 1.2.2.1.dnsbl.doma
; <<>> DiG 9.12.4-P2 <<>> @192.168.100.11 A 1.2.2.1.dnsbl.doma
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46644
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;1.2.2.1.dnsbl.doma. IN A
;; ANSWER SECTION:
1.2.2.1.dnsbl.doma. 2100 IN A 127.0.0.2
;; AUTHORITY SECTION:
dnsbl.doma. 3000 IN NS dnsbl.doma.
;; Query time: 0 msec
;; SERVER: 192.168.100.11#53(192.168.100.11)
;; WHEN: Wed Feb 26 12:07:52 CET 2020
;; MSG SIZE rcvd: 66
The kresd configuration is as follows:
/tmp/kresd.config
--Automatically generated file; DO NOT EDIT
modules = {
'hints > iterate'
, 'policy'
, 'stats'
, predict = {
window = 30 -- 30 minutes sampling window
, period = 24*(60/30) -- track last 24 hours
}
}
hints.use_nodata(true)
hints.config('/tmp/kresd/hints.tmp')
trust_anchors.add_file('/etc/root.keys')
net.bufsize(16384)
net.ipv4=true
net.ipv6=true
cache.open(20*MB)
cache.clear()
--- Included custom configuration file from: ---
--- /etc/kresd/custom.conf
-- Local changes
policy.add(policy.suffix(policy.STUB('192.168.100.11'), {todname('dnsbl.doma.')}))
-- End
And when I start kresd (on the Omnia [192.168.100.1]), basically everything works except the query for “…dnsbl.doma”:
dig @192.168.100.1 A 1.2.2.1.dnsbl.doma
root@percival:/etc/init.d# dig @192.168.100.1 A 1.2.2.1.dnsbl.doma
; <<>> DiG 9.12.4-P2 <<>> @192.168.100.1 A 1.2.2.1.dnsbl.doma
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50854
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 16384
;; QUESTION SECTION:
;1.2.2.1.dnsbl.doma. IN A
;; AUTHORITY SECTION:
. 86394 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020022601 1800 900 604800 86400
;; Query time: 1 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Wed Feb 26 12:14:18 CET 2020
;; MSG SIZE rcvd: 122
The kresd debug log contains this:
kresd verbose
2020-02-26 12:14:18 info kresd[17102]: > [00000.00][plan] plan '1.2.2.1.dnsbl.doma.' type 'A' uid [50854.00]
2020-02-26 12:14:18 info kresd[17102]: [50854.00][iter] '1.2.2.1.dnsbl.doma.' type 'A' new uid was assigned .01, parent uid .00
2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => trying zone: ., NSEC, hash 0
2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => NSEC sname: covered by: dog. -> domains., new TTL 86394
2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => NSEC wildcard: covered by: . -> aaa., new TTL 86394
2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => writing RRsets: +++
2020-02-26 12:14:18 info kresd[17102]: [50854.01][resl] AD: request NOT classified as SECURE
2020-02-26 12:14:18 info kresd[17102]: [50854.01][resl] finished: 0, queries: 1, mempool: 114744 B
Somehow I can't shake the feeling that it completely ignores the “STUB” rule.
But when I now force kresd to flush its cache (echo "cache.clear()" | socat - /tmp/kresd/tty/*) and then ask:
dig @192.168.100.1 A 1.2.2.1.dnsbl.doma after the cache flush
root@percival:/etc/init.d# dig @192.168.100.1 A 1.2.2.1.dnsbl.doma
; <<>> DiG 9.12.4-P2 <<>> @192.168.100.1 A 1.2.2.1.dnsbl.doma
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62192
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 16384
;; QUESTION SECTION:
;1.2.2.1.dnsbl.doma. IN A
;; ANSWER SECTION:
1.2.2.1.dnsbl.doma. 2100 IN A 127.0.0.2
;; Query time: 1 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Wed Feb 26 12:18:15 CET 2020
;; MSG SIZE rcvd: 63
and the debug log now contains:
kresd verbose after the cache flush
2020-02-26 12:18:14 info kresd[17102]: cache.clear()
2020-02-26 12:18:14 info kresd[17102]: [count] => 706
2020-02-26 12:18:14 info kresd[17102]:
2020-02-26 12:18:15 info kresd[17102]: > [00000.00][plan] plan '1.2.2.1.dnsbl.doma.' type 'A' uid [62192.00]
2020-02-26 12:18:15 info kresd[17102]: [62192.00][iter] '1.2.2.1.dnsbl.doma.' type 'A' new uid was assigned .01, parent uid .00
2020-02-26 12:18:15 info kresd[17102]: [ ][nsre] score 21 for 192.168.100.11#00053; cached RTT: -1
2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] => id: '05272' querying: '192.168.100.11#00053' score: 21 zone cut: '.' qname: '1.2.2.1.DNSbL.doma.' qtype: 'A' proto: 'udp'
2020-02-26 12:18:15 info kresd[17102]: [62192.01][cach] => stashed 1.2.2.1.dnsbl.doma. A, rank 021, 20 B total, incl. 0 RRSIGs
2020-02-26 12:18:15 info kresd[17102]: [62192.01][cach] => stashed dnsbl.doma. NS, rank 001, 28 B total, incl. 0 RRSIGs
2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] <= server: '192.168.100.11' rtt: 1 ms
2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] AD: request NOT classified as SECURE
2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] finished: 0, queries: 1, mempool: 65568 B
And this repeats regularly with every kresd restart (or whenever it forgets).
Am I doing something wrong, or is kresd?
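As an added example (not from the original post and not Knot Resolver's own code), the script below reads kresd verbose log lines like the two traces above, groups them per request uid and reports, for each query under a STUB suffix, whether the resolver actually contacted the configured stub address or answered from cached NSEC data. The STUB_RULES table and the function names are assumptions of this example; the sample log lines are copied from the post.

```python
"""Audit kresd verbose log lines: was a query under a policy.STUB suffix
forwarded to the stub server, or answered from the resolver's own cache?

Added example; not part of the original post and not Knot Resolver's code.
Assumptions: the STUB_RULES table, the helper names, and that the log lines
follow the kresd 4.3.0 verbose format shown in the post."""
import re
from collections import OrderedDict

# Suffix -> stub address, mirroring the policy.suffix(policy.STUB(...)) rule.
STUB_RULES = {"dnsbl.doma.": "192.168.100.11"}

PLAN_RE = re.compile(r"\[plan\] plan '(?P<qname>[^']+)' type '(?P<qtype>\w+)' "
                     r"uid \[(?P<uid>\d+)\.\d+\]")
TAGGED_RE = re.compile(r"\[(?P<uid>\d+)\.\d+\]\[(?P<layer>\w+)\] (?P<msg>.*)$")
ZONE_RE = re.compile(r"trying zone: (?P<zone>[^,\s]+), NSEC")
NSEC_RE = re.compile(r"NSEC sname: covered by: (?P<lo>[^,\s]+) -> (?P<hi>[^,\s]+)")
QUERY_RE = re.compile(r"querying: '(?P<ip>[0-9A-Fa-f.:]+)#\d+'")

# Sample input copied from the post: first trace (cache warm), second trace
# (right after cache.clear()).
TRACE_BEFORE_FLUSH = [
    "2020-02-26 12:14:18 info kresd[17102]: > [00000.00][plan] plan '1.2.2.1.dnsbl.doma.' type 'A' uid [50854.00]",
    "2020-02-26 12:14:18 info kresd[17102]: [50854.00][iter] '1.2.2.1.dnsbl.doma.' type 'A' new uid was assigned .01, parent uid .00",
    "2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => trying zone: ., NSEC, hash 0",
    "2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => NSEC sname: covered by: dog. -> domains., new TTL 86394",
    "2020-02-26 12:14:18 info kresd[17102]: [50854.01][cach] => NSEC wildcard: covered by: . -> aaa., new TTL 86394",
    "2020-02-26 12:14:18 info kresd[17102]: [50854.01][resl] AD: request NOT classified as SECURE",
    "2020-02-26 12:14:18 info kresd[17102]: [50854.01][resl] finished: 0, queries: 1, mempool: 114744 B",
]
TRACE_AFTER_FLUSH = [
    "2020-02-26 12:18:14 info kresd[17102]: cache.clear()",
    "2020-02-26 12:18:14 info kresd[17102]: [count] => 706",
    "2020-02-26 12:18:15 info kresd[17102]: > [00000.00][plan] plan '1.2.2.1.dnsbl.doma.' type 'A' uid [62192.00]",
    "2020-02-26 12:18:15 info kresd[17102]: [62192.00][iter] '1.2.2.1.dnsbl.doma.' type 'A' new uid was assigned .01, parent uid .00",
    "2020-02-26 12:18:15 info kresd[17102]: [ ][nsre] score 21 for 192.168.100.11#00053; cached RTT: -1",
    "2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] => id: '05272' querying: '192.168.100.11#00053' score: 21 zone cut: '.' qname: '1.2.2.1.DNSbL.doma.' qtype: 'A' proto: 'udp'",
    "2020-02-26 12:18:15 info kresd[17102]: [62192.01][cach] => stashed 1.2.2.1.dnsbl.doma. A, rank 021, 20 B total, incl. 0 RRSIGs",
    "2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] <= server: '192.168.100.11' rtt: 1 ms",
    "2020-02-26 12:18:15 info kresd[17102]: [62192.01][resl] finished: 0, queries: 1, mempool: 65568 B",
]


def stub_for(qname, rules=STUB_RULES):
    """Return the stub address configured for qname's suffix, or None."""
    name = qname.lower()
    for suffix, addr in rules.items():
        if name == suffix or name.endswith("." + suffix):
            return addr
    return None


def audit(lines, rules=STUB_RULES):
    """Group log lines by request uid and classify how each was answered."""
    reqs = OrderedDict()
    for line in lines:
        m = PLAN_RE.search(line)
        if m:  # a new request starts with the [plan] line
            reqs[m["uid"]] = {"qname": m["qname"], "qtype": m["qtype"],
                              "upstreams": [], "nsec_zone": None, "nsec_cover": None}
            continue
        m = TAGGED_RE.search(line)
        if not m or m["uid"] not in reqs:
            continue  # untagged lines such as "[count] => 706" or "[ ][nsre]"
        r, msg = reqs[m["uid"]], m["msg"]
        z = ZONE_RE.search(msg)
        if z:  # cache lookup used NSEC records of this zone
            r["nsec_zone"] = z["zone"]
        n = NSEC_RE.search(msg)
        if n:  # cached NSEC proved the name does not exist
            r["nsec_cover"] = (n["lo"], n["hi"])
        q = QUERY_RE.search(msg)
        if q:  # the resolver actually sent a query upstream
            r["upstreams"].append(q["ip"])
    for r in reqs.values():
        r["expected_stub"] = stub_for(r["qname"], rules)
        if r["expected_stub"] is None:
            r["verdict"] = "no-stub-rule"
        elif r["expected_stub"] in r["upstreams"]:
            r["verdict"] = "forwarded-to-stub"
        elif r["nsec_cover"] is not None:
            r["verdict"] = "answered-from-cached-nsec"
        else:
            r["verdict"] = "stub-not-contacted"
    return reqs


if __name__ == "__main__":
    for uid, r in audit(TRACE_BEFORE_FLUSH + TRACE_AFTER_FLUSH).items():
        print(f"uid {uid} {r['qname']} {r['qtype']}: {r['verdict']} "
              f"(nsec zone {r['nsec_zone']}, upstreams {r['upstreams']})")
```

Running it over both traces prints one line per request uid; the first request is reported as answered from cached NSEC data of the root zone without any upstream query, the second as forwarded to 192.168.100.11. Feeding it a longer verbose log makes it easy to see which queries under the suffix took each path.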