search

PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0
3.71k stars 911 forks source link

newly RPZoned domains should invalidate previously cached entries #14854

Open g0tar opened 2 days ago

g0tar commented 2 days ago

Short description

Domains that are going to start some abusive campaign can preemptively increase their TTL. While it is expected that end-user systems will honor this value to some degree (at least until reset/reboot of some kind), DNS server operator should expunge them as soon as they are not trusted anymore (i.e. appear in RPZ blocklist).

Usecase

After reloading rpzFile() (didn't test rpzPrimary() as it's harder to predict what domain to query ahead, needs setting up some testbed) with newly policied domains, Recursor still responds with cached values if it happens that such domain was queried beforehand.

This means that a single DNS client that asks for a domain before it gets blacklisted causes all future clients to get that response until TTL expires, effectively circumventing policing and e.g. allowing to keep spreading some malware.

Wiping entire cache unconditionally (rec_control wipe-cache $) seems to be overkill, as the rpzFile() can be loaded every 5 minutes, the same goes for artificially reducing max-cache-ttl from default 24h to something like 15 minutes.

I would expect RPZ entries to be iterated and automatically removed from the cache. Ideally the dnsdist standing before should be somehow notified as well...

omoerbeek commented 2 days ago

I think that reducing packet cache ttl (https://docs.powerdns.com/recursor/yamlsettings.html#packetcache-ttl) should be enough. On packet cache miss, a lookup is done in the record cache, and these lookup are subjected to RPZ.

Pruning the record cache is not right, as queries can be modified to ignore (specific) RPZs by Lua hooks. But pruning the packet cache on RPZ update might be a nice thing to have.

g0tar commented 2 days ago

I'll try reducing the packetcache-ttl to 15 minutes, I'm not going for performance anyway.

From your answer I understand that wipe-cache clears the record cache - I see two simple improvements here:

  1. more verbose documentation: "Wipe entries for DOMAIN (exact name match) from the record cache",
  2. adding some flag to clear packet cache only (wipe-cache -p?) - this might be useful for non-RPZ scenarios as well.

Thanks for quick response!

omoerbeek commented 2 days ago
  1. Not correct,rec_control wipe-cache clears the record cache, packet cache, negative cache and aggressive NSEC cache.
  2. We'll ponder that, as just clearing the packet cache can be useful in some cases.