Add RPZ policy details with powerdns protobuf (#590)
* Update docs
* Support all policy details
dmachard authored Feb 2, 2024
1 parent d6286c8 commit 6714a6d
Showing 3 changed files with 65 additions and 33 deletions.
28 changes: 28 additions & 0 deletions dnsutils/message.go
@@ -148,6 +148,10 @@ type PowerDNS struct {
Tags []string `json:"tags" msgpack:"tags"`
OriginalRequestSubnet string `json:"original-request-subnet" msgpack:"original-request-subnet"`
AppliedPolicy string `json:"applied-policy" msgpack:"applied-policy"`
AppliedPolicyHit string `json:"applied-policy-hit" msgpack:"applied-policy-hit"`
AppliedPolicyKind string `json:"applied-policy-kind" msgpack:"applied-policy-kind"`
AppliedPolicyTrigger string `json:"applied-policy-trigger" msgpack:"applied-policy-trigger"`
AppliedPolicyType string `json:"applied-policy-type" msgpack:"applied-policy-type"`
Metadata map[string]string `json:"metadata" msgpack:"metadata"`
}
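Review bot: the four new fields `AppliedPolicyHit`, `AppliedPolicyKind`, `AppliedPolicyTrigger` and `AppliedPolicyType` carry no comment; a one-line note above `AppliedPolicyHit` saying that they mirror the PowerDNS protobuf response attributes read in processors/powerdns.go (`GetAppliedPolicyHit()` and friends) and are only meaningful when `AppliedPolicy` is non-empty would save the next reader a trip through the processor. The hyphenated `json`/`msgpack` tags follow the existing convention, fine.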

@@ -345,6 +349,30 @@ func (dm *DNSMessage) handlePdnsDirectives(directives []string, s *strings.Build
} else {
s.WriteString("-")
}
case directive == "powerdns-applied-hit":
if len(dm.PowerDNS.AppliedPolicyHit) > 0 {
s.WriteString(dm.PowerDNS.AppliedPolicyHit)
} else {
s.WriteString("-")
}
case directive == "powerdns-applied-kind":
if len(dm.PowerDNS.AppliedPolicyKind) > 0 {
s.WriteString(dm.PowerDNS.AppliedPolicyKind)
} else {
s.WriteString("-")
}
case directive == "powerdns-applied-trigger":
if len(dm.PowerDNS.AppliedPolicyTrigger) > 0 {
s.WriteString(dm.PowerDNS.AppliedPolicyTrigger)
} else {
s.WriteString("-")
}
case directive == "powerdns-applied-type":
if len(dm.PowerDNS.AppliedPolicyType) > 0 {
s.WriteString(dm.PowerDNS.AppliedPolicyType)
} else {
s.WriteString("-")
}
case directive == "powerdns-original-request-subnet":
if len(dm.PowerDNS.OriginalRequestSubnet) > 0 {
s.WriteString(dm.PowerDNS.OriginalRequestSubnet)
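Review bot: the directive names matched here (`powerdns-applied-hit`, `powerdns-applied-kind`, `powerdns-applied-trigger`, `powerdns-applied-type`) do not match the names documented in docs/collectors/collector_powerdns.md in this same commit (`powerdns-applied-policy-hit`, `powerdns-applied-policy-kind`, `powerdns-applied-policy-trigger`, `powerdns-applied-policy-type`), so a user who copies a directive from the docs into a text format gets no output for it. Pick one form in both places; the documented `powerdns-applied-policy-*` form also mirrors the JSON keys `applied-policy-hit` etc. Minor: the four identical `if len(...) > 0 { s.WriteString(...) } else { s.WriteString("-") }` blocks could share a small helper that writes the value or `-`.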
66 changes: 33 additions & 33 deletions docs/collectors/collector_powerdns.md
@@ -1,37 +1,29 @@
# Collector: Protobuf PowerDNS

Collector to logging protobuf streams from PowerDNS servers.

Options:

- `listen-ip`: (string) listen on ip
- `listen-port`: (integer) listening on port
- `tls-support:`: (boolean) to enable, set to true
- `tls-min-version`: (string) min tls version
- `cert-file`: (string) certificate server file
- `key-file`: (string) private key server file
- `sock-rcvbuf`: (integer) sets the socket receive buffer in bytes SO_RCVBUF, set to zero to use the default system value
- `reset-conn`: (bool) Reset TCP connection on exit
- `chan-buffer-size`: (integer) channel buffer size used on incoming packet, number of packet before to drop it.
- `add-dns-payload`: (boolean) generate and add fake DNS payload

Default values:

```yaml
powerdns:
listen-ip: 0.0.0.0
listen-port: 6001
tls-support: false
tls-min-version: 1.2
cert-file: ""
key-file: ""
add-dns-payload: false
sock-rcvbuf: 0
reset-conn: true
chan-buffer-size: 65535
```
The DNS-collector has a full [Protobuf Logging](https://dnsdist.org/reference/protobuf.html) support for PowerDNS's products.
Collector to logging protobuf streams from PowerDNS servers. The DNS-collector has a full [Protobuf Logging](https://dnsdist.org/reference/protobuf.html) support for PowerDNS's products.

Settings:

- `listen-ip` (str) local address to bind to. Defaults to `0.0.0.0`.
> Set the local address that the server will bind to. If not provided, the server will bind to all available network interfaces (0.0.0.0).
- `listen-port` (int) local port to bind to. Defaults to `6001`.
> Set the local port that the server will listen on. If not provided, the default port is 6001.
- `tls-support` (bool) set to true to enable TLS. Defaults to `false`.
> Enables or disables TLS (Transport Layer Security) support. If set to true, TLS will be used for secure communication.
- `tls-min-version` (str) Minimun TLS version to use. Default to `1.2`.
> Specifies the minimum TLS version that the server will support.
- `cert-file` (str) path to a certificate server file to use. Default to `(empty)`.
> Specifies the path to the certificate file to be used for TLS. This is a required parameter if TLS support is enabled.
- `key-file`(str) path to a key server file to use. Default to `(empty)`.
> Specifies the path to the key file corresponding to the certificate file. This is a required parameter if TLS support is enabled.
- `sock-rcvbuf` (int) sets the socket receive buffer in bytes SO_RCVBUF. Default to `0`.
> Set to zero to use the default system value.
- `reset-conn` (bool) reset TCP connection on exit. Default to `true`.
> Set whether to send a TCP Reset to force the cleanup of the connection on the remote side when the server exits.
- `chan-buffer-size` (int) incoming channel size, number of packet before to drop it. Default to `65535`.
> Specifies the maximum number of packets that can be buffered before dropping additional packets.
- `add-dns-payload` (bool) generate and add fake DNS payload. Default to `false`.
> PowerDNS protobuf message does not contain a DNS payload; use this setting to add a fake DNS payload.
## Custom text format
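Review bot: typo in the `tls-min-version` entry, "Minimun" should be "Minimum", and the entries alternate between "Defaults to" and "Default to"; use one form. The opening sentence "Collector to logging protobuf streams from PowerDNS servers" reads better as "Collector that logs protobuf streams from PowerDNS servers". Since `listen-ip` defaults to `0.0.0.0` and `tls-support` to `false`, the defaults accept cleartext protobuf from any source; a sentence recommending that operators enable TLS (with `cert-file` and `key-file`) or bind `listen-ip` to an address reachable only by the PowerDNS servers would be worth adding next to those two settings.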

@@ -40,6 +32,10 @@ If you logs your DNS traffic in basic text format, you can use the specific dire
- `powerdns-tags[:INDEX]`: get all tags separated by comma, or the tag according to the provided INDEX
- `powerdns-original-request-subnet`: get original request subnet like edns subclient
- `powerdns-applied-policy`: get applied policy
- `powerdns-applied-policy-hit`: get applied policy hit
- `powerdns-applied-policy-kind`: get applied policy kind
- `powerdns-applied-policy-trigger`: get applied policy trigger
- `powerdns-applied-policy-type`: get applied policy type
- `powerdns-metadata[:KEY]`: get all metadata separated by comma or specific one if a valid [KEY](https://dnsdist.org/rules-actions.html#RemoteLogAction) is provided

Configuration example:
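Review bot: the four directives documented here as `powerdns-applied-policy-hit`, `-kind`, `-trigger` and `-type` are not the strings that `handlePdnsDirectives` in dnsutils/message.go of this commit matches on (`powerdns-applied-hit`, `powerdns-applied-kind`, `powerdns-applied-trigger`, `powerdns-applied-type`); as written, the documented directives produce nothing. Align the two, and expand the descriptions beyond "get applied policy hit": say what each value is, for example that `-type` is the RPZ rule type (`QNAME` in the JSON example below) and `-kind` the action taken (`Custom` in the example).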
@@ -59,7 +55,11 @@ If you logs your DNS traffic in JSON output, the following part will be added in
"powerdns": {
"tags": [],
"original-request-subnet": "",
"applied-policy": "",
"applied-policy": "rpzbasic",
"applied-policy-hit": "local-a.org",
"applied-policy-kind": "Custom",
"applied-policy-trigger": "local-a.org.",
"applied-policy-type": "QNAME",
"metadata": {
"agent":"Go-http-client/1.1",
"selected_pool":"pool_internet"
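Review bot: the example now shows `"applied-policy-kind": "Custom"` and `"applied-policy-type": "QNAME"`, but the page does not list the possible values of these two enum-derived fields, which is exactly what downstream detection rules will filter on. Add the value set (or a link to the PowerDNS protobuf definition) and state what the two fields hold when no policy was applied, so a consumer can distinguish "no RPZ match" from a real match reliably.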
4 changes: 4 additions & 0 deletions processors/powerdns.go
@@ -229,6 +229,10 @@ RUN_LOOP:

// get PowerDNS policy applied
pdns.AppliedPolicy = pbdm.GetResponse().GetAppliedPolicy()
pdns.AppliedPolicyHit = pbdm.GetResponse().GetAppliedPolicyHit()
pdns.AppliedPolicyKind = pbdm.GetResponse().GetAppliedPolicyKind().String()
pdns.AppliedPolicyTrigger = pbdm.GetResponse().GetAppliedPolicyTrigger()
pdns.AppliedPolicyType = pbdm.GetResponse().GetAppliedPolicyType().String()

// get PowerDNS metadata
metas := make(map[string]string)
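Review bot: `GetAppliedPolicyKind().String()` and `GetAppliedPolicyType().String()` always yield a non-empty string, because a protobuf enum getter returns the enum's default value when the field is absent and `String()` renders that value's name (or its number). On responses with no policy applied, `AppliedPolicyKind` and `AppliedPolicyType` therefore carry the default name rather than `""`, the `len(...) > 0` fallback to `-` in `handlePdnsDirectives` never fires for them, and JSON consumers cannot tell "no policy" from the default kind. Guard the four assignments on `pbdm.GetResponse().GetAppliedPolicy() != ""` (or on a presence check if the generated code exposes one) and leave the strings empty otherwise.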
