Commit 33ca2696 authored by Mukund Sivaraman's avatar Mukund Sivaraman

Allow RPZ rewrite logging to be configured on a per-zone basis (#39754)

parent 3e33f419
4155. [func] Allow RPZ rewrite logging to be configured on a
per-zone basis using a newly introduced log clause in
the response-policy option. [RT #39754]
4154. [bug] A OPT record should be included with the FORMERR
response when there is a malformed EDNS option.
[RT #39647]
......
......@@ -943,13 +943,14 @@ static void
rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
dns_rpz_policy_t policy, dns_rpz_type_t type,
dns_zone_t *p_zone, dns_name_t *p_name,
dns_name_t *cname)
dns_name_t *cname, dns_rpz_num_t rpz_num)
{
isc_stats_t *zonestats;
char qname_buf[DNS_NAME_FORMATSIZE];
char p_name_buf[DNS_NAME_FORMATSIZE];
char cname_buf[DNS_NAME_FORMATSIZE] = { 0 };
const char *s1 = cname_buf, *s2 = cname_buf;
dns_rpz_st_t *st;
/*
* Count enabled rewrites in the global counter.
......@@ -969,6 +970,10 @@ rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
return;
st = client->query.rpz_st;
if ((st->popt.no_log & DNS_RPZ_ZBIT(rpz_num)) != 0)
return;
dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
dns_name_format(p_name, p_name_buf, sizeof(p_name_buf));
if (cname != NULL) {
......@@ -1029,7 +1034,15 @@ rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type,
result = query_getzonedb(client, p_name, dns_rdatatype_any,
DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
if (result == ISC_R_SUCCESS) {
if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
dns_rpz_st_t *st = client->query.rpz_st;
/*
* It isn't meaningful to log this message when
* logging is disabled for some policy zones.
*/
if (st->popt.no_log == 0 &&
isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2))
{
dns_name_format(client->query.qname, qnamebuf,
sizeof(qnamebuf));
dns_name_format(p_name, p_namebuf, sizeof(p_namebuf));
......@@ -4731,7 +4744,7 @@ rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr,
* and try the next eligible policy zone.
*/
rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type,
p_zone, p_name, NULL);
p_zone, p_name, NULL, rpz_num);
}
}
......@@ -5068,7 +5081,7 @@ rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name,
* and try the next eligible policy zone.
*/
rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type,
p_zone, p_name, NULL);
p_zone, p_name, NULL, rpz_num);
break;
}
}
......@@ -5474,7 +5487,7 @@ cleanup:
result != DNS_R_DELEGATION)
rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
st->m.type, st->m.zone, st->p_name,
NULL);
NULL, st->m.rpz->num);
rpz_match_clear(st);
}
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
......@@ -5596,7 +5609,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
if (result != ISC_R_SUCCESS)
return (result);
rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
st->m.type, st->m.zone, st->p_name, fname);
st->m.type, st->m.zone, st->p_name, fname,
st->m.rpz->num);
ns_client_qnamereplace(client, fname);
/*
* Turn off DNSSEC because the results of a
......@@ -7046,14 +7060,16 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rpz_log_rewrite(client, ISC_FALSE,
rpz_st->m.policy,
rpz_st->m.type, zone,
rpz_st->p_name, NULL);
rpz_st->p_name, NULL,
rpz_st->m.rpz->num);
goto cleanup;
case DNS_RPZ_POLICY_DROP:
QUERY_ERROR(DNS_R_DROP);
rpz_log_rewrite(client, ISC_FALSE,
rpz_st->m.policy,
rpz_st->m.type, zone,
rpz_st->p_name, NULL);
rpz_st->p_name, NULL,
rpz_st->m.rpz->num);
goto cleanup;
case DNS_RPZ_POLICY_NXDOMAIN:
result = DNS_R_NXDOMAIN;
......@@ -7127,7 +7143,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
is_zone = ISC_TRUE;
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
rpz_st->m.type, zone, rpz_st->p_name,
NULL);
NULL, rpz_st->m.rpz->num);
}
}
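Review bot: In rpz_getdb the new guard `st->popt.no_log == 0` silences the DEBUG_LEVEL2 lookup message for every policy zone as soon as any single zone is configured `log no`, which is broader than the per-zone suppression rpz_log_rewrite applies with `DNS_RPZ_ZBIT(rpz_num)`; the comment above it ("for some policy zones") understates this. Either state it plainly, e.g. `/* Suppressed for all zones, not only the one with "log no": this lookup is not tied to a single policy zone here. */`, or test the specific bit if the zone number is reachable from this function (its parameter list is cut off above the hunk). In rpz_log_rewrite the per-zone early return appears to sit after the global rewrite counter is updated, so `log no` zones are still counted in RPZRewrites; a comment above the check, `/* "log no" suppresses only the message; the rewrite was already counted above. */`, would make that ordering visibly intentional. Both functions extend beyond their hunks.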
......
......@@ -1740,6 +1740,13 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(new->num);
}
obj = cfg_tuple_get(rpz_obj, "log");
if (!cfg_obj_isvoid(obj) && !cfg_obj_asboolean(obj)) {
view->rpzs->p.no_log |= DNS_RPZ_ZBIT(new->num);
} else {
view->rpzs->p.no_log &= ~DNS_RPZ_ZBIT(new->num);
}
obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(obj)) {
new->max_policy_ttl = cfg_obj_asuint32(obj);
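Review bot: The new `log` block reads inverted relative to the option name — the bit recorded is no_log, set only when the clause is present and false — and unlike the `no_rd_ok` line just above it also clears the bit in the else branch, so a reader may be tempted to "normalize" either one. A short comment would pin the intent: `/* Absent or "log yes" means the zone's rewrites are logged; only an explicit "log no" sets its no_log bit. */`. configure_rpz_zone begins and ends outside the hunk.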
......
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 60
@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
NS ns
ns A 127.0.0.1
32.4.0.53.10.rpz-client-ip A 10.53.0.4
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 60
@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
NS ns
ns A 127.0.0.1
32.4.0.53.10.rpz-client-ip A 10.53.0.4
32.3.0.53.10.rpz-client-ip A 10.53.0.3
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 60
@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
NS ns
ns A 127.0.0.1
32.4.0.53.10.rpz-client-ip A 10.53.0.4
32.3.0.53.10.rpz-client-ip A 10.53.0.3
32.2.0.53.10.rpz-client-ip A 10.53.0.2
/*
* Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
# common configuration
include "named.conf.header";
view "recursive" {
zone "." {
type hint;
file "root.hint";
};
# policy configuration to be tested
response-policy {
zone "log1" log no;
zone "log2" log yes;
zone "log3"; # missing log clause
} qname-wait-recurse no;
# policy zones to be tested
zone "log1" { type master; file "db.log1"; };
zone "log2" { type master; file "db.log2"; };
zone "log3" { type master; file "db.log3"; };
};
......@@ -245,4 +245,25 @@ grep "^l2.l1.l0.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*A[[:space:]]*10.53.0
status=1
}
# Check RPZ log clause
t=`expr $t + 1`
echo "I:testing RPZ log clause (${t})"
run_server log
cur=`awk 'BEGIN {l=0} // {l++} END { print l }' ns2/named.run`
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.4 > dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.3 >> dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.2 >> dig.out.${t}
tail -n +"$cur" < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0 via 32.4.0.53.10.rpz-client-ip.log1" > /dev/null && {
echo "I: failed: unexpected rewrite message for policy zone log1 was logged"
status=1
}
tail -n +"$cur" < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0 via 32.3.0.53.10.rpz-client-ip.log2" > /dev/null || {
echo "I: failed: expected rewrite message for policy zone log2 was not logged"
status=1
}
tail -n +"$cur" < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0 via 32.2.0.53.10.rpz-client-ip.log3" > /dev/null || {
echo "I: failed: expected rewrite message for policy zone log3 was not logged"
status=1
}
exit $status
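Review bot: The negative check for log1 passes vacuously if the query from 10.53.0.4 was never rewritten at all, because only the absence of a log line is asserted and dig.out.${t} is never inspected; add a positive assertion on the answer in the same style the file already uses, e.g. `grep "^l2.l1.l0.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*A[[:space:]]*10.53.0.4" dig.out.${t} > /dev/null || { echo "I: failed: rewrite via policy zone log1 did not occur"; status=1; }`. Separately, `tail -n +"$cur"` starts at line $cur, i.e. it includes the last line that already existed before the three queries were sent; `tail -n +"$((cur + 1))"` (or counting with `wc -l` and adding one) restricts the window to output produced by this test.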
......@@ -5018,6 +5018,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> policy <replaceable>(given | disabled | passthru | drop |
tcp-only | nxdomain | nodata | cname domain</replaceable>) </optional>
<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional>
<optional> log <replaceable>yes_or_no</replaceable> </optional>
<optional> max-policy-ttl <replaceable>number</replaceable> </optional>
; <optional>...</optional>
} <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional>
......@@ -10296,6 +10297,12 @@ example.com CNAME rpz-tcp-only.
Responses rewritten by RPZ are counted in the
<command>RPZRewrites</command> statistics.
</para>
<para>
The <command>log<command> clause can be used to optionally
turn off rewrite logging for a particular response policy
zone. By default, all rewrites are logged.
</para>
</sect3>
 
<sect3>
......
......@@ -517,6 +517,13 @@
on Linux is now supported.
</para>
</listitem>
<listitem>
<para>
Within the <option>response-policy</option> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
using the <option>log</option> clause.
</para>
</listitem>
</itemizedlist>
</sect2>
<sect2 id="relnotes_bugs">
......
......@@ -257,6 +257,7 @@ options {
response-policy { zone <quoted_string> [ policy ( given | disabled
| passthru | no-op | drop | tcp-only | nxdomain | nodata |
cname <quoted_string> ) ] [ recursive-only <boolean> ] [
log <boolean> ] [
max-policy-ttl <integer> ]; ... } [ recursive-only <boolean> ]
[ break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
min-ns-dots <integer> ] [ qname-wait-recurse <boolean> ];
......
......@@ -173,6 +173,7 @@ struct dns_rpz_have {
typedef struct dns_rpz_popt dns_rpz_popt_t;
struct dns_rpz_popt {
dns_rpz_zbits_t no_rd_ok;
dns_rpz_zbits_t no_log;
isc_boolean_t break_dnssec;
isc_boolean_t qname_wait_recurse;
unsigned int min_ns_labels;
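Review bot: The new `no_log` member carries no comment and, like `no_rd_ok` beside it, its meaning depends on the one-bit-per-policy-zone convention of dns_rpz_zbits_t, which a reader of this header cannot infer from the name alone. Suggested: `dns_rpz_zbits_t no_log;	/* zones configured "log no": rewrite logging suppressed */`. struct dns_rpz_popt continues past the hunk.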
......
......@@ -1113,7 +1113,8 @@ static cfg_type_t cfg_type_masterstyle = {
* response-policy {
* zone <string> [ policy (given|disabled|passthru|drop|tcp-only|
* nxdomain|nodata|cname <domain> ) ]
* [ recursive-only yes|no ] [ max-policy-ttl number ] ;
* [ recursive-only yes|no ] [ log yes|no ]
* [ max-policy-ttl number ] ;
* } [ recursive-only yes|no ] [ max-policy-ttl number ]
* [ break-dnssec yes|no ] [ min-ns-dots number ]
* [ qname-wait-recurse yes|no ] ;
......@@ -1303,6 +1304,7 @@ static cfg_tuplefielddef_t rpz_zone_fields[] = {
{ "zone name", &cfg_type_rpz_zone, 0 },
{ "policy", &cfg_type_rpz_policy, 0 },
{ "recursive-only", &cfg_type_boolean, 0 },
{ "log", &cfg_type_boolean, 0 },
{ "max-policy-ttl", &cfg_type_uint32, 0 },
{ NULL, NULL, 0 }
};
......