DNS based adblock on VyOS - how to add custom PDNS scripts?

General questions
5

Seems to work! I now have the following setup:

Two files for PowerDNS, a blocklist (to be expended) and a parsing script:

vyos@vyos:~$ ls -l /run/powerdns/adblock-*
-rwxr-xr-x 1 pdns pdns  223 Feb 26 22:01 /run/powerdns/adblock-blocklist.lua
-rwxr-xr-x 1 pdns pdns 1080 Feb 27 15:21 /run/powerdns/adblock-script.lua

vyos@vyos:~$ cat /run/powerdns/adblock-script.lua

adservers=newDS()
-- permitted=newDS()

function preresolve(dq)
  -- if permitted:check(dq.qname) or (not adservers:check(dq.qname))  then
  if (not adservers:check(dq.qname)) then
    return false
  end

  -- Return NXDOMAIN (non-existent domain), which 
  dq.rcode = pdns.NXDOMAIN -- set NXDOMAIN answer
  return true  
end

-- Blocklist should contain something like:
-- return{"101com.com", "101order.com"}
adservers:add(dofile("/run/powerdns/adblock-blocklist.lua"))
-- permitted:add(dofile("/srv/config/permitted.lua"))

vyos@vyos:~$ cat /run/powerdns/adblock-blocklist.lua

return{"101com.com", "101order.com"}

And the final magic happens as post-commit hook script in /config/scripts/commit/post-hooks.d/adblock.

Two notes:

  1. there is no .sh as . is not allowed in the filename (see also here and here).
  2. post-commit is also post-restart, so I restart the dns forwarding service again in this script. I tried pre-commit hook as well, but that’s too early.
vyos@vyos:~$ ls -l /config/scripts/commit/post-hooks.d/
total 4
-rwxr-xr-x 1 root vyattacfg 411 Feb 27 20:20 adblock

#!/bin/vbash
# N.B. the script name is quite restrictive! See https://vyos.dev/T4917
source /opt/vyatta/etc/functions/script-template
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

echo "lua-dns-script=/run/powerdns/adblock-script.lua" | sudo tee -a /run/powerdns/recursor.conf

# Need to restart PowerDNS in order to process conf change.
run restart dns forwarding
1 Like