Query Cache

Hello all,

I have built a DNS filtering service using the pythonmod for unbound. Everything is working as it should apart from the cache. I want to disable the cache completely as I am filtering the results based on the incoming IP address. As an example anyone from 192.168.30.20 can access social media sites, but anyone from 192.168.30.30 is returned the IP address of the server instead which shows a “blocked” message.

The code is working perfectly, but the cache is causing issues as if someone requests from 192.168.30.20 then the query is put into the cache which then gets delivered to 192.168.30.30. I have returned the cache size to 0 which helped a bit, but it still keeps some items in the cache for a short period (about a minute). Here is what I have put in my config file:

module-config: "python iterator"
msg-cache-size: 0
rrset-cache-size: 0
key-cache-size: 0

Even with these settings, queries are still going into the cache as shown below:

root@dns1:/etc/unbound# unbound-control dump_cache | grep amoory
amoory.com. 592 IN A 89.184.84.7

I have also played with the cache-max-ttl option, but that seems to return the lower TTL to the client too. Is there a way of simply disabling the cache?

The dream would be to have a cache per client of incoming IP address, but I wouldn’t want to have to code it from scratch in pythonmod.

In my ‘operate’ method in pythonmod I have even put the following, but this still doesn’t prevent items going into the cache:

if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
    # Turn off the cache management:
    # instruct other modules to not look up an answer in the cache.
    qstate.no_cache_lookup = 1
    # Instruct other modules to not store the answer in the cache.
    qstate.no_cache_store = 1

I can show the full code if needed. Any help would be appreciated!
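As an added example (not the poster's code, and not from the Unbound project), here is how a pythonmod script can keep per-client answers out of the shared cache on every query and answer blocked clients itself, so that a hit from 192.168.30.20 can never be served to 192.168.30.30. The policy table is constructed sample data; reading the client address from qstate.mesh_info.reply_list and the DNSMessage / ext_state calls follow the pythonmod API as documented and are assumptions here, not anything stated in the thread.

```python
import ipaddress

# Constructed sample policy: clients in BLOCKED_CLIENTS get BLOCK_PAGE_IP
# (an RFC 5737 documentation address) for any name under BLOCKED_NAMES.
BLOCK_PAGE_IP = "192.0.2.10"
BLOCKED_CLIENTS = [ipaddress.ip_network("192.168.30.30/32")]
BLOCKED_NAMES = ("facebook.com.", "twitter.com.")

def should_block(client_ip, qname):
    """True when this client must get the block page for qname or a name under it."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # no usable client address (e.g. internal sub-query): resolve normally
    name = qname.lower().rstrip(".") + "."
    name_hit = any(name == n or name.endswith("." + n) for n in BLOCKED_NAMES)
    return name_hit and any(addr in net for net in BLOCKED_CLIENTS)

def client_address(qstate):
    """Address of the client waiting on this query, or None for internal sub-queries.
    Assumption: comm_reply exposes .addr as described in the pythonmod docs."""
    rl = qstate.mesh_info.reply_list
    return rl.query_reply.addr if rl and rl.query_reply else None

def init(id, cfg): return True
def deinit(id): return True
def inform_super(id, qstate, superqstate, qdata): return True

def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        # Answers depend on the client: bypass the shared cache both ways (no_cache_store needs Unbound 1.6.0+)
        qstate.no_cache_lookup = 1
        qstate.no_cache_store = 1
        client = client_address(qstate)
        if client and should_block(client, qstate.qinfo.qname_str):
            # Synthesize the block-page answer locally with TTL 0 so clients do not hold it
            msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN,
                             PKT_QR | PKT_RA | PKT_AA)
            if qstate.qinfo.qtype in (RR_TYPE_A, RR_TYPE_ANY):
                msg.answer.append("%s 0 IN A %s" % (qstate.qinfo.qname_str, BLOCK_PAGE_IP))
            ok = msg.set_return_msg(qstate)
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED if ok else MODULE_ERROR
            return True
        qstate.ext_state[id] = MODULE_WAIT_MODULE  # hand the query to the iterator
        return True
    # Iterator finished: pass its answer through; any other event is an error
    qstate.ext_state[id] = MODULE_FINISHED if event == MODULE_EVENT_MODDONE else MODULE_ERROR
    return True
```

Because the module runs before the iterator with module-config "python iterator", the two no_cache flags are set before any cache lookup happens, which is what a cache size of 0 alone does not guarantee.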

Sounds like you want to be using Views, with a `view:` block which has
`view-first: yes` set, local-data: in the view providing the IP address
of the server, and a set of `access-control-view:` directives putting
individual IPs into that view.

I'm not seeing anything under
http://unbound.net/documentation/pythonmod/index.html which shows the
access-control or view directives being exposed to Python.

Assuming that the list of IPs is fairly dynamic, have you considered
using an include directive such as:

  include: "/etc/unbound/python-managed.d/*.conf"

and then having your Python be a standalone service to
modify/create/delete one or more files in that directory based upon your
site integrations, and use unbound-control to
dump_cache/reload/load_cache ?

I don't see unbound-control options to directly change
access-control-view: options without doing a full reload. :\

-Phil

Hi Phil,

Thanks for the update. That’s an interesting idea, I’ve had a good read around and I’m not sure if the view will work in our scenario (maybe I haven’t understood them properly!).

We will have a large number of Clients, Locations and IP addresses and we also have multiple Unbound servers in different datacenters. The servers share data using a MariaDB Galera Cluster. Client access is currently controlled using the firewalls on the servers; if a client adds a new location and IP address (using the web control panel) it’s pushed into a firewall zone using the firewalld python module. The python module is filtering the requests based on the location and rule set that the client has set in the admin area, so they can filter categories of sites from over 4 million sites in the DB.

I think the issue may be with my version of Unbound as I’ve just read that “qstate.no_cache_store = 1” was only added in version 1.6.0. I will build the new version and see if that helps!

Thanks for the heads up regarding views, I will have a play with them to see if they make a bit more sense when implemented!