[RPZ] marking packets modified by DNS-RPZ-policy

Hannes Frederic Sowa hannes at mailcolloid.de
Sat Aug 7 15:10:52 UTC 2010


I would like to propose adding a marker to DNS packets modified due to a
DNS-RPZ policy. If I compare DNS-RPZ to (SMTP) DNSBL or RHSBL, I have some
kind of transparency about who blocked what and, most of the time,
who initiated the blocking (per the SMTP status messages).

If such RPZ zones are deployed on the Internet and I find my
hypothetical domain in such a zone, how do I manage to get
in contact with the RPZ zone admin? Even digging around won't help, as
the zones have to be transferred via AXFR to the resolver (as in the
current draft and implementation).

A marker in the packets also has the advantage of handling this kind
of remapping transparently for the user. A special resolver could
interpret the marks and provide some kind of alarm in the browser-native
UI, as the Google anti-phishing filter in Firefox and Google Chrome does.

What do you think?



More information about the DNSfirewalls mailing list