[RPZ] marking packets modified by DNS-RPZ-policy
Hannes Frederic Sowa
hannes at mailcolloid.de
Sat Aug 7 16:36:04 UTC 2010
On Sat, Aug 7, 2010 at 5:57 PM, Paul Vixie <vixie at isc.org> wrote:
> i can't think of a way to do this marking that won't look like a kashpureff
> attack to any downstream recursives that use the rpz server as a forwarder.
> so, putting an RR into the additional section, like
> "HIT._RPZ. 0 IN RP 0 RPZ.VIX.COM."
> seems like an obvious and wonderful thing until you look at the syslog files
> on the people downstream of you.
The problem could be mitigated somewhat if there were an out-of-band
interface for querying such information, e.g. a CHAOS TXT record like the one for the BIND version.
To enhance your example:
"foo.bar.com.HIT._RPZ.0 CHAOS RP 0 RPZ.VIX.COM"
Perhaps combined with a bit flipped in the (e)-dns header flags field
in the normal response.
It doesn't look like an elegant solution, but I definitely see the
need for such an interface.
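Added example (not code from the thread or from ISC): a model of the sanity check a downstream forwarder applies to the additional section, showing why an in-band "HIT._RPZ." RP record is dropped and logged as a poisoning candidate, and why a marker fetched with a separate CHAOS-class query never meets that check. The record layout and the "ns1.bar.com." glue record are constructed for the demonstration.

```python
from typing import List, Tuple

# Constructed record layout: (name, ttl, class, type, rdata as text)
RR = Tuple[str, int, str, str, str]


def _labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (case-insensitive)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def scrub_additional(qname: str, qclass: str, additional: List[RR]):
    """Downstream-forwarder view: keep an additional RR only if it has the
    query's class and sits under the query name's zone (approximated here as
    the query name's parent). Anything else is a Kashpureff-style poisoning
    candidate: not cached, but reported so it can be logged."""
    parent = ".".join(_labels(qname)[1:]) + "."
    kept, rejected = [], []
    for rr in additional:
        name, _ttl, rdclass, _rdtype, _rdata = rr
        if rdclass != qclass:
            rejected.append((rr, "class mismatch"))
        elif not in_bailiwick(name, parent):
            rejected.append((rr, "out of bailiwick for " + parent))
        else:
            kept.append(rr)
    return kept, rejected


def marker_query(qname: str) -> Tuple[str, str]:
    """Out-of-band variant from the thread: the marker is a separate CHAOS-class
    lookup, so it is never an additional RR in an IN-class answer and is never
    subject to scrub_additional() at all."""
    return (_labels(qname) and ".".join(_labels(qname)) or "") + ".HIT._RPZ.", "CH"


if __name__ == "__main__":
    # Constructed RPZ response for foo.bar.com carrying the in-band marker.
    additional = [("HIT._RPZ.", 0, "IN", "RP", "0 RPZ.VIX.COM."),
                  ("ns1.bar.com.", 300, "IN", "A", "192.0.2.1")]  # constructed glue
    kept, rejected = scrub_additional("foo.bar.com.", "IN", additional)
    print("cached:", kept)
    print("logged:", rejected)
    print("out-of-band lookup instead:", marker_query("foo.bar.com."))
```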