[RPZ] marking packets modified by DNS-RPZ-policy

Hannes Frederic Sowa hannes at mailcolloid.de
Sat Aug 7 16:36:04 UTC 2010


On Sat, Aug 7, 2010 at 5:57 PM, Paul Vixie <vixie at isc.org> wrote:
> i can't think of a way to do this marking that won't look like a kashpureff
> attack to any downstream recursives that use the rpz server as a forwarder.
>
> so, putting an RR into the additional section, like
>
> "HIT._RPZ. 0 IN RP 0 RPZ.VIX.COM."
>
> seems like an obvious and wonderful thing until you look at the syslog files
> on the people downstream of you.

The problem could be mitigated somewhat if there were an out-of-band
interface for querying such information, e.g. a CHAOS-class TXT record like the one for bind-version.

To enhance your example:
"foo.bar.com.HIT._RPZ.0 CHAOS RP 0 RPZ.VIX.COM"

Perhaps combined with a bit flipped in the (E)DNS header flags field
in the normal response.

It doesn't look like an elegant solution, but I definitely see the
need for such an interface.
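The exchange sketched in the post above, worked through on the wire as an added example; this is not ISC/BIND code and not something the thread implemented. It assumes the out-of-band query is a CHAOS-class (3) RP (17) lookup for the rewritten name with the HIT._RPZ. suffix appended, that the answer's RP txt-dname names the policy zone (the "0" mbox field in the quoted record is rendered here as the root name "."), that a name the policy did not rewrite simply gets NXDOMAIN in that class, and that the "bit flipped in the EDNS flags" idea is a hypothetical, unassigned bit in the OPT record's TTL flags field (RPZ_HIT_FLAG below is made up for illustration). Names, IDs and the sample query are constructed.

```python
"""Out-of-band "RPZ hit" lookup in the CHAOS class, stdlib only.

Illustrative code for the mailing-list proposal, not BIND's. The record
layout follows RFC 1035 (names, RP rdata = mbox-dname + txt-dname) and
RFC 2671 (OPT); the HIT._RPZ. suffix and RPZ_HIT_FLAG are assumptions.
"""
import struct

CLASS_CH = 3          # CHAOS, same class BIND uses for version.bind
TYPE_RP = 17          # Responsible Person: two domain names as rdata
TYPE_OPT = 41
RPZ_HIT_FLAG = 0x4000  # hypothetical EDNS flag bit, NOT IANA-assigned


def encode_name(name):
    """Wire-encode a dotted name; "." encodes as the single root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off]; follows compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:              # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qname, qid):
    """Client side: RD set, one question <qname> RP CH."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_RP, CLASS_CH)


def build_response(query, mbox, txt):
    """Server side: echo the question; answer with an RP record, or NXDOMAIN if txt is None."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    if txt is None:
        # no policy rewrite for this name: QR|RD|RA, rcode 3, empty answer
        return struct.pack("!6H", qid, 0x8183, 1, 0, 0, 0) + question
    rdata = encode_name(mbox) + encode_name(txt)
    answer = (encode_name(qname)
              + struct.pack("!HHIH", TYPE_RP, CLASS_CH, 0, len(rdata)) + rdata)
    return struct.pack("!6H", qid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_response(msg):
    """Client side: return the hit information, or hit=False for NXDOMAIN / wrong class."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    result = {"id": qid, "qname": qname, "rcode": flags & 0xF, "hit": False}
    if an != 1 or qclass != CLASS_CH or qtype != TYPE_RP:
        return result
    _name, off = decode_name(msg, off)
    rtype, rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != TYPE_RP or rclass != CLASS_CH:
        return result
    mbox, off = decode_name(msg, off)
    txt, _ = decode_name(msg, off)
    result.update({"hit": True, "ttl": ttl, "mbox": mbox, "txt": txt})
    return result


def opt_rr(flags, udp_size=4096):
    """OPT pseudo-RR (root name, type 41, class = UDP size, flags in low 16 TTL bits)."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, flags & 0xFFFF, 0)


def opt_flags(rr):
    """Return the 16-bit EDNS flags from an OPT RR, or None if it is not one."""
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", rr[1:11])
    return ttl & 0xFFFF if rtype == TYPE_OPT else None


if __name__ == "__main__":
    # constructed sample: the client asks whether foo.bar.com was rewritten
    q = build_query("foo.bar.com.HIT._RPZ.", 0x1234)
    print(parse_response(build_response(q, ".", "RPZ.VIX.COM.")))
    print(parse_response(build_response(q, None, None)))
    print(hex(opt_flags(opt_rr(RPZ_HIT_FLAG))))
```

Because the lookup lives in the CHAOS class under a dedicated suffix, nothing in it is an IN-class RR that a downstream forwarder would cache, which is the point of keeping it out of the additional section of the real answer; the EDNS bit, by contrast, does ride in the normal response and would need a registered flag to be safe.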


