[RPZ] marking packets modified by DNS-RPZ-policy

Robert Edmonds edmonds at isc.org
Sat Aug 7 17:57:52 UTC 2010

Paul Vixie wrote:
> i can't think of a way to do this marking that won't look like a kashpureff
> attack to any downstream recursives that use the rpz server as a forwarder.
> so, putting an RR into the additional section, like
> seems like an obvious and wonderful thing until you look at the syslog files
> on the people downstream of you.

on which forwarders and at which logging levels would you see error
messages generated by such additional records?  and why is it a bad
thing to generate log messages downstream when a response is rewritten
due to RPZ policy?

Robert Edmonds
edmonds at isc.org
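As an added illustration of the point under discussion (not code from this thread, from BIND, or from the RPZ specification), the following minimal bailiwick check of the kind a downstream recursive resolver applies to the additional section shows why a marker RR unrelated to the answering zone would be dropped and logged like a cache-poisoning attempt. The marker name `rpz-marker.invalid`, the `example.com` zone and the sample additional records are constructed.

```python
# Added example, not code from the thread: a minimal bailiwick check like the
# one a downstream recursive applies to additional-section RRs. An RR whose
# owner lies outside the zone that answered the query is discarded and logged,
# which is exactly what an out-of-zone RPZ marker RR would trigger.
# The marker name "rpz-marker.invalid" and SAMPLE_ADDITIONAL are constructed.

def in_bailiwick(owner, zone):
    """True when owner equals zone or lies beneath it (case-insensitive)."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)

def vet_additional(bailiwick, additional):
    """Split additional-section RRs into kept and rejected, producing one log
    line per rejection in the spirit of a resolver's out-of-bailiwick warning.
    Each RR is a tuple (owner, rrtype, rdata)."""
    kept, rejected, log = [], [], []
    for owner, rrtype, rdata in additional:
        if in_bailiwick(owner, bailiwick):
            kept.append((owner, rrtype, rdata))
        else:
            rejected.append((owner, rrtype, rdata))
            log.append(f"ignoring out-of-bailiwick {rrtype} RR for {owner} "
                       f"(bailiwick {bailiwick})")
    return kept, rejected, log

# Constructed response: a query answered from the example.com zone, carrying
# in-zone glue plus a marker RR appended to signal an RPZ rewrite.
SAMPLE_ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("rpz-marker.invalid.", "TXT", "\"rewritten by RPZ policy\""),
]

if __name__ == "__main__":
    kept, rejected, log = vet_additional("example.com.", SAMPLE_ADDITIONAL)
    for line in log:
        print(line)
```

The glue record survives while the marker is rejected with a log line, which is the downstream syslog noise the quoted message anticipates.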

