[RPZ] marking packets modified by DNS-RPZ-policy
Robert Edmonds
edmonds at isc.org
Sat Aug 7 17:57:52 UTC 2010
Paul Vixie wrote:
> i can't think of a way to do this marking that won't look like a kashpureff
> attack to any downstream recursives that use the rpz server as a forwarder.
>
> so, putting an RR into the additional section, like
>
> "HIT._RPZ. 0 IN RP 0 RPZ.VIX.COM."
>
> seems like an obvious and wonderful thing until you look at the syslog files
> on the people downstream of you.
on which forwarders and at which logging levels would you see error
messages generated by such additional records? and why is it a bad
thing to generate log messages downstream when a response is rewritten
due to RPZ policy?
--
Robert Edmonds
edmonds at isc.org
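As an added illustration that is not part of the thread, the following sketches the bailiwick rule a cautious downstream resolver applies to additional-section data, which is why an out-of-zone marker such as HIT._RPZ. would be dropped and logged rather than cached. The zone name, the glue record and the 192.0.2.53 address are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record, presentation-format fields only."""
    name: str
    ttl: int
    rtype: str
    rdata: str


def canonical(name: str) -> str:
    """Lower-case the name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    n, z = canonical(name), canonical(zone)
    return n == z or n.endswith("." + z)


def screen_additional(additional, zone):
    """Split additional-section RRs into those a resolver would cache and
    a syslog-style line for each one it drops as out-of-bailiwick."""
    kept, logged = [], []
    for rr in additional:
        if in_bailiwick(rr.name, zone):
            kept.append(rr)
        else:
            logged.append(f"ignoring out-of-bailiwick additional record "
                          f"{rr.name} {rr.rtype} in response for zone {zone}")
    return kept, logged


# Constructed additional section: one legitimate glue record for the queried
# zone plus the marker RR proposed in the thread.
RPZ_MARKER = RR("HIT._RPZ.", 0, "RP", "0 RPZ.VIX.COM.")
CONSTRUCTED_ADDITIONAL = [
    RR("ns1.example.com.", 3600, "A", "192.0.2.53"),  # constructed glue
    RPZ_MARKER,
]


def demo(zone="example.com."):
    return screen_additional(CONSTRUCTED_ADDITIONAL, zone)


if __name__ == "__main__":
    kept, logged = demo()
    for rr in kept:
        print("cached:", rr.name, rr.rtype, rr.rdata)
    for line in logged:
        print("syslog:", line)
```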