[RPZ] marking packets modified by DNS-RPZ-policy

Paul Vixie vixie at isc.org
Sat Aug 7 18:32:17 UTC 2010

> Date: Sat, 7 Aug 2010 13:57:52 -0400
> From: Robert Edmonds <edmonds at isc.org>
> > seems like an obvious and wonderful thing until you look at the syslog
> > files on the people downstream of you.
> on which forwarders and at which logging levels would you see error
> messages generated by such additional records?

i once wrote a resolver which had for a few years 100% market share which
would in this case report via syslog that you'd received a cache pollution
attack.  the code was wrong.  but i'm not sure correct code that complained
about kashpureff attacks does not exist in various stub and recursive

> and why is it a bad thing to generate log messages downstream when a
> response is rewritten due to RPZ policy?

because the message would be incorrect and misleading.

but the more i think about it, the more i think i err'd in my initial reply.
adding unsolicited additional data to an RD=1 RA=1 response is not covered
by any RFC rule, exception, or loophole of which i'm presently aware.  we'd
need an RFC published on this topic before we could implement something like
this.  (noting that there's likewise no rule for sending back policy-based
content, there is no on-the-wire distinction in that case, which is the
loophole we're using.)

More information about the DNSfirewalls mailing list