[RPZ] Unwanted AAAA records; replace A with authoritative response
Jan-Piet Mens
jpmens.dns at gmail.com
Wed Nov 2 13:42:13 UTC 2011
Hello,
I've just been asked whether it would be possible to create an RPZ which
hides broken (for any definition of broken) IPv6 sites. My solution is
to create a record for the site with a corresponding A answer so that
BIND replies there is no AAAA:

    jpmens.net.rpz-net. A 95.143.172.12

That works well enough with BIND 9.9.0a3, but it means records need to
be populated with the A addresses.
Is there some trick to have the original authoritative A response
returned instead of manually adding it to the RPZ zone? Something like:

    jpmens.net.rpz-net. A *

I've tried that, but BIND correctly complains about an incorrect
address :)
Thank you,
-JP
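An added example (not part of the post above) of what a complete policy zone for this approach looks like, assuming the zone is named rpz-net, loaded in named.conf as a master zone and enabled with `response-policy { zone "rpz-net"; };` in options; the address is the one from the post, the wildcard entry is constructed:

```zone
$TTL 1h
$ORIGIN rpz-net.
@               IN SOA  localhost. hostmaster.localhost. (
                        2011110201      ; serial
                        1h 15m 30d 1h )
                IN NS   localhost.

; Local-data rule for the QNAME jpmens.net. The resolver answers this name
; from the records listed here instead of the authoritative zone, so an
; A query returns 95.143.172.12 and an AAAA query returns NODATA (no AAAA
; exists in the policy data). The address is copied by hand and has to be
; kept in sync with the real zone, which is the maintenance burden the
; post asks about.
jpmens.net      IN A    95.143.172.12

; Wildcard QNAME trigger (constructed): covers every name under jpmens.net
; with the same local A record. It does not copy the authoritative A of
; each subdomain; all of them get this one address.
*.jpmens.net    IN A    95.143.172.12
```

Check the effect with `dig @resolver jpmens.net AAAA`, which should come back with status NOERROR and an empty answer section while `dig @resolver jpmens.net A` returns the policy address; in BIND the RPZ rewrite is logged under the `rpz` category when that category is configured.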