[RPZ] Fwd: strange result with rpz

Raymond Dijkxhoorn raymond at prolocation.net
Fri Sep 16 21:24:30 UTC 2011


>> response-policy { zone "rpz.zone";};
>> and this is the zone rpz.zone:
>> a.b.c.myzone.fr IN CNAME a.b.c.myzone.fr.
>> *.fr           IN      A
>> The problem is that my server answers a.b.c.myzone.fr but also answers all of the zone myzone.fr, like www.myzone.fr, ftp.myzone.fr, .... Why?
> If I understand that description and have not overlooked something,
> then I would predict that all requests with RD=1 for example.fr,
> ftp.example.myzone.fr, ftp.myzone.fr, myzone.fr and all other domains
> matching *.fr except a.b.c.myzone.fr are answered with
> That is because the "*.fr IN A" policy in the rpz.zone
> file requires rewriting all answers to all requests for A RRs for any
> domain matching *.fr to  All valid answers including
> NXDOMAIN are rewritten.  The a.b.c.myzone.fr policy record exempts
> only a.b.c.myzone.fr from rewriting.
> Evidently those are not the desired results.  What was desired?
> The "*.fr IN A" policy record seems a little unusual.

I was thinking the exact same thing. The zone is set up like that, so it should 
match *.fr and also the ones he lists there. So am I missing the 
point here?
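To make the behaviour Vernon describes concrete, here is a small added model of RPZ QNAME-trigger matching (not code from the thread or from BIND). It assumes an exact policy name beats a wildcard, that the closest (longest) wildcard parent wins, that a CNAME pointing back at the query name means "leave the answer alone", and it uses a placeholder rewrite address because the thread's copy lost the original one.

```python
# Added illustration of RPZ QNAME policy matching as described in the reply.
# Assumptions: exact names beat wildcards; the longest wildcard parent wins;
# a self-referencing CNAME is the exemption idiom (answer left untouched).
# The rewrite address is a placeholder from the documentation range.

REWRITE_ADDR = "192.0.2.1"  # placeholder, not the value from the thread

# Constructed copy of the two policy records posted in the thread.
RPZ_ZONE = {
    "a.b.c.myzone.fr": ("CNAME", "a.b.c.myzone.fr"),
    "*.fr": ("A", REWRITE_ADDR),
}


def policy_for(qname: str):
    """Return (matched_policy_name, (rtype, rdata)) for qname, or None."""
    qname = qname.rstrip(".").lower()
    if qname in RPZ_ZONE:
        return qname, RPZ_ZONE[qname]
    labels = qname.split(".")
    # Walk the parents from longest to shortest looking for a wildcard.
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in RPZ_ZONE:
            return wild, RPZ_ZONE[wild]
    return None


def resolve(qname: str, real_answer: str) -> str:
    """Apply the policy: exemption keeps the real answer, an A record rewrites it."""
    hit = policy_for(qname)
    if hit is None:
        return real_answer
    _, (rtype, rdata) = hit
    if rtype == "CNAME" and rdata == qname.rstrip(".").lower():
        return real_answer  # self-CNAME: exempt, answer passes through
    if rtype == "A":
        return rdata  # every answer, NXDOMAIN included, is rewritten
    return real_answer


if __name__ == "__main__":
    for name in ["a.b.c.myzone.fr", "www.myzone.fr", "ftp.myzone.fr",
                 "myzone.fr", "example.fr", "example.com"]:
        hit = policy_for(name)
        print(f"{name:20} policy={hit[0] if hit else '-':18} "
              f"answer={resolve(name, 'ORIGINAL')}")
```

Running it shows that only a.b.c.myzone.fr escapes the rewrite; every other name under .fr, including myzone.fr itself, hits "*.fr".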

