[RPZ] RPZ and MX

Alan Doherty dnsrpz at alandoherty.net
Fri Jun 1 19:25:08 UTC 2012

At 15:58 01/06/2012  Friday, John Hascall wrote:

>Our primary aim in using RPZ is to protect web users
>by directing them to a walled garden.
>It appears that RPZ is also affecting MX records
>in the blacklisted zones.
>Is there a way to exempt MX records from the
>RPZ process?
>We recognize that this does present a risk as
>it would provide a possible mechanism for
>extant malware to "phone home".

A simpler solution is to point web users at an rpz dns server and
point mail servers at a clean dns server
(as yes, rpz can be served to a mailserver, IF and ONLY IF its responses have been tailored so it isn't claiming to senders that "their domain doesn't exist" when it should be claiming "we are not accepting mail from your domain due to policy")

as one shows your admin to have a possibly broken server, the other that their domain has/is an issue

these 'servers' can be different views on the one server based on source ip of the query

I personally also am looking at rpz feeds to aid in mail filtering but only with corrected rejection messages

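The split described in the reply above (RPZ for web clients, clean recursion for the mail relay, both on one server selected by source address) as a BIND named.conf sketch. This is an added example, not configuration from the thread; the addresses, ACL names, view names and the zone name rpz.example.net are all assumed for illustration.

```conf
// Assumed addresses (constructed for this example):
//   192.0.2.25     the site's MX / outbound relay  -> clean answers, no RPZ
//   192.0.2.0/24   workstations and web users      -> RPZ rewrites applied
acl "mailservers" { 192.0.2.25; };
acl "webusers"    { 192.0.2.0/24; };

// Views are matched in order, so the narrower mail ACL must come first:
// 192.0.2.25 also falls inside 192.0.2.0/24.
view "mail" {
    match-clients { mailservers; };
    recursion yes;
    // No response-policy statement: MX and A lookups are returned
    // unaltered, so the MTA can apply its own policy and tell the
    // sender "rejected by policy" instead of implying NXDOMAIN.
};

view "web" {
    match-clients { webusers; };
    recursion yes;
    // Names listed in the policy zone are rewritten for these clients;
    // entries in rpz.example.net CNAME them to the walled-garden host.
    response-policy { zone "rpz.example.net"; };
    zone "rpz.example.net" {
        type master;
        file "rpz.example.net.db";
        allow-query { localhost; };   // policy data is not served to clients
    };
};
```

Clients matching neither ACL are refused, so any further client group (for example a mail view that serves tailored RPZ data as the reply suggests) needs its own view with its own policy zone.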