[DNSfirewalls] patches for BIND 9.8.5-P2 and 9.9.3-P2
vjs at rhyolite.com
Fri Jul 26 22:48:59 UTC 2013
new RPZ and RRL patches for BIND 9.8.5-P2 and 9.9.3-P2 are available
by following the link labeled "Patch files for BIND9"
The RPZ code in those patches supports "rpz-client-IP" triggers and
"rpz-drop" and "rpz-tcp-only" policies. The new trigger can be used
with any RPZ policy and both new policies can be used with any trigger.
That allows some dubious schemes such as dropping all requests for some
domains or forcing them to TCP. I hope their intended application
is more useful. A response policy zone of DNS reflection attack
victims with a TCP-only policy might mitigate attacks that are too
distributed to trigger RRL at any single authority. A policy zone of
unreconstructed open resolvers with a drop policy is similar to a mail
Vernon Schryver vjs at rhyolite.com
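As an added illustration of the two deployment ideas in the message above (not code from the patches or from the author): the script below generates an RPZ zone file that applies rpz-tcp-only to the spoofed client addresses of reflection victims and rpz-drop to open resolvers, using the rpz-client-ip trigger. The zone name rpz.example and the address lists are assumptions, drawn from the RFC 5737 documentation ranges; only IPv4 prefixes are encoded. The resulting zone would be referenced from named.conf with `response-policy { zone "rpz.example"; };`.

```python
"""Build a BIND response policy zone (RPZ) using rpz-client-ip triggers
and the rpz-tcp-only / rpz-drop policies.  Added example: the zone name,
hostnames and addresses below are constructed, not real victims.
"""
import ipaddress

# RPZ encodes the policy action as the CNAME target of the trigger record.
POLICIES = {
    "nxdomain": ".",
    "nodata": "*.",
    "passthru": "rpz-passthru.",
    "drop": "rpz-drop.",
    "tcp-only": "rpz-tcp-only.",
}


def client_ip_trigger(prefix: str) -> str:
    """Encode an IPv4 prefix as a relative rpz-client-ip owner name.

    RPZ writes the prefix length first, then the octets in reverse order:
    192.0.2.0/24 -> 24.0.2.0.192.rpz-client-ip.  A bare address is a /32.
    IPv6 uses a different ('zz') notation and is deliberately not handled.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 prefixes only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-client-ip"


def qname_trigger(name: str) -> str:
    """A QNAME trigger is simply the domain name, relative to the zone."""
    return name.rstrip(".")


def rpz_record(owner: str, policy: str) -> str:
    """One policy record: <trigger owner> CNAME <policy target>."""
    if policy not in POLICIES:
        raise ValueError(f"unknown RPZ policy {policy!r}")
    return f"{owner} CNAME {POLICIES[policy]}"


def build_zone(zone: str, rules) -> str:
    """Return zone-file text: minimal SOA/NS header plus the policy records."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ SOA ns.{zone}. hostmaster.{zone}. 1 3600 600 86400 300",
        f"@ NS ns.{zone}.",
    ]
    lines += [rpz_record(owner, policy) for owner, policy in rules]
    return "\n".join(lines) + "\n"


def reflection_policy_zone(zone, victims, open_resolvers, tcp_only_names=()):
    """Victims (spoofed source addresses) get TCP-only, which cannot be
    spoofed; known open resolvers are dropped; optional QNAMEs are forced
    to TCP regardless of client."""
    rules = [(client_ip_trigger(v), "tcp-only") for v in victims]
    rules += [(client_ip_trigger(r), "drop") for r in open_resolvers]
    rules += [(qname_trigger(n), "tcp-only") for n in tcp_only_names]
    return build_zone(zone, rules)


# Constructed sample data (documentation ranges, hypothetical names).
VICTIMS = ["192.0.2.0/24", "198.51.100.7"]
OPEN_RESOLVERS = ["203.0.113.0/28"]
TCP_ONLY_NAMES = ["amplified.example"]

if __name__ == "__main__":
    print(reflection_policy_zone("rpz.example", VICTIMS, OPEN_RESOLVERS,
                                 TCP_ONLY_NAMES))
```

The reversed-octet, prefix-length-first encoding is the part most often got wrong by hand; validate the generated file with named-checkzone before loading it.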