[DNSfirewalls] Of RPZ, PTR, and NXDOMAIN
Anne Bennett
anne at encs.concordia.ca
Wed Dec 17 22:17:40 UTC 2014
Yes, I'm verbose this week, as I try to set up this new function!
Google is surprisingly unhelpful, which leads me to wonder how many
people out there are using RPZs...
Anyway, two issues:
(1) What do I do about queries for PTR records from a
"quarantined" client (one matched by rpz-client-ip)?
It doesn't make sense to redirect them with a CNAME like
forward queries, but I see no way to make an exception
for PTR queries in general. There's no "query type"
trigger. Hmm, can I pass through based on a QNAME match
on in-addr.arpa or ip6.arpa? I'll try that when I get
back from my Christmas vacation.
(2) When I quarantine a client such that all of its queries
(except those for whitelisted sites) get a CNAME to a
server under my control, then an NXDOMAIN (real) answer also
gets translated to the CNAME. I suppose this is logically
consistent, preventing a quarantined client from learning
anything at all, even the non-existence of a name. But in
practice, I think it could lead to unnecessary confusion.
As far as I know, though, there's no way to match an
NXDOMAIN response and pass it through. Or is there?
Hope there's someone out there! If so, happy holidays to you!
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
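The following is an added example, not part of the original message and not BIND code: a small Python model of how the rpz-client-ip and QNAME triggers interact, written to check the approach floated in question (1). It assumes the precedence rules of the RPZ draft specification: policy zones are consulted in response-policy order and the first zone with a matching rule wins, and within one zone a client-ip trigger beats a QNAME trigger. Under those rules a CNAME to rpz-passthru. for in-addr.arpa and ip6.arpa exempts PTR lookups from a quarantined client only if it sits in a policy zone listed before the zone holding the rpz-client-ip rule; the same rule placed in the same zone loses to the client-ip match. The model also never consults the upstream answer, which is the mechanism behind question (2): a client-ip hit rewrites the response whether the real answer was NOERROR or NXDOMAIN. The client address 10.0.0.7, the target quarantine.example. and the zone names rpz.passthru, rpz.quarantine and rpz.all are constructed placeholders.

```python
"""Model of RPZ trigger precedence (constructed example, not BIND code).

Assumed rules, taken from the RPZ draft specification: policy zones are
consulted in response-policy order and the first zone with a matching rule
decides; within one zone a client-ip trigger beats a QNAME trigger; the
longest client-ip prefix wins and an exact QNAME beats a wildcard.  Only
IPv4 rpz-client-ip and QNAME triggers are modelled (no rpz-ip/nsdname/nsip).
"""
import ipaddress
import re

# CNAME targets with a special RPZ meaning; any other target is a redirect.
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz_zone(text):
    """Return ([(network, action, target)], [(owner, action, target)]) from CNAME rules."""
    client_ip_rules, qname_rules = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line or line.startswith("$"):      # skip blanks and $TTL/$ORIGIN
            continue
        fields = line.split()
        if "CNAME" not in fields:                 # SOA, NS and A records are not modelled
            continue
        owner = fields[0].lower()
        target = fields[fields.index("CNAME") + 1].lower()
        action = SPECIAL_TARGETS.get(target, "CNAME")
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.rpz-client-ip", owner)
        if m:  # owner is prefixlen.B4.B3.B2.B1: the address octets are reversed
            prefixlen, *octets = m.groups()
            net = ipaddress.ip_network(
                ".".join(reversed(octets)) + "/" + prefixlen, strict=False)
            client_ip_rules.append((net, action, target))
        else:
            qname_rules.append((owner.rstrip("."), action, target))
    return client_ip_rules, qname_rules


def match_client_ip(rules, client_ip):
    """Longest matching prefix wins; None when no rule covers the client."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action, target in rules:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action, target)
    return best[1:] if best else None


def match_qname(rules, qname):
    """Exact owner beats wildcard; among wildcards the longest wins."""
    q = qname.lower().rstrip(".")
    best = None
    for owner, action, target in rules:
        if owner.startswith("*.") and q.endswith(owner[1:]):
            score = (0, len(owner))  # wildcard such as *.in-addr.arpa
        elif owner == q:
            score = (1, len(owner))  # exact match
        else:
            continue
        if best is None or score > best[0]:
            best = (score, action, target)
    return best[1:] if best else None


def apply_policy(zones, client_ip, qname):
    """Return (zone_name, action, target) for the winning rule, or None.

    Neither trigger looks at the upstream answer, so a quarantined client
    gets the same CNAME whether the real answer was NOERROR or NXDOMAIN.
    """
    for zone_name, text in zones:
        client_ip_rules, qname_rules = parse_rpz_zone(text)
        hit = (match_client_ip(client_ip_rules, client_ip)
               or match_qname(qname_rules, qname))
        if hit:
            return (zone_name,) + hit
    return None


# Constructed zone data (SOA/NS omitted; the parser skips them anyway).
QUARANTINE_RULES = """\
; placeholder client 10.0.0.7/32, encoded as prefixlen.B4.B3.B2.B1.rpz-client-ip
32.7.0.0.10.rpz-client-ip  CNAME quarantine.example.
"""
PASSTHRU_RULES = """\
in-addr.arpa    CNAME rpz-passthru.
*.in-addr.arpa  CNAME rpz-passthru.
ip6.arpa        CNAME rpz-passthru.
*.ip6.arpa      CNAME rpz-passthru.
"""
# Whitelist zone listed before the quarantine zone ...
SEPARATE_ZONES = [("rpz.passthru", PASSTHRU_RULES),
                  ("rpz.quarantine", QUARANTINE_RULES)]
# ... versus the same rules inside a single policy zone.
ONE_ZONE = [("rpz.all", QUARANTINE_RULES + PASSTHRU_RULES)]
```

Calling apply_policy(SEPARATE_ZONES, "10.0.0.7", "7.0.0.10.in-addr.arpa") returns the PASSTHRU from rpz.passthru, while the same query against ONE_ZONE returns the quarantine CNAME, and a forward name such as www.example.com returns the quarantine CNAME in both layouts. The model encodes the specification's precedence as I read it; confirm the behaviour of the named version in use with dig against a test client before relying on the zone ordering.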