[DNSfirewalls] Of RPZ, PTR, and NXDOMAIN
anne at encs.concordia.ca
Wed Dec 17 22:17:40 UTC 2014
Yes, I'm verbose this week, as I try to set up this new function!
Google is surprisingly unhelpful, which leads me to wonder how many
people out there are using RPZs...
Anyway, two issues:
(1) What do I do about queries for PTR records from a
"quarantined" client (one matched by rpz-client-ip)?
It doesn't make sense to redirect them with a CNAME like
forward queries, but I see no way to make an exception
for PTR queries in general. There's no "query type"
trigger. Hmm, can I pass through based on a QNAME match
on in-addr.arpa or ip6.arpa? I'll try that when I get
back from my Christmas vacation.
(2) When I quarantine a client such that all of its queries
(except those for whitelisted sites) get a CNAME to a
server under my control, then an NXDOMAIN (real) answer also
gets translated to the CNAME. I suppose this is logically
consistent, preventing a quarantined client from learning
anything at all, even the non-existence of a name. But in
practice, I think it could lead to unnecessary confusion.
As far as I know, though, there's no way to match an
NXDOMAIN response and pass it through. Or is there?
Hope there's someone out there! If so, happy holidays to you!
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285