[DNSfirewalls] Of RPZ, PTR, and NXDOMAIN

Anne Bennett anne at encs.concordia.ca
Wed Dec 17 22:17:40 UTC 2014

Yes, I'm verbose this week, as I try to set up this new function!
Google is surprisingly unhelpful, which leads me to wonder how many
people out there are using RPZs...

Anyway, two issues:

(1) What do I do about queries for PTR records from a
    "quarantined" client (one matched by rpz-client-ip)?
    It doesn't make sense to redirect them with a CNAME like
    forward queries, but I see no way to make an exception
    for PTR queries in general.  There's no "query type"
    trigger.  Hmm, can I pass through based on a QNAME match
    on in-addr.arpa or ip6.arpa?  I'll try that when I get
    back from my Christmas vacation.

(2) When I quarantine a client such that all of its queries
    (except those for whitelisted sites) get a CNAME to a
    server under my control, then an NXDOMAIN (real) answer also
    gets translated to the CNAME.  I suppose this is logically
    consistent, preventing a quarantined client from learning
    anything at all, even the non-existence of a name.  But in
    practice, I think it could lead to unnecessary confusion.
    As far as I know, though, there's no way to match an
    NXDOMAIN response and pass it through.  Or is there?

Hope there's someone out there!  If so, happy holidays to you!

Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
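One way to lay out the policy the post describes, added here as an illustration rather than anything from the original thread: a whitelist zone holding pass-through names (including in-addr.arpa and ip6.arpa, the approach floated for the PTR case in question 1) and a quarantine zone holding the rpz-client-ip triggers. The zone names, the walled-garden host, and the client addresses are assumptions, and it assumes BIND applies the rule from whichever policy zone appears first in the response-policy list, so the whitelist zone must be listed ahead of the quarantine zone there.

```zone
; rpz-whitelist.db (assumed name): list this zone FIRST in response-policy
; so its pass-through rules beat the client-IP triggers below.
$TTL 1H
@      SOA  localhost. root.localhost. 2014121701 1h 15m 30d 2h
       NS   localhost.

; Reverse lookups: let PTR queries resolve normally even for
; quarantined clients, by matching the reverse-tree QNAMEs.
*.in-addr.arpa              CNAME rpz-passthru.
*.ip6.arpa                  CNAME rpz-passthru.

; The walled-garden host itself must resolve, or the redirect
; has nowhere to land; add other whitelisted sites the same way.
walledgarden.example.net    CNAME rpz-passthru.
*.walledgarden.example.net  CNAME rpz-passthru.


; rpz-quarantine.db (assumed name): list this zone SECOND.
; Everything not passed through above is answered with a CNAME
; to the walled garden for the matching client addresses.
$TTL 1H
@      SOA  localhost. root.localhost. 2014121701 1h 15m 30d 2h
       NS   localhost.

; rpz-client-ip triggers are written prefix.B4.B3.B2.B1 (octets reversed).
; One host, 10.0.2.15/32 (constructed address):
32.15.2.0.10.rpz-client-ip  CNAME walledgarden.example.net.
; A whole subnet, 10.0.3.0/24 (constructed address):
24.0.3.0.10.rpz-client-ip   CNAME walledgarden.example.net.
```

Nothing here changes the NXDOMAIN behaviour raised in question 2: a client-IP rule still rewrites a negative answer to the CNAME, since no trigger type keys on the response code.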
