[DNSfirewalls] Of RPZ, PTR, and NXDOMAIN

Vernon Schryver vjs at rhyolite.com
Wed Dec 17 23:02:46 UTC 2014

> From: Anne Bennett <anne at encs.concordia.ca>

> Yes, I'm verbose this week, as I try to set up this new function!
> Google is surprisingly unhelpful, which leads me to wonder how many
> people out there are using RPZs...

Because RPZ is no longer an experimental or even new feature of BIND,
I suspect that you would reach a larger fraction of RPZ users through
one of the main BIND mailing lists such as bind-users.  Please see

> (1) What do I do about queries for PTR records from a
>     "quarantined" client (one matched by rpz-client-ip)?
>     It doesn't make sense to redirect them with a CNAME like
>     forward queries, but I see no way to make an exception
>     for PTR queries in general.  There's no "query type"
>     trigger.  Hmm, can I pass through based on a QNAME match
>     on in-addr.arpa or ip6.arpa?  I'll try that when I get
>     back from my Christmas vacation.

Why treat PTR records differently?  If you have reason to distrust
the DNS clients at an IP address and so serve them false answers
for record types other than PTR such as A, AAAA, MX, CNAME, TXT,
and SRV, isn't it prudent to do the same for PTR records?  I think PTR
records could be used in a DNS tunnel.
(Please note that I'm saying nothing about the added complexity in
the RPZ code itself of adding qtype to the RPZ rules.)

More to the point, would the complexity for BIND users of including
the original response record type in the trigger be worthwhile?
A synthetic, quarantine CNAME response to a PTR request might not
be very useful, but a valid response PTR that does not match whatever
the quarantining CNAME ultimately resolves into seems worse.

By the way, instead of quarantining with only a CNAME RPZ record,
why not use a full set of A, AAAA, and PTR records?  Using RPZ to
rewrite all matching responses to a CNAME is only the easiest-to-use
tactic, and, I think, generally the least desirable tactic.

> (2) When I quarantine a client such that all of its queries
>     (except those for whitelisted sites) get a CNAME to a
>     server under my control, then an NXDOMAIN (real) answer also
>     gets translated to the CNAME.  I suppose this is logically
>     consistent, preventing a quarantined client from learning
>     anything at all, even the non-existence of a name.  But in
>     practice, I think it could lead to unnecessary confusion.
>     As far as I know, though, there's no way to match an
>     NXDOMAIN response and pass it through.  Or is there?

As an end user or someone doing technical support, I think I'd be more
confused by having only responses with some codes rewritten.  What would
be the costs and benefits of the added complication of including the
response status value in the rules?  (I'm assuming the proposal is not
special for NXDOMAIN but would include all of the DNS response codes.)

Please also note that while it is good to hear that RPZ is, as I
hoped, at least potentially useful for quarantining "owned" end
users, the motives for RPZ ran in the other direction.  The idea
was to filter outside bad guys.

Vernon Schryver    vjs at rhyolite.com
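The two quarantine tactics compared in the reply above, written out as an added example in BIND RPZ zone-file syntax (this is not a zone from the thread or from BIND's own documentation). The quarantined client prefix 10.2.3.4/32, the walled-garden addresses 192.0.2.10 and 2001:db8::10, and the name walled-garden.example. are placeholders; the zone is assumed to be listed in named.conf under `response-policy { zone "rpz.local"; };`.

```zone
; Added example, not from the thread: one RPZ zone, BIND zone-file syntax.
; Placeholders: client 10.2.3.4/32, garden 192.0.2.10 / 2001:db8::10.
$TTL 60
@   SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 60 )
    NS   localhost.

; Client-IP trigger owner name: <prefix-length>.<address octets reversed>.rpz-client-ip
; 10.2.3.4/32  ->  32.4.3.2.10.rpz-client-ip

; (a) The "easiest to use" tactic: every answer for this client, PTR and
;     NXDOMAIN included, is rewritten to a CNAME (the behaviour questions
;     (1) and (2) describe).  Kept commented out so (b) is the active rule.
; 32.4.3.2.10.rpz-client-ip    CNAME   walled-garden.example.

; (b) The same trigger with a full set of local data: the RPZ record whose
;     type matches the query type is returned, so A, AAAA and PTR queries
;     each get a type-correct answer; query types with no record here get
;     an empty (NODATA) answer instead of a CNAME chain.
32.4.3.2.10.rpz-client-ip      A       192.0.2.10
32.4.3.2.10.rpz-client-ip      AAAA    2001:db8::10
32.4.3.2.10.rpz-client-ip      PTR     walled-garden.example.
```

Only one of (a) or (b) should be active for a given client-IP owner name; uncommenting (a) alongside (b) would mix a CNAME with other records at the same owner.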
