[DNSfirewalls] RPZ and client perception
vjs at rhyolite.com
Sun Jul 6 18:31:53 UTC 2014
> From: "David A. Evans" <Evans_David_A at cat.com>
> appear to be related to the RPZ and the amount of time it takes to
> complete all the extra queries for the NSDNAME checks.
NSDNAME or both NSDNAME and NSIP? If both, then why not turn off
If only NSDNAME, then I don't understand. Getting A and AAAA records
for a bunch of NS names to do NSIP checks can take a lot of time, but
with the default setting of 1 for min-ns-dots, why does it take too
much time to do only NSDNAME checks for a domain like banque-france.org?
Have you overridden the default value for min-ns-dots?
> these issues they seem to fit into 2 groups.
> 1. DNS zones with "slightly" broken infrastructure. These would
> 2. DNS zones with a large number of NS records and the name
> servers have FQDN's in several different DNS zones. I found some where the
> Is there a RPZ log event that says "It took over (X) seconds to
> complete this query because of RPZ"? Basically, I got a good answer back
> for the 'real' query but I did not provide it to the client within X
> seconds because the RPZ check was still ongoing.
No, but I think that by turning on enough debugging logging and then
crunching it, one could synthezise such log events.
> I can imagine there
> would be a huge amount of noise in those messages but they could
> conceivably be acted on before the client calls with an issue.
What action would be taken after such a log event? Answering the
request including doing the RPZ checks would still have taken too long.
Distinguishing Group #1 (broken infrastructure) from Group #2 (lots
distributed NS RRs) would requirea lot of processing and perhaps human
work. Is the idea to have a good story to tell clients when they call?
Or to add to a local RPZ whitelist?
Would be be effective to sift SMTP and perhaps HTTP server logs for
customer and provider domains to build a private RPZ whitelist?
Vernon Schryver vjs at rhyolite.com
More information about the DNSfirewalls