From vjs at rhyolite.com  Sun Nov  6 16:33:45 2016
From: vjs at rhyolite.com (Vernon Schryver)
Date: Sun, 6 Nov 2016 16:33:45 GMT
Subject: [DNSfirewalls] version -02 of the RPZ Internet Draft
Message-ID: <201611061633.uA6GXj8j064355@calcite.rhyolite.com>

A new version of the RPZ Internet Draft is temporarily at
https://www.rhyolite.com/temp/draft-vixie-dns-rpz-02.txt
until the I-D submission tool reopens after the IETF meeting.

Comments would be welcome.


Vernon Schryver    vjs at rhyolite.com


From vjs at rhyolite.com  Sun Nov  6 16:37:10 2016
From: vjs at rhyolite.com (Vernon Schryver)
Date: Sun, 6 Nov 2016 16:37:10 GMT
Subject: [DNSfirewalls] Fwd: New Version Notification for
Message-ID: <201611061637.uA6GbAxL064474@calcite.rhyolite.com>

> From: Eric Ziegast
> To: dnsfirewalls at lists.redbarn.org

I apologize for not responding to Eric's message before now.

> 1. Precedence.... Y'all say:
> ...

The Precedence Rules are in their own section in the -02 version of
the draft (which is temporarily at
https://www.rhyolite.com/temp/draft-vixie-dns-rpz-02.txt
until the I-D submission tool reopens after the IETF meeting).
There is more text about the "Name Length" rule, and wildcards are
now explicitly mentioned.  Your comments on it would be welcome.

> Eg: I might want to pass-through TCL.TK and *.TCL.TK,
> but still point *.TK through a walled garden.

These do that:

    tcl.tk      cname   rpz-passthru.
    *.tcl.tk    cname   rpz-passthru.
    *.tk        cname   walled.example.com.

> 2. I don't understand what "qname-wait-recurse" in the
> Security Considerations section is.  Is that a specific
> option/implementation in BIND?  Does that sentence need
> rephrasing?

Yes.  Please consider the new paragraph in Section 5 of the -02 draft.

> 3. Forwarders.... Y'all state:
>
>    RPZ merely formalizes and facilitates modifying DNS data on
>    its way from DNS authority servers to clients.
>
> I think this might need some elaboration.  In its simplest
> ...
Is the additional text about RD=0/1 in Section 5 of the -02 draft
enough?  It doesn't mention forwarders, to avoid needing to define
that class of DNS servers.  Do forwarders set RD=1?  I assume so, but
that seems like something beyond the scope of an RPZ RFC.

> 4. DNSSEC vs RPZ....  I see:
> ...

Are the additional words in Section 5 and Section 10 good enough?


Vernon Schryver    vjs at rhyolite.com


From paul at redbarn.org  Sun Nov  6 18:40:35 2016
From: paul at redbarn.org (Paul Vixie)
Date: Sun, 06 Nov 2016 10:40:35 -0800
Subject: [DNSfirewalls] version -02 of the RPZ Internet Draft
In-Reply-To: <201611061633.uA6GXj8j064355@calcite.rhyolite.com>
References: <201611061633.uA6GXj8j064355@calcite.rhyolite.com>
Message-ID: <581F7923.6070300@redbarn.org>

in spite of it not being in the official ietf document system, i'd like
to invite anyone who has read this document to join me at a "Bar BOF"
in seoul, on sunday night, november 13. rsvp to me by e-mail and i'll
let everybody know which bar and what time. i know a place with good
western beer that's about a 10-minute walk from the ietf hotel. timing
will be "after the social and after our various dinners."

--vix

re:

Vernon Schryver wrote:
> A new version of the RPZ Internet Draft is temporarily at
> https://www.rhyolite.com/temp/draft-vixie-dns-rpz-02.txt
> until the I-D submission tool reopens after the IETF meeting.
>
> Comments would be welcome.
>
>
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> DNSfirewalls mailing list
> DNSfirewalls at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/dnsfirewalls

-- 
P Vixie


From ljsong at biigroup.cn  Mon Nov 28 02:59:48 2016
From: ljsong at biigroup.cn (Davey Song(宋林健))
Date: Mon, 28 Nov 2016 10:59:48 +0800
Subject: [DNSfirewalls] Can RPZ respond/filter the outbound query?
Message-ID: <00b001d24923$7d8d4920$78a7db60$@cn>

Hi folks,

I know RPZ is designed to provide alternate responses to inbound
queries.
Can RPZ respond to or filter the outbound queries?  I would like to
apply action and trigger policy to the outbound queries.  For example:
to PASSTHRU or Drop all outbound queries whose qtype==2 and dst is
"xx.xx.xx.xx".

If it works, another question is whether this built-in filter impacts
the NS selection algorithm of that resolver, because if you drop all
outbound NS queries to a particular server, the resolver will not (or
much less) send any other type of queries to that server.

My requirement is simple: that the resolver can send all types of
query except for NS queries to that specific server(s).  iptables or
other firewalls can drop the packets, but I would like that action not
to reduce other queries to that server(s).

I'm not sure I made the question clear.  If RPZ does not fit for this,
may I ask, is there any other tool that can help?

Best regards,
Davey


From paul at redbarn.org  Mon Nov 28 03:09:28 2016
From: paul at redbarn.org (Paul Vixie)
Date: Sun, 27 Nov 2016 19:09:28 -0800
Subject: [DNSfirewalls] Can RPZ respond/filter the outbound query?
In-Reply-To: <00b001d24923$7d8d4920$78a7db60$@cn>
References: <00b001d24923$7d8d4920$78a7db60$@cn>
Message-ID: <583B9FE8.4040202@redbarn.org>

Davey Song(宋林健) wrote:
> I know RPZ is designed to provide alternate responses to inbound
> queries. Can RPZ respond to or filter the outbound queries? I would
> like to apply action and trigger policy to the outbound queries. For
> example: to PASSTHRU or Drop all outbound queries whose qtype==2 and
> dst is "xx.xx.xx.xx".

no. rpz is intended to control the response seen by the stub resolver,
it has no effect at all on the upstream query activities of the full
resolver ("recursive nameserver") which runs rpz and serves those
stubs.

> I'm not sure I made the question clear. If RPZ does not fit for this,
> may I ask, is there any other tool that can help?

in BIND you would use the bogus-ns feature.
-- 
P Vixie


From afried at deteque.com  Mon Nov 28 03:12:09 2016
From: afried at deteque.com (Andrew Fried)
Date: Sun, 27 Nov 2016 22:12:09 -0500
Subject: [DNSfirewalls] Can RPZ respond/filter the outbound query?
In-Reply-To: <00b001d24923$7d8d4920$78a7db60$@cn>
References: <00b001d24923$7d8d4920$78a7db60$@cn>
Message-ID: <73f640c3-7e8b-4023-ecc0-4fca20d6555b@deteque.com>

I'm not sure I completely understand what you are actually trying to
accomplish.  If you want to block recursive lookups to a specific
nameserver you can do that with rpz two different ways - using either
the nameserver name (nsdname type trigger) or nameserver IP (ns-ip
trigger).

Andrew

On 11/27/16 9:59 PM, Davey Song(宋林健) wrote:
>
> Hi folks,
>
> I know RPZ is designed to provide alternate responses to inbound
> queries. Can RPZ respond to or filter the outbound queries? I would
> like to apply action and trigger policy to the outbound queries. For
> example: to PASSTHRU or Drop all outbound queries whose qtype==2 and
> dst is "xx.xx.xx.xx".
>
> If it works, another question is whether this built-in filter impacts
> the NS selection algorithm of that resolver, because if you drop all
> outbound NS queries to a particular server, the resolver will not (or
> much less) send any other type of queries to that server.
>
> My requirement is simple: that the resolver can send all types of
> query except for NS queries to that specific server(s). iptables or
> other firewalls can drop the packets, but I would like that action not
> to reduce other queries to that server(s).
>
> I'm not sure I made the question clear. If RPZ does not fit for this,
> may I ask, is there any other tool that can help?
>
> Best regards,
> Davey
>
> _______________________________________________
> DNSfirewalls mailing list
> DNSfirewalls at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/dnsfirewalls

-- 
Andrew Fried
afried at deteque.com
+1.703.667.4050 Office
+1.703.362.0067 Mobile
deteque Skype


From ljsong at biigroup.cn  Mon Nov 28 03:39:07 2016
From: ljsong at biigroup.cn (Davey Song(宋林健))
Date: Mon, 28 Nov 2016 11:39:07 +0800
Subject: [DNSfirewalls] Re: Can RPZ respond/filter the outbound query?
In-Reply-To: <583B9FE8.4040202@redbarn.org>
References: <00b001d24923$7d8d4920$78a7db60$@cn>
 <583B9FE8.4040202@redbarn.org>
Message-ID: <00c701d24928$fb9410b0$f2bc3210$@cn>

Adding a bogus name server or using a blackhole list will stop all
queries to that server.  But I only want to stop specific types of
query for a specific qname to that server.  Can the bogus-ns function
specify query types for a specific qname?

--Davey

-----Original Message-----
From: Paul Vixie [mailto:paul at redbarn.org]
Sent: 2016-11-28 11:09
To: "Davey Song(宋林健)"
Cc: dnsfirewalls at lists.redbarn.org
Subject: Re: [DNSfirewalls] Can RPZ respond/filter the outbound query?

Davey Song(宋林健) wrote:
> I know RPZ is designed to provide alternate responses to inbound
> queries. Can RPZ respond to or filter the outbound queries? I would
> like to apply action and trigger policy to the outbound queries. For
> example: to PASSTHRU or Drop all outbound queries whose qtype==2 and
> dst is "xx.xx.xx.xx".

no. rpz is intended to control the response seen by the stub resolver,
it has no effect at all on the upstream query activities of the full
resolver ("recursive nameserver") which runs rpz and serves those
stubs.

> I'm not sure I made the question clear. If RPZ does not fit for this,
> may I ask, is there any other tool that can help?

in BIND you would use the bogus-ns feature.
-- 
P Vixie


From paul at redbarn.org  Mon Nov 28 05:05:56 2016
From: paul at redbarn.org (Paul Vixie)
Date: Sun, 27 Nov 2016 21:05:56 -0800
Subject: [DNSfirewalls] Re: Can RPZ respond/filter the outbound query?
In-Reply-To: <00c701d24928$fb9410b0$f2bc3210$@cn>
References: <00b001d24923$7d8d4920$78a7db60$@cn>
 <583B9FE8.4040202@redbarn.org>
 <00c701d24928$fb9410b0$f2bc3210$@cn>
Message-ID: <583BBB34.5040306@redbarn.org>

Davey Song(宋林健) wrote:
> Adding a bogus name server or using a blackhole list will stop all
> queries to that server. But I only want to stop specific types of
> query for a specific qname to that server. Can the bogus-ns function
> specify query types for a specific qname?

no.

-- 
P Vixie
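Two points in this thread are easy to get wrong when writing policy: Vernon's precedence example (tcl.tk and *.tcl.tk pass through while *.tk goes to a walled garden, decided by the "Name Length" rule), and Paul's point that RPZ only shapes the response the stub sees and never the resolver's upstream queries. The evaluator below is an added example, not text from the draft, code from BIND, or anything posted by the people on this list. It assumes a policy zone named rpz.example., a made-up nameserver name ns1.dodgy.example for an nsdname trigger of the kind Andrew mentions, and the standard RPZ encoding of actions as CNAME targets ("." for NXDOMAIN, "*." for NODATA, rpz-passthru., rpz-drop. and rpz-tcp-only.; the last two come from the RPZ specification, not from this thread). QNAME triggers are checked before NSDNAME triggers, as the draft's precedence section orders them, so a PASSTHRU on the name wins even when one of its nameservers is listed.

```python
"""Toy evaluator for RPZ QNAME and NSDNAME triggers (constructed example).

It decides what the stub sees for a name once the recursive resolver has
already done its upstream work; it never touches the upstream queries
themselves, which is why RPZ cannot do what the original question asked.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RPZ_ZONE_NAME = "rpz.example."      # assumed policy-zone apex (constructed)

# Constructed policy zone.  Owner names are relative to RPZ_ZONE_NAME; each
# record is a CNAME whose target encodes the action.  The first three lines
# are the precedence example from the thread; the fourth is an NSDNAME
# trigger on a made-up nameserver name.
RPZ_ZONE = [
    ("tcl.tk",                        "rpz-passthru."),
    ("*.tcl.tk",                      "rpz-passthru."),
    ("*.tk",                          "walled.example.com."),
    ("ns1.dodgy.example.rpz-nsdname", "."),
]

Action = Tuple[str, Optional[str]]


@dataclass
class Trigger:
    kind: str          # "QNAME" or "NSDNAME"
    name: List[str]    # trigger labels, "*" first for a wildcard
    action: Action


def labels(name: str) -> List[str]:
    """Split a dotted name into lower-cased labels, ignoring a trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def decode_action(target: str) -> Action:
    """Map a CNAME target to the RPZ action it encodes."""
    t = target.lower()
    if t == ".":
        return ("NXDOMAIN", None)
    if t == "*.":
        return ("NODATA", None)
    if t in ("rpz-passthru.", "rpz-drop.", "rpz-tcp-only."):
        return (t[4:-1].upper(), None)   # PASSTHRU, DROP, TCP-ONLY
    return ("CNAME", target)             # local data, e.g. a walled garden


def parse_zone(zone) -> List[Trigger]:
    """Classify each owner name by the trigger-type label it ends with."""
    triggers = []
    for owner, target in zone:
        labs = labels(owner)
        if labs[-1:] == ["rpz-nsdname"]:
            triggers.append(Trigger("NSDNAME", labs[:-1], decode_action(target)))
        else:
            triggers.append(Trigger("QNAME", labs, decode_action(target)))
    return triggers


def match_rank(trigger: List[str], name: List[str]):
    """Return a sortable rank if the trigger matches the name, else None.

    Rank is (exact?, label count): an exact name beats a wildcard of the same
    length and a longer trigger beats a shorter one (the "Name Length" rule).
    A wildcard "*.tk" matches names below tk but not tk itself, as in DNS.
    """
    if trigger[:1] == ["*"]:
        suffix = trigger[1:]
        if len(name) > len(suffix) and name[len(name) - len(suffix):] == suffix:
            return (False, len(trigger))
        return None
    return (True, len(trigger)) if trigger == name else None


def best_match(triggers: List[Trigger], kind: str, name: str) -> Optional[Trigger]:
    """Pick the highest-ranked trigger of one kind that matches the name."""
    ranked = []
    for t in triggers:
        if t.kind == kind:
            r = match_rank(t.name, labels(name))
            if r is not None:
                ranked.append((r, t))
    return max(ranked, key=lambda rt: rt[0])[1] if ranked else None


def apply_policy(triggers: List[Trigger], qname: str, ns_names=()) -> Action:
    """Decide the action for the stub's response.

    ns_names are the delegation's NS names the resolver already learned
    upstream; QNAME triggers are consulted before NSDNAME triggers.
    """
    hit = best_match(triggers, "QNAME", qname)
    if hit is None:
        for ns in ns_names:
            hit = best_match(triggers, "NSDNAME", ns)
            if hit is not None:
                break
    return hit.action if hit is not None else ("NONE", None)


if __name__ == "__main__":
    policy = parse_zone(RPZ_ZONE)
    for q, nss in [("tcl.tk", ()), ("www.tcl.tk", ()), ("example.tk", ()),
                   ("tk", ()), ("www.example.com", ("ns1.dodgy.example",)),
                   ("tcl.tk", ("ns1.dodgy.example",))]:
        print(f"{q:18s} ns={nss!s:26s} -> {apply_policy(policy, q, nss)}")
```

Running it shows www.tcl.tk passing through because the three-label wildcard *.tcl.tk outranks the two-label *.tk, example.tk being rewritten to the walled-garden CNAME, the bare name tk matching nothing, and a name served by the listed nameserver getting NXDOMAIN unless a QNAME PASSTHRU already claimed it.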