[DNSfirewalls] Can RPZ respond/filter the outbound query?

Davey Song(宋林健) ljsong at biigroup.cn
Mon Nov 28 02:59:48 UTC 2016

Hi folks, 


I know RPZ is designed to provide alternate responses to inbound queries.
Can RPZ respond to or filter the outbound queries? I would like to apply an action
and trigger policy to the outbound queries. For example: to PASSTHRU or drop
all outbound queries whose qtype==2 and dst is 'xx.xx.xx.xx'.


If it works, another question is: does this built-in filter impact the
NS selection algorithm of that resolver? Because if you drop all outbound NS
queries to a particular server, the resolver will not (or will much less often) send any
other type of query to that server.


My requirement is simple: the resolver can send all types of query
except for NS queries to that specific server(s). iptables or another firewall
can drop the packets, but I would like that action not to reduce other
queries to that server(s).


I'm not sure I have made the question clear. If RPZ does not fit this, may I
ask, is there any other tool that can help?


Best regards,