[DNSfirewalls] Can RPZ respond/filter the outbound query?

Andrew Fried afried at deteque.com
Mon Nov 28 03:12:09 UTC 2016


I'm not sure I completely understand what you are actually trying to
accomplish.  If you want to block recursive lookups to a specific
nameserver you can do that with rpz two different ways - using either the
nameserver name (nsdname type trigger) or nameserver IP (ns-ip trigger).

Andrew


On 11/27/16 9:59 PM, Davey Song(宋林健) wrote:
>
> Hi folks,
>
>  
>
> I know RPZ is designed to provide alternate responses to inbound
> queries. Can RPZ respond to or filter the outbound queries? I would like
> to apply action and trigger policy to the outbound queries. For
> example: to PASSTHRU or Drop all outbound queries whose qtype==2 and
> dst is ‘xx.xx.xx.xx’.
>
> If it works, another question is: does this built-in filter impact
> the NS selection algorithm of that resolver? Because if you drop all
> outbound NS queries to a particular server, the resolver will not (or much
> less often) send any other type of queries to that server.
>
> My requirement is simple: the resolver can send all types of query
> except for NS queries to that specific server(s). iptables or another
> firewall can drop the packets, but I would like that action not to
> reduce other queries to that server(s).
>
> I’m not sure I have made the question clear. If RPZ does not fit this,
> may I ask, is there any other tool that can help?
>
>  
>
> Best regards,
>
> Davey
>
>
>
> _______________________________________________
> DNSfirewalls mailing list
> DNSfirewalls at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/dnsfirewalls

-- 
Andrew Fried
afried at deteque.com

+1.703.667.4050   Office
+1.703.362.0067   Mobile
deteque           Skype

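The two trigger types named in the reply, as an added example (not part of the original posts, and not a configuration from either poster). It is a small RPZ policy zone in BIND master-file syntax; the zone name rpz.local, the nameserver names and the 192.0.2.0/24 and 2001:db8::/32 addresses are hypothetical. Note that NSDNAME triggers are matched against the names of the authoritative nameservers of the zone that supplied an answer, and NSIP triggers against those nameservers' addresses, and the chosen action is applied to the response returned to the client; they are evaluated against data the resolver has already fetched, so they do not stop the resolver's own outbound queries and there is no trigger keyed on the qtype of an outbound query.

```zone
$TTL 300
; rpz.local: an RPZ policy zone (hypothetical name) loaded by the resolver.
; The SOA and NS records are required for a valid zone but are never served.
@                       IN SOA  localhost. hostmaster.localhost. (
                                2016112801 ; serial
                                3600       ; refresh
                                900        ; retry
                                2592000    ; expire
                                300 )      ; negative-caching TTL
@                       IN NS   localhost.

; --- NSDNAME triggers --------------------------------------------------
; Owner name = <nameserver name>.rpz-nsdname. Fires when any nameserver of
; the zone that provided the answer has that name (wildcards allowed).
ns1.example.net.rpz-nsdname     IN CNAME .              ; answer becomes NXDOMAIN
*.example.org.rpz-nsdname       IN CNAME rpz-drop.      ; DROP: client gets no response

; --- NSIP triggers -----------------------------------------------------
; Owner name = <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-nsip (octets reversed).
; Fires when any nameserver address for the answer falls in the prefix.
; The longest matching prefix wins, so the /32 PASSTHRU below is an
; exception carved out of the /24 DROP.
32.53.2.0.192.rpz-nsip          IN CNAME rpz-passthru.  ; 192.0.2.53/32: PASSTHRU
24.0.2.0.192.rpz-nsip           IN CNAME rpz-drop.      ; 192.0.2.0/24:  DROP

; IPv6 uses the same layout with 16-bit words, reversed, and "zz" standing
; in for the "::" run of zero words.
128.1.zz.db8.2001.rpz-nsip      IN CNAME rpz-drop.      ; 2001:db8::1/128: DROP
```

In BIND the zone is declared as an ordinary master zone and then listed in `response-policy { zone "rpz.local"; };` under `options`; the special target names (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.`, `rpz-drop.`) select the action, and any other RDATA is served as local data.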

