[DNSfirewalls] 答复: Can RPZ respond/filter the outbound query?

[Davey Song(宋林健)]

Add a Bogus name server or using blackhole list will stop all queries to that server. But I only want to stop specific types of query of specific qname to that server. Can bogus-ns function specify query types for specific qname?

--Davey

-----邮件原件-----
发件人: Paul Vixie [mailto:paul at redbarn.org] 
发送时间: 2016年11月28日 11:09
收件人: "Davey Song(宋林健)"
抄送: dnsfirewalls at lists.redbarn.org
主题: Re: [DNSfirewalls] Can RPZ respond/filter the outbound query?



Davey Song(宋林健) wrote:
> I know RPZ is designed to provide alternate responses to inbound 
> queries. Can RPZ respond or filter the outbound queries? I would like 
> to apply action and trigger policy to the outbound queries. For 
> example: to PASSTHRU or Drop all outbound queries whose qtype==2 and 
> dst is ‘xx.xx.xx.xx’.

no. rpz is intended to control the response seen by the stub resolver, it has no effect at all on the upstream query activities of the full resolver ("recursive nameserver") which runs rpz and serves those stubs.

> I’m not sure I make the question clear. If RPZ does not fit for this, 
> may I ask, is there any other tool can help ?

in BIND you would use the bogus-ns feature.

--
P Vixie