[DNSfirewalls] RPZ Trigger on answer section

Davey Song songlinjian at gmail.com
Thu Dec 21 02:15:05 UTC 2017


Hi folks,

I recently received a issue which I would like to use RPZ to resolve , but
I'm not sure RPZ fits this situation. I put this in following txt. It's
appriciated if anyone can give me some clue on this.

* Background

A lots websites using CDN to replicate their content and make it close to
their users. It's a common tool to promote their users' experience.
However, when it comes to updating website to support IPv6, there is a
mismatch between websites and their CDNs.

 There is a case that some advanced websites update their DNS and Web
servers to support IPv6. But most of CDNS (or their long-term CDNs) are not
ready for IPv6, which means these CDNs' authoritative server has not answer
to AAAA query. Once there is a cname in the zone, there is no room for AAAA
to be added into the domain of that website. It is a dilemma for website
operators to choose, either postpone their IPv6 plan or give up using CDNs.

Note: choosing another IPv6 enabled CDN is out of the scope of this draft.

* The proposal

The intuitive idea to this problem is to hack the website's DNS system to
break cname context and add a AAAA to that zone. It is expected to response
a IPv6 address to AAAA type query.

A lighter approach is to put a proxy or dnsdist in front of the
authoritative server to respond as it is desired.

 A more nature way is to harness the existing RPZ(Response Policy Zone) to
accommodate the requirement base on the local policy. The local policy is
that if the response return only a cname to AAAA type query, the server
should response with a configured AAAA record.

* Issues using RPZ (my personal experience)

By searching the RPZ configuration rules, there is only a trigger: IP
Trigger which operates on the answer section to an A/AAAA query. But that
trigger is perform exactly on the IPv4/IPv6 address contained as a answer
of a DNS response. There is no trigger in RPZ reacting perfectly according
to the proposal.

Best regards,
Davey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.redbarn.org/pipermail/dnsfirewalls/attachments/20171221/00ce64bc/attachment.html>


More information about the DNSfirewalls mailing list