[DNSfirewalls] RPZ Trigger on answer section
paul at redbarn.org
Sat Dec 23 18:12:10 UTC 2017
Davey Song wrote:
> * The proposal
> The intuitive idea for this problem is to hack the website's DNS system
> to break the CNAME context and add an AAAA to that zone. It is expected to
> respond with an IPv6 address to an AAAA type query.
> A lighter approach is to put a proxy or dnsdist in front of the
> authoritative server to respond as desired.
> A more natural way is to harness the existing RPZ (Response Policy Zone)
> to accommodate the requirement based on local policy. The local
> policy is that if the response returns only a CNAME to an AAAA type query,
> the server should respond with a configured AAAA record.
RPZ is not able to act on two or more attributes of a response, only
one. None of the relevant attributes will be the QTYPE of the query or
any of the RRTYPEs of the answer. so, as it is today, RPZ cannot help
you with your problem.
> * Issues using RPZ (my personal experience)
> Searching the RPZ configuration rules, there is only one trigger, the IP
> trigger, which operates on the answer section of an A/AAAA query. But
> that trigger is performed exactly on the IPv4/IPv6 address contained as an
> answer in a DNS response. There is no trigger in RPZ that reacts precisely
> according to the proposal.
i think you mean that of the five available triggers, only one is
related in any way to an IP address. however, your word "exactly" is not
correct. RPZ triggers can be based on IP prefixes (which means, IP4 or
IP6 prefixes) of any length. to specify a host, a full (32 bit or 128
bit) prefix is provided, to specify a network or a group of networks, a
shorter prefix (less than 32 bits, or less than 128 bits) is specified.
you are correct that there is no trigger in RPZ that does what you need.
moreover, there may not be anything in DNS that does what you need. the
CNAME returned in the CDN IP4 case will be cached, and your authority
server will not receive subsequent queries about any RRset for that
alias (CNAME owner). so, even if you use dnsdist, or hand-write your own
DNS server, it's not clear that you could ever win.
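As an added illustration of the prefix-based IP triggers Paul describes above (this is example code written for this page, not something from the thread or from any RPZ implementation): the functions below encode an IPv4 or IPv6 prefix of any length into an RPZ response-IP trigger owner name, decode such a name back into a network, and check which trigger, if any, a given answer address would hit. The owner-name layout assumed here (prefix length, then the address labels in reverse, with `rpz-ip` as the marker label and `zz` standing for a run of zero words in IPv6) follows the RPZ draft format as I understand it; the "longest prefix wins" precedence in the matcher is a simplification of the draft's IP trigger ordering rules. The sample prefixes and addresses are constructed.

```python
from __future__ import annotations

import ipaddress

# Label that marks a response-IP trigger in an RPZ owner name (assumed
# format from the RPZ draft; the policy zone name follows it and is ignored).
RPZ_IP_LABEL = "rpz-ip"


def encode_rpz_ip_trigger(network: str) -> str:
    """Encode a prefix as an RPZ response-IP trigger owner name.

    IPv4:  <prefixlen>.<octets reversed>.rpz-ip          e.g. 24.0.2.0.192.rpz-ip
    IPv6:  <prefixlen>.<hex words reversed>.rpz-ip       e.g. 128.1.zz.db8.2001.rpz-ip
    A full 32/128-bit prefix names one host; a shorter one names a network.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        labels = list(reversed(str(net.network_address).split(".")))
    else:
        # RFC 5952 compression yields lowercase hex, no leading zeros and at
        # most one "::"; RPZ writes that "::" as the single label "zz".
        compressed = net.network_address.compressed
        if "::" in compressed:
            left, right = compressed.split("::")
            words = (left.split(":") if left else []) + ["zz"]
            words += right.split(":") if right else []
        else:
            words = compressed.split(":")
        labels = list(reversed(words))
    return ".".join([str(net.prefixlen)] + labels + [RPZ_IP_LABEL])


def decode_rpz_ip_trigger(owner: str):
    """Parse a trigger owner name (optionally with a zone suffix) into a network."""
    labels = owner.lower().rstrip(".").split(".")
    end = labels.index(RPZ_IP_LABEL)  # everything after rpz-ip is the zone name
    prefixlen = int(labels[0])
    addr_labels = list(reversed(labels[1:end]))
    if "zz" in addr_labels or len(addr_labels) == 8:
        if "zz" in addr_labels:
            i = addr_labels.index("zz")
            text = ":".join(addr_labels[:i]) + "::" + ":".join(addr_labels[i + 1:])
        else:
            text = ":".join(addr_labels)
    elif len(addr_labels) == 4:
        text = ".".join(addr_labels)
    else:
        raise ValueError(f"malformed rpz-ip trigger: {owner}")
    return ipaddress.ip_network(f"{text}/{prefixlen}", strict=False)


def match_rpz_ip_trigger(answer_ip: str, triggers: list[str]) -> str | None:
    """Return the trigger an A/AAAA answer address hits, longest prefix first.

    Only the address itself is examined: as the post says, neither the QTYPE
    nor the RRTYPEs of the answer take part in the decision.
    """
    ip = ipaddress.ip_address(answer_ip)
    best: tuple[str, int] | None = None
    for owner in triggers:
        net = decode_rpz_ip_trigger(owner)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[1]:
                best = (owner, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed policy: one /24, one host inside it, one IPv6 /32.
    triggers = [
        encode_rpz_ip_trigger("192.0.2.0/24"),
        encode_rpz_ip_trigger("192.0.2.1/32"),
        encode_rpz_ip_trigger("2001:db8::/32"),
    ]
    for t in triggers:
        print(f"{t:32} -> {decode_rpz_ip_trigger(t)}")
    for answer in ["192.0.2.1", "192.0.2.77", "2001:db8:1::5", "198.51.100.1"]:
        print(f"{answer:16} hits {match_rpz_ip_trigger(answer, triggers)}")
```

Running the block shows that the host trigger (/32) takes precedence over the enclosing /24 for 192.0.2.1, that 192.0.2.77 falls back to the /24, and that an address outside every prefix matches nothing. This kind of offline check is a convenient way to confirm what a set of `rpz-ip` rules will and will not catch before loading them into a resolver.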