[DNSfirewalls] RPZ Trigger on answer section

Paul Vixie paul at redbarn.org
Sat Dec 23 18:12:10 UTC 2017

Davey Song wrote:
> ...
> * The proposal
> The intuitive idea for this problem is to hack the website's DNS system
> to break the CNAME context and add an AAAA to that zone. It is expected to
> respond with an IPv6 address to an AAAA type query.
> A lighter approach is to put a proxy or dnsdist in front of the
> authoritative server to respond as desired.
> A more natural way is to harness the existing RPZ (Response Policy Zone)
> to accommodate the requirement based on the local policy. The local
> policy is that if the response returns only a CNAME to an AAAA type query,
> the server should respond with a configured AAAA record.

RPZ is not able to act on two or more attributes of a response, only 
one. None of the relevant attributes will be the QTYPE of the query or 
any of the RRTYPEs of the answer. so, as it is today, RPZ cannot help 
you with your problem.

> * Issues using RPZ (my personal experience)
> Searching the RPZ configuration rules, there is only one trigger, the IP
> Trigger, which operates on the answer section to an A/AAAA query. But
> that trigger is performed exactly on the IPv4/IPv6 address contained as an
> answer in a DNS response. There is no trigger in RPZ reacting perfectly
> according to the proposal.

i think you mean that of the five available triggers, only one is 
related in any way to an IP address. however, your word "exactly" is not 
correct. RPZ triggers can be based on IP prefixes (which means, IP4 or 
IP6 prefixes) of any length. to specify a host, a full (32 bit or 128 
bit) prefix is provided, to specify a network or a group of networks, a 
shorter prefix (less than 32 bits, or less than 128 bits) is specified.

you are correct that there is no trigger in RPZ that does what you need. 
moreover, there may not be anything in DNS that does what you need. the 
CNAME returned in the CDN IP4 case will be cached, and your authority 
server will not receive subsequent queries about any RRset for that 
alias (CNAME owner). so, even if you use dnsdist, or hand-write your own 
DNS server, it's not clear that you could ever win.

P Vixie
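The IP-prefix trigger discussed above encodes a prefix of any length into an owner name under `rpz-ip` (reversed address, prefix length in front, `zz` standing in for `::` on IPv6). The helper below, added here as an illustration and not code from the thread or from any RPZ implementation, builds those owner names and the resulting policy records; the zone name `rpz.example` is an assumption.

```python
import ipaddress

# Constructed policy zone name (assumption, not from the thread).
POLICY_ZONE = "rpz.example"

# RPZ action encodings for the RDATA of a policy CNAME.
ACTIONS = {
    "NXDOMAIN": ".",
    "NODATA": "*.",
    "PASSTHRU": "rpz-passthru.",
    "DROP": "rpz-drop.",
}


def rpz_ip_owner(prefix: str, zone: str = POLICY_ZONE) -> str:
    """Return the rpz-ip trigger owner name for an IPv4/IPv6 prefix.

    A /32 or /128 names one host; a shorter prefix names a network.
    strict=False masks host bits so "192.0.2.1/24" becomes 192.0.2.0/24.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    addr = str(net.network_address)
    if net.version == 4:
        labels = addr.split(".")
    else:
        # str() already drops leading zeros and collapses the longest
        # zero run to "::"; RPZ spells that run as a single "zz" label.
        labels = addr.replace("::", ":zz:").strip(":").split(":")
    labels.reverse()
    return f"{net.prefixlen}.{'.'.join(labels)}.rpz-ip.{zone}"


def rpz_ip_record(prefix: str, action: str, zone: str = POLICY_ZONE) -> str:
    """Return one zone-file line applying `action` to answers in `prefix`."""
    if action not in ACTIONS:
        raise ValueError(f"unknown RPZ action {action!r}")
    return f"{rpz_ip_owner(prefix, zone)} CNAME {ACTIONS[action]}"


if __name__ == "__main__":
    # Constructed sample prefixes (documentation ranges).
    for p, act in [("192.0.2.1/32", "NXDOMAIN"), ("192.0.2.0/24", "DROP"),
                   ("2001:db8::1/128", "NODATA"), ("2001:db8::/32", "PASSTHRU")]:
        print(rpz_ip_record(p, act))
```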
