[DNSfirewalls] Response Policy Zone: disabling "leaking" of lookups

Fred Morris m3047 at m3047.net
Thu Sep 3 00:47:09 UTC 2020


It comes to my attention that when an unresolvable query occurs, it gets
forwarded to the authoritative zone regardless of anything I can set in
named.conf. The closest I can come is qname-wait-recurse, which sort of has
the /opposite/ effect, namely waiting for recursion to complete. If
I have something in an RPZ, I want it to accept that; period, full stop,
no outwardly visible effects.

Ironically the text surrounding this option in the ARM is to the effect
that "... not resolving the requested name can leak the fact that
response policy rewriting is in use..." and leaking the fact that it is
in use by not leaking the query in the first place is what I'm trying to
achieve: how do I disable the (useless) resolution directed at upstream
servers?

Here is a use case:

 1. A search list is in place for example.com. This means that if
    "foo.bar" fails to resolve then "foo.bar.example.com" will be tried,
    followed by "foo.bar.com".
 2. In addition to the foregoing, a rule is placed in the RPZ that
    "com.example.com" and "*.com.example.com" are NXDOMAIN.
 3. An additional rule is present in the RPZ that
    "my-outhouse-example.com" is NXDOMAIN.

In this case:

  * "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!)
  * There should be /no/ upstream (pointless) query for
    my-outhouse-example.com.example.com. (oops!)

Let's stop the leaks.

--

Fred Morris
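The use case above, written out as BIND configuration. This is an added illustration, not part of the original post or of any BIND documentation; the RPZ zone name "rpz.local", the file path and the SOA/NS records are assumptions made for the example. The rules are the three from the post (NXDOMAIN via "CNAME ."), and the response-policy statement carries the qname-wait-recurse option the post discusses; whether that option stops the upstream query is exactly the question the post raises, and the configuration does not claim to settle it.

```bind
// named.conf fragment (example only; zone name and path are assumed)
options {
    // Apply the RPZ; qname-wait-recurse is the option discussed in the post.
    response-policy { zone "rpz.local"; } qname-wait-recurse no;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";
    allow-query { localhost; };   // the policy zone is internal, never served outward
};

// /etc/bind/rpz.local.db (example only)
$TTL 300
@   IN  SOA localhost. root.localhost. ( 1 3600 600 86400 300 )
@   IN  NS  localhost.

; Rule 2 from the post: the search-list artefact "com.example.com" and
; everything under it answer NXDOMAIN.
com.example.com         CNAME .
*.com.example.com       CNAME .

; Rule 3 from the post: the blocked name itself answers NXDOMAIN.
my-outhouse-example.com CNAME .
```

To check for the leak the post describes, query the resolver for my-outhouse-example.com.example.com (expect NXDOMAIN from the RPZ) while watching the resolver's outbound port-53 traffic toward its upstream servers, or turn on query logging for the RPZ with `log` in the response-policy statement; any upstream packet for that name is the leak.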

